NSA3600 primary/secondary & licensing mismatch - looking for best solution
My company has a HA pair of NSA3600's and the local firewall name/license of ABC123 is configured as primary and DEF456 is the secondary device. However, I've just discovered that we've been paying our licensing on DEF456 and mysonicwall.com shows that one is the primary device and ABC123 is the secondary one. So depending on how you look at it, the configuration and/or the licensing is backwards. Now I'm looking for the most sensible solution.
I called into support and was told that I would likely have to factory reset each device and then change the HA primary/secondary to be correct and then import the backup config. It was something along those lines but we ended the call since I won't be able to address the issue for a few weeks. Until then, I was hoping to find exact steps to take in the Sonicwall knowledgebase to change the HA pair. I found this article about replacing an HA primary unit, which I think is what I want: https://www.sonicwall.com/support/knowledge-base/how-do-i-replace-a-primary-high-availability-ha-unit/170504697399113/
Alternatively, I was thinking that maybe it would be easier to just have the license transferred from DEF456 to ABC123 and that would be good, but in calling support they told me I would have to purchase standalone licenses for the units first before they could transfer.
Anyway, I'm just looking for some additional guidance and help from someone who's dealt with this before.
Answers
I also found this article which includes a bit more detail: https://www.sonicwall.com/support/knowledge-base/how-to-replace-the-primary-sonicwall-in-a-ha-pair/170505579151355/
The most sensible solution is to document what you know about the setup and leave it alone. If it's functioning as it should then why go through the hassle? Then during the next upgrade cycle correct the issue with the new units.
If you have a very simple config then I could see wanting to do the switch, and I would follow the KB you found. It's hard to say if anyone has ever run into this exactly as you have, let alone can provide guidance on it.
I've never had to replace a production primary HA unit because none have ever failed on me.
Just my 2 cents.
While it does function correctly for the most part, there are still problems that stem from this incorrect configuration and it is something that needs to be fixed. There are always problems with the HA pair during firmware upgrades and (more recently) I purchased NSM (SaaS) and it is not able to acquire the primary device since the license shows mismatched.
Additionally, one should always follow the correct procedures to set something up properly the first time and take the necessary steps to resolve an incorrect setup. Just leaving it alone might seem like a good idea if nothing is breaking, but I find that there will inevitably be some issue that comes up at some point in time because something was done wrong. Case in point with NSM.
Hi @LOSTBACKUPS,
We have just two options here,
If our Customer Service can confirm that license transfer is possible between these units, then the job is easy.
I would recommend to factory reset both the units, perform the HA association between primary and secondary units in the MySonicWall, configure the Primary unit enabled with HA, connect the secondary unit to primary unit for settings sync between these.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Thanks for the input Saravanan. Regarding the factory reset you mentioned, I would want to approach that very carefully so as to avoid any massive issues in the event we can't re-import the backup config (for whatever reason) and I have to manually re-configure all the rules and everything.
Ideally, I would want to not have both units factory reset at the same time. Would it be possible to approach it in a way that we can factory reset the correct primary unit, import the config and make sure that the single unit is working, and then afterwards, factory reset the secondary and then finally set up the HA?
Yes, possible.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
I understand but will also warn you NSM does not always play nice with Gen6 devices. Start with a test setup before going full production.
Really? If there were issues with Gen6 NSA's, why would Sonicwall sell/support NSM for those models? I don't really have a way to do a test setup for the 3600's so I'll have to take the chance. If it doesn't work, I will have to see about getting refunded, and that would be unfortunate.
Hi @lostbackups,
NSM supports Gen 6 Firewalls running SonicOS 6.x and higher. A Minimum version of SonicOS 6.5.4.6 is required for the 7-day reporting feature. Please refer below FAQ KB link for more info.
Hope this helps.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
See my comment, the issues I described were specifically with Gen6 devices.
Why does any company do anything?
Yeesh.. well honestly, the only reason I want to use NSM right now is for the firewall analytics, auditing and reporting functionalities. I'm using some other products for that right now and they are just terrible. I am hoping the new NSM will at least be somewhat better even if it's still new.
FWIW I'm on firmware 6.5.4.6-79n
According to TKWITS it's not "error free" at all :/