In this article we will look at how to resolve the issue of being unable to enable HA after replacing an old XG firewall with a new one.
You can reproduce the issue by following the steps below:
Reproducing The Issue:
Suppose you have three firewalls A, B and C, where A is the primary firewall, B is the auxiliary firewall and C is the new firewall.
Primary firewall A and auxiliary firewall B are configured in high availability (HA).
Disable HA on primary firewall A.
Replace auxiliary firewall B with new auxiliary firewall C. Make sure the configuration of C matches that of B.
Configure HA again between primary firewall A and new auxiliary firewall C.
At this point, firewall A still holds firewall B's SSH host key fingerprint for the peer IP address. Because firewall C's fingerprint is different, the SSH connection from firewall A to firewall C is blocked.
The workaround for this issue is to remove the known hosts file at /tmp/.ssh/known_hosts on firewall A. Log in to the Sophos firewall CLI; you can use the following article for the same:
Select option 4 (Device Management), then option 3 (Advanced Shell), and execute the following command: "rm -rf /tmp/.ssh/known_hosts"
Once you have executed the above command, re-establish HA.
Now HA will be established.
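As an added example (not part of this article or of Sophos' own procedure), the following POSIX shell routine removes only the stale known_hosts entry for the former auxiliary peer, so the primary accepts the new peer's host key while every other pinned host stays trusted; the file path and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article or Sophos: drop only the stale
# known_hosts entry for the former auxiliary peer (B) so the primary (A)
# will accept the new peer's (C) host key. Other pinned hosts survive,
# unlike "rm -rf /tmp/.ssh/known_hosts", which forgets every host.
# The file path and peer addresses used below are placeholders.

# count_entries <known_hosts_file> <peer_address>
# Prints how many plain (unhashed) lines pin <peer_address>.
count_entries() {
    awk -v p="$2" '
        { n = split($1, hosts, ",")
          for (i = 1; i <= n; i++) if (hosts[i] == p) { c++; break } }
        END { print c + 0 }' "$1"
}

# forget_peer <known_hosts_file> <peer_address>
# Removes every line whose host field lists <peer_address>.
# Returns 0 if at least one entry was removed, 1 otherwise.
forget_peer() {
    kh="$1"; peer="$2"
    [ -f "$kh" ] || return 1
    [ "$(count_entries "$kh" "$peer")" -gt 0 ] || return 1
    tmp="$kh.tmp.$$"
    awk -v p="$peer" '
        { n = split($1, hosts, ","); keep = 1
          for (i = 1; i <= n; i++) if (hosts[i] == p) keep = 0
          if (keep) print }' "$kh" > "$tmp" && mv "$tmp" "$kh"
}

# Stand-alone demo on a constructed known_hosts: the old peer's key and an
# unrelated management host's key (both truncated, fake key material).
demo() {
    KNOWN_HOSTS=$(mktemp)
    printf '%s\n' \
        '192.0.2.2 ssh-rsa AAAAB3NzaC1yc2E...oldpeerB' \
        '192.0.2.50,mgmt.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...mgmt' > "$KNOWN_HOSTS"
    forget_peer "$KNOWN_HOSTS" 192.0.2.2 && echo "removed stale entry for 192.0.2.2"
    echo "remaining pinned hosts:"; cut -d' ' -f1 "$KNOWN_HOSTS"
    rm -f "$KNOWN_HOSTS"
}

demo
```

On the firewall itself the file is /tmp/.ssh/known_hosts and the address is the auxiliary peer's IP; hashed known_hosts lines are not matched by this routine.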
Hope this article helps you.