
Reconfigure HA devices in active-passive mode after an RMA

You can replace high availability (HA) devices and reconfigure HA in active-passive mode after an RMA. The steps here only apply to HA active-passive mode and not to HA active-active mode.

Warning

An outage occurs when you reimage and replace HA devices and reconfigure HA. Plan your downtime accordingly.

Requirements

The requirements are as follows:

  • Check if the model and revision of the replacement device are correct.
  • Check the firmware version and build of the working firewall and the replacement firewall. To do this, do as follows:

    1. Sign in to the CLI console. See Accessing Command Line Console.
    2. Type 4 to select Device Console.
    3. Run system diagnostics show version-info and check the firmware version and build of both firewalls.


  • Download the latest firmware. See Download firmware.

    Tip

    We recommend using the latest firmware. If you prefer to stay on your current firmware and it isn't available for download, contact Sophos Support to request the firmware version and build. See Sophos Support.

  • Check which firewall is the initial primary device. To do this, do as follows:

    1. Sign in to the web admin console.
    2. Go to System services > High availability and check which firewall is the initial primary device.


Configuration

After an RMA, you can replace the auxiliary or the primary device and reconfigure HA.

You want to replace the auxiliary device with the replacement device and reconfigure HA in active-passive mode. In this scenario, the healthy primary device is running as a standalone HA device.

Configure the replacement device

On the replacement device, do as follows:

  1. Reimage the replacement device to the same firmware and build version as the healthy primary device. See Reimage the firewall using a USB flash drive. You can skip this step if the firmware version and build are the same on both firewalls.
  2. Connect a DHCP-enabled laptop or desktop to port 1 on the replacement device and go to https://172.16.16.16:4444 to sign in.
  3. Connect a network cable to port 2 on the replacement device and configure the WAN interface to allow internet access using the setup assistant. Don't configure any other interfaces.
  4. Claim the replacement device in Sophos Central and transfer the license from the faulty auxiliary device to the replacement device. See Transfer licenses in HA devices.
  5. Disconnect the cables from the faulty auxiliary device and connect them to the replacement device.

Configure the healthy primary device

On the healthy primary device, do as follows:

  1. Go to System services > High availability and click Disable HA.
  2. Check that the msync service shows as UNTOUCHED or STOPPED. To do this, do as follows:

    1. Sign in to the CLI console.
    2. Type 5 to select Device Management, then type 3 to select Advanced Shell.
    3. Run service -S | grep msync.


Reconfigure HA

Configure HA in active-passive mode with the healthy primary device as the primary device and the replacement device as the auxiliary device. See Configure active-passive HA.
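
The two console checks in this procedure (matching firmware version and build under Requirements, and the msync state after disabling HA) can be scripted over console output saved to text files on an admin workstation. This is an added example, not Sophos code: the output layouts, file names, and function names are assumptions, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks over console output saved as text files.
# Assumed layouts (not shown on the page): "Firmware Version: <v>" and
# "Firmware Build: <b>" lines in version-info output; "msync <STATE>" in
# the `service -S | grep msync` output.

# firmware_id FILE: print "version|build"; fail if either field is missing.
firmware_id() {
    tr -d '\r' < "$1" | awk -F': *' '
        $1 == "Firmware Version" { v = $2 }
        $1 == "Firmware Build"   { b = $2 }
        END { if (v == "" || b == "") exit 1; print v "|" b }'
}

# firmware_match A B: 0 = same version and build, 1 = differ, 2 = unparsable.
firmware_match() {
    fw_a=$(firmware_id "$1") || return 2
    fw_b=$(firmware_id "$2") || return 2
    [ "$fw_a" = "$fw_b" ]
}

# msync_state FILE: print the state word for msync, or MISSING.
msync_state() {
    tr -d '\r' < "$1" | awk '
        $1 == "msync" { print $2; found = 1; exit }
        END { if (!found) print "MISSING" }'
}

# msync_ready FILE: succeed only for the two states the procedure accepts.
msync_ready() {
    case "$(msync_state "$1")" in
        UNTOUCHED|STOPPED) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample captures (values are illustrative, not real releases).
d=$(mktemp -d)
printf 'Firmware Version: SFOS 1.2.3 EXAMPLE\r\nFirmware Build: 100\r\n' > "$d/primary.txt"
printf 'Firmware Version: SFOS 1.2.3 EXAMPLE\nFirmware Build: 101\n' > "$d/replacement.txt"
printf 'msync                RUNNING\n' > "$d/msync.txt"

firmware_match "$d/primary.txt" "$d/replacement.txt" ||
    echo "firmware: mismatch or unparsable (rc=$?), reimage before pairing"
msync_ready "$d/msync.txt" ||
    echo "msync: $(msync_state "$d/msync.txt"), HA is not fully disabled yet"
rm -rf "$d"
```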

You want to replace the faulty primary device with the replacement device and reconfigure HA in active-passive mode. In this scenario, the auxiliary device is running as a standalone HA device.

Deregister the healthy auxiliary device from Sophos Central

To deregister the healthy auxiliary device, do as follows:

  1. Sign in to the healthy auxiliary device, go to Sophos Central, and click Deregister.
  2. Sign in to your Sophos Central account and go to My Products > Firewall Management and click Firewalls. Make sure that the healthy auxiliary device isn't shown.

Configure the replacement device

To configure the replacement device, do as follows:

  1. Sign in to the healthy auxiliary device, go to Backup & firmware, download the configuration backup, and save it to your computer. See Backup-restore.
  2. Reimage the replacement device to the same firmware and build version as the healthy auxiliary device. See Reimage the firewall using a USB flash drive. You can skip this step if the firmware version and build are the same on both firewalls.
  3. Connect a DHCP-enabled laptop or desktop to port 1 on the replacement device and go to https://172.16.16.16:4444 to sign in.
  4. Connect a network cable to port 2 on the replacement device and configure the WAN interface to allow internet access using the setup assistant. Don't configure any other interfaces.
  5. Claim the replacement device in Sophos Central and transfer the license from the faulty primary device to the replacement device. See Transfer licenses in HA devices.
  6. Restore the configuration backup to the replacement device. See Backup-restore.
  7. Disconnect the cables from the healthy auxiliary device and connect them to the replacement device.

    Warning

    This step results in downtime. After you've correctly connected the cables to the replacement device, it starts serving traffic and operates as a standalone HA device.

Configure the healthy auxiliary device

To configure the healthy auxiliary device, do as follows:

  1. Reset the healthy auxiliary device to factory default settings. See Reset to factory settings.
  2. Connect a DHCP-enabled laptop or desktop to port 1 on the healthy auxiliary device and go to https://172.16.16.16:4444 to sign in.
  3. Connect a network cable to port 2 on the healthy auxiliary device and configure the WAN interface to allow internet access using the setup assistant. Don't configure any other interfaces.
  4. Claim the healthy auxiliary device in Sophos Central. See Set up your Sophos Firewall and claim it in Sophos Central.
  5. Disconnect the cables from the faulty primary device and connect them to the healthy auxiliary device.

Reconfigure HA

Configure HA in active-passive mode with the replacement device as the primary device and the healthy auxiliary device as the auxiliary device. See Configure active-passive HA.