Zyxel USG FLEX H Series [HA] - Setup Device High Availability (HA PRO)

The Device HA (High Availability) (HA PRO) solution guarantees continuous network connectivity by utilising a pair of firewalls configured in an active-passive setup. In this configuration, the active firewall handles traffic under normal conditions while the passive firewall remains on standby. Should the active device fail, the passive device automatically takes over as the active firewall within seconds, ensuring minimal disruption and maintaining seamless network operation.

Introduction of the Device High Availability

The following features can be transferred to the secondary Zyxel Device when it becomes active using Device HA:
  • Start-up and Running Configuration
  • Signatures
  • Device Insight
  • External Block List
  • DHCP Leasing Entries
  • Two-factor Authentication
  • Certificates
  • Licenses, including NCC if applicable
  • Zyxel Device Time

Requirement

  • Both HA devices must be the same firewall model and must run the same firmware version.
  • Both devices must be registered with the same organization.

Firmware Version    Support Paired Model
From 1.31           USG FLEX 200H     USG FLEX 200H
                    USG FLEX 200HP    USG FLEX 200HP
                    USG FLEX 500H     USG FLEX 500H
                    USG FLEX 700H     USG FLEX 700H

Primary and secondary device roles

  • The roles of the primary and secondary devices are defined before deployment and remain unchanged during device operation.
  • Active and passive mode states can dynamically change during failover.

Heartbeat Port

Device HA uses a dedicated heartbeat link between the active and the passive device to synchronise status and to trigger failover and backup to the passive device if the active device becomes unresponsive. On the passive device, all ports are disabled except for the port with the heartbeat link.
In the following example, Zyxel Device A is the active device that is connected to the passive device Zyxel Device B through a dedicated link that is used for heartbeat control, configuration synchronization and troubleshooting. All links on Zyxel Device B are down except for the dedicated heartbeat link.
  • A dedicated heartbeat port with a direct connection between the devices to monitor each other's status
  • The heartbeat port for each model is pre-defined

Device HA Prerequisites

  • Ensure both primary and secondary devices meet the following:
  1. Same model – Both must be USG FLEX 200H; different models (e.g., 200H vs. 200HP) are not supported.
  2. Same firmware – Must run the same version (uOS 1.31 or later).
  3. Same Nebula Organization – Both must be registered under the same Organization.
    • Assign the primary to Site 1
    • Assign the secondary to Site 2

Note: It is highly recommended that the device registration steps on Nebula be completed before pairing HA.

  • Enable SSH – SSH must be enabled on both devices (System > SSH) using port 22 for Device HA sync.
  • Management IP Subnet – Only 255.255.255.0 is supported.

Set up the Device HA

To set up the Device HA feature, log into the Zyxel firewall's web interface and navigate to:

Set up Device HA on the active Zyxel Device in System > Device HA > HA Configuration. 

Choose the type of MAC address carefully, as this setting cannot be changed once HA is activated. To make further changes, you will need to deactivate HA, make the changes, and then set up HA again.

Check the HA status in System > Device HA > HA Status

Check the HA log of the active Zyxel Device in System > Device HA > HA Log

Configure Device HA on the passive Zyxel Device in System > Device HA > HA Configuration.

Enable - HA Configuration (No further action is required at this stage. After activating HA on the passive device, disconnect all network connections from it, then connect the heartbeat cable from the active device to the passive device.)

Warning (IMPORTANT): Enabling High Availability (HA) on the secondary device will:
  • Bring the device's WAN/LAN ports link down
  • Log out the current web GUI session

Connect the heartbeat Ethernet cable between the active and passive Zyxel Devices.

Verify the HA status of the active and passive Zyxel Devices in System > Device HA > HA Status.

Check the logs on the active Zyxel Device in System > Device HA > HA Log.

When you log into a Zyxel Device after Device HA pairing, you will see a banner to show if you are logged into the active or passive Zyxel Device.

Failover Success - Log

Error Handling

The firewall will detect if the device firmware or model is different

Pairing Failed Status:
  • Cannot get MAC/SN correctly from certificate
  • Device registration failed
  • Device firmware or model mismatch detected
  • Devices belong to different organization
  • Device ownership mismatch
  • Device is not assigned to a site

Example 1: How to Check Device HA Status

usgflex500h> show state vrf main device-ha status
status
    enabled true
    pairing-state paired
    pairing-msg Paired
    ha-health-state connected
    local-state passive
    local-role primary
    active
        role secondary
        sn S212L4029XXXX
        icon-color on
        ..
    passive
        role primary
        sn S212L4029XXXX
        icon-color on
        ..
    ..
usgflex500h> show state vrf main device-ha summary
summary
    last-failover-epoch 1735296426
    last-failover-reason "Monitor interface link down"
    last-sync-epoch 1735296121
    last-sync-status Success
    ..
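
Added example (not Zyxel's code): a small Python parser for the show state output format used in Example 1, where a lone word opens a node and ".." closes it, followed by a check that reports when the primary unit is running passive after a failover. The names parse_state and ha_findings and the health criteria are assumptions made for this example.

```python
import shlex
from datetime import datetime, timezone

# Abridged copy of the Example 1 output above (some leaf lines dropped).
SAMPLE = """\
usgflex500h> show state vrf main device-ha status
status
    pairing-state paired
    ha-health-state connected
    local-state passive
    local-role primary
    active
        role secondary
        ..
    ..
usgflex500h> show state vrf main device-ha summary
summary
    last-failover-epoch 1735296426
    last-failover-reason "Monitor interface link down"
    last-sync-epoch 1735296121
    last-sync-status Success
    ..
"""

def parse_state(text):
    """Parse the indented tree: a lone word opens a node, '..' closes it."""
    stack = [{}]
    for line in text.splitlines():
        tokens = shlex.split(line)            # keeps quoted values intact
        if not tokens or tokens[0].endswith(">"):  # blank or CLI prompt line
            continue
        if tokens == [".."]:
            stack = stack[:-1] or stack       # close node, never drop the root
        elif len(tokens) == 1:
            stack.append(stack[-1].setdefault(tokens[0], {}))
        else:
            stack[-1][tokens[0]] = " ".join(tokens[1:])
    return stack[0]

def ha_findings(state):
    """Checks chosen for this example (assumptions, not Zyxel's own criteria)."""
    st, sm, out = state.get("status", {}), state.get("summary", {}), []
    if (st.get("pairing-state"), st.get("ha-health-state")) != ("paired", "connected"):
        out.append("pair is not healthy")
    if sm.get("last-sync-status") != "Success":
        out.append("last sync did not succeed")
    if (st.get("local-role"), st.get("local-state")) == ("primary", "passive"):
        when = datetime.fromtimestamp(int(sm.get("last-failover-epoch", 0)), timezone.utc)
        out.append(f"failed over {when:%Y-%m-%d %H:%M} UTC: {sm.get('last-failover-reason')}")
    return out
```

Run against the sample, ha_findings(parse_state(SAMPLE)) returns a single finding: the primary is passive because the pair failed over on 2024-12-27 10:47 UTC with reason "Monitor interface link down".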

Example 2: Force a Full Synchronisation

[Active]

usgflex500h> cmd device-ha force-sync full
OK
usgflex500h>

[Passive]

usgflex500h> cmd device-ha force-sync full
This command can only be used on active device.

Example 3: How to Check Synchronisation State?

[Passive]

usgflex700h> show state vrf main device-ha _debug sync-info
sync-info
    op-state passive
    msg "[Full sync(1024)] Received file sync event."
    date 2024/12/30-11:13:37
    ..
sync-info
    op-state passive
    msg "[Full sync(1024)] Full sync start..."
    date 2024/12/30-11:13:37
    ..
sync-info
    op-state passive
    msg "[Neoagent Certificate(8)] Neoagent Certificate sync start..."
    date 2024/12/30-11:13:37
    ..
sync-info
    op-state passive
cert_neoagent.tar.bz2 download success!"
    date 2024/12/30-11:13:37
    ..

Please Note:
uOS 1.31 prevents users from applying configuration through the GUI, CLI and NCC live tool while Device HA is paired.
The reason is to avoid applying configuration where HA is not activated.
