Rescue Sophos UTM HA Slave Node with manual update

Last week I needed to reinstall one node within a Sophos UTM HA system. The new node had three missing updates, compared to the live system. I reconfigured the HA configuration to “automatic” and connected both UTMs together at the HA interface. They could see each other but the slave device couldn’t get updates. So I needed to install the updates manually. This was my situation:

<M> utm:/root # ha_utils
– Status ———————————————————————–
Current mode: HA MASTER with id 1 in state ACTIVE
— Nodes ———————————————————————–
MASTER: 1 Node1 198.19.250.1 9.407003 ACTIVE since Mon Oct 10 13:17:26 2016
SLAVE: 2 Node2 198.19.250.2 9.357001 UP2DATE since Mon Oct 10 13:17:43 2016
— Load ————————————————————————
Node 1: [1m] 1.12 [5m] 0.96 [15m] 0.93
Node 2: [1m] 0.02 [5m] 0.05 [15m] 0.06

– Kernel ———————————————————————–
Current mode: enabled master
interface: eth3
Local ID: 198.19.250.1
debug: off
verbose: off
ppp sync: off
port smtp: 25
port pop3: 8110
port ftp: 2121

– PostgreSQL ————————————————————————
(N/A)

I tried to connect via SSH, but I always got this error message:

<M> utm:/root # ha_utils ssh

Connecting to slave 198.19.250.2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
40:5d:86:75:60:74:60:47:7e:53:78:1f:e6:20:a2:e0 [MD5].
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /etc/ssh/ssh_known_hosts:22
ECDSA host key for 198.19.250.2 has changed and you have requested strict checking.
Host key verification failed.

I renamed the trusted hosts file to establish a new connection:

<M> utm:/root # mv /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts_backup
<M> utm:/root # ha_utils ssh

Connecting to slave 198.19.250.2
The authenticity of host '198.19.250.2 (198.19.250.2)' can't be established.
ECDSA key fingerprint is 40:5d:86:75:60:74:60:47:7e:53:78:1f:e6:20:a2:e0 [MD5].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '198.19.250.2' (ECDSA) to the list of known hosts.
loginuser@198.19.250.2's password:
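The host-key warning above is expected here, because the reinstalled slave generated a fresh key. As an added example (not from the original post), the following shell functions show a narrower alternative to renaming the whole ssh_known_hosts file: compare the fingerprint from the warning with one read out-of-band on the slave's console, and only then drop the stale entry for 198.19.250.2, so the keys of all other nodes stay pinned. EXPECTED_FP and the sample known_hosts content are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the new fingerprint of the
# reinstalled slave was read out-of-band (e.g. on its console) and stored in
# EXPECTED_FP; host and path follow the post (198.19.250.2, /etc/ssh/ssh_known_hosts).

# Remove only the known_hosts entries naming one host; every other node's key
# stays pinned. $1 = known_hosts file, $2 = host (IP or name). A .bak copy is
# written first. Hashed (|1|...) entries are not matched by this plain-text scan.
drop_stale_host_key() {
    file=$1; host=$2
    cp "$file" "$file.bak" || return 1
    awk -v h="$host" '
        /^#/ || /^$/ { print; next }            # keep comments and blank lines
        {
            n = split($1, names, ",")           # first field may list several hosts
            keep = 1
            for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
            if (keep) print
        }' "$file.bak" > "$file"
}

# Compare the fingerprint ssh printed with the one obtained out-of-band.
# $1 = fingerprint seen in the warning, $2 = expected. Succeeds only on an exact
# (case-insensitive) match; an empty value never matches.
fingerprint_matches() {
    seen=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$seen" ] && [ "$seen" = "$expected" ]
}

# Demonstration on a constructed known_hosts file (not the real /etc/ssh file).
demo() {
    kh=$(mktemp)
    printf '%s\n' \
        '198.19.250.1 ecdsa-sha2-nistp256 AAAAconstructed1' \
        '198.19.250.2,node2 ecdsa-sha2-nistp256 AAAAconstructed2' \
        '# some comment' \
        '198.19.250.3 ssh-rsa AAAAconstructed3' > "$kh"
    # Fingerprint from the warning in the post; EXPECTED_FP is assumed to have been
    # read on the slave's console. Only on a match is the stale entry removed.
    EXPECTED_FP=${EXPECTED_FP:-40:5d:86:75:60:74:60:47:7e:53:78:1f:e6:20:a2:e0}
    if fingerprint_matches '40:5d:86:75:60:74:60:47:7e:53:78:1f:e6:20:a2:e0' "$EXPECTED_FP"; then
        drop_stale_host_key "$kh" 198.19.250.2
        grep -c '' "$kh"    # 3 lines remain: the two other nodes and the comment
    else
        echo "fingerprint mismatch: do not accept the new key" >&2
    fi
    rm -f "$kh" "$kh.bak"
}
```

Where ssh-keygen is available, `ssh-keygen -R 198.19.250.2 -f /etc/ssh/ssh_known_hosts` performs the same targeted removal and also handles hashed entries.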

I downloaded the specific update files to the tmp-folder of the master UTM:

<M> utm:/tmp # mkdir my-updates
<M> utm:/tmp # cd my-updates/
<M> utm:/tmp/my-updates # wget ftp://ftp.utm.de/UTM/v9/up2date/u2d-sys-9.357001-404005.tgz.gpg
<M> utm:/tmp/my-updates # wget ftp://ftp.utm.de/UTM/v9/up2date/u2d-sys-9.405005-406003.tgz.gpg
<M> utm:/tmp/my-updates # wget ftp://ftp.utm.de/UTM/v9/up2date/u2d-sys-9.406003-407003.tgz.gpg

After this, I copied the files via SCP to the slave unit:

<M> utm:/tmp/my-updates # scp u2d-sys-9.357001-404005.tgz.gpg loginuser@198.19.250.2:/tmp
<M> utm:/tmp/my-updates # scp u2d-sys-9.405005-406003.tgz.gpg loginuser@198.19.250.2:/tmp
<M> utm:/tmp/my-updates # scp u2d-sys-9.406003-407003.tgz.gpg loginuser@198.19.250.2:/tmp

Then I moved all files to the sys folder and installed the updates:

<M> utm:/tmp/my-updates # ha_utils ssh
<S> utm:/tmp # mv u2d-sys-9.357001-404005.tgz.gpg /var/up2date/sys/u2d-sys-9.357001-404005.tgz.gpg
<S> utm:/tmp # mv u2d-sys-9.405005-406003.tgz.gpg /var/up2date/sys/u2d-sys-9.405005-406003.tgz.gpg
<S> utm:/tmp # mv u2d-sys-9.406003-407003.tgz.gpg /var/up2date/sys/u2d-sys-9.406003-407003.tgz.gpg
<S> shb:/var/up2date/sys-install # auisys.plx

After a restart and the sync process, the cluster works properly again:

<M> utm:/tmp/my-updates # ha_utils
– Status ———————————————————————–
Current mode: HA MASTER with id 1 in state ACTIVE
— Nodes ———————————————————————–
MASTER: 1 Node1 198.19.250.1 9.407003 ACTIVE since Mon Oct 10 13:17:26 2016
SLAVE: 2 Node2 198.19.250.2 9.407003 ACTIVE since Tue Oct 11 09:22:33 2016
— Load ————————————————————————
Node 1: [1m] 0.98 [5m] 1.60 [15m] 2.03
Node 2: [1m] 0.18 [5m] 1.12 [15m] 1.18

– Kernel ———————————————————————–
Current mode: enabled master
interface: eth3
Local ID: 198.19.250.1
debug: off
verbose: off
ppp sync: off
port smtp: 25
port pop3: 8110
port ftp: 2121

– PostgreSQL ————————————————————————
primary | standby | lag | bytelag
———+———+————–+———-
1 | 2 | 00:00:00.5 | 0
