Firewall High Availability [HA Pro] - Configure Device HA Pro

This guide will help you to set up Device HA Pro on Zyxel firewalls. The Device HA Pro feature was previously activated through a license, but this is not the case anymore. If your device still needs a license, the device isn't on the newest firmware [USG FLEX, ATP].

1. Overview

2. Active Device Setup

3. Passive Device Setup

4. Troubleshooting Tips

 

Important information: Both devices must be the same model and registered in the same myZyxel.com account. The licenses have to be transferred to the active device. When the active firewall fails, every license will be automatically transferred to the passive firewall.
Before you begin the deployment, please make sure that the following conditions are met:
  1. The passive device should ONLY have a PC connected with Web GUI access and with NO heartbeat cable from the start
  2. The passive device should be RESET and have the same firmware as the active device before the HA Pro config can happen.
  3. The passive firewall should be registered MyZyxel.
  4. Wait for the sys light to blink (passive state) before you connect the rest of the cables.
  5. When configuring a HA Pro successfully, there should be no downtime when pairing devices

What can go wrong? Why can’t see the correct license status from the myzyxel.com server?
On the Device-HA Pro setting, there is a function “Serial number of the licensed device for license synchronization”. You should enter device’s S/N which with licenses. So you can transfer all of the licenses to “Activate” device, and entering this device’s S/N in frame.

Note: The default bundled one-year Gold Security Pack license of ATP gateways is non-transferable. For Device HA deployment, please contact Zyxel support in your country/region to help you transfer licenses. License Information you can find here: Device HA Pro - Do I need all licenses twice for an HA (high-availability) solution?

How to contact Support Team for License Transfer, please check here: How to contact Support Team?

 

Overview

The Device HA feature acts as a failover when one of the firewalls in the network is dead or can’t access the internet. In Device HA Pro a “heartbeat link” is added for monitoring the interface status and synchronizing settings.

Untitled.png

 

Active Device Setup

To set up the Device HA Pro feature please log into the Zyxel firewalls web interface and navigate to:

Configuration -> Device HA -> Device HA Pro

 

The last physical RJ45 port on the Zyxel firewall is the Device HA Management port (Heartbeat Port). Please make sure that this port is not part of a LAG, VLAN, or bridge interface.

Steps:
• Uncheck the “Enable Configuration Provisioning From Active Device” option.
• Verify that the serial number is the primary device S/N.
• Provide an IP address for the Active Device. (Need to be an address not in use with any of your current interfaces)
• Provide an IP address for the Passive Device. (within the same subnet as above)
• Provide a subnet mask.
• Create a sync password.
• Select the monitor interfaces from the available list and move them over to the member list.
• Configure your desired Failover Detection settings.
• Click the "Apply & switch to Device HA Pro" button.


mceclip4.png

Go to the Device HA tab again to enable the Device HA feature on the active firewall.
• Verify that the Device HA Mode is set to “Device HA Pro”.
• Check the box to “Enable Device HA”.
• Click the "Apply" button at the bottom of the screen to save the settings.
mceclip5.png

 

Passive Device Setup

Note! Only connect your PC to the passive firewall when configuring HA Pro. After you configured the HA Pro and have the same firmware as the active device, then you can connect the heartbeat cable (ONLY!). After the device has booted up and you see the SYS LED light and only the heartbeat port’s LED light be on, you may connect the rest of the ports.


To configure the passive device please connect your computer to the second Zyxel firewall and access the web interface

 Configuration -> Device HA -> Device HA Pro

• Make sure the “Enable Configuration Provisioning From Active Device” is checked.
• Click the "Apply & switch to Device HA Pro" button.
mceclip6.png
Go to the Device HA tab again to enable the Device HA feature on the passive firewall.
• Verify that the Device HA Mode is set to “Device HA Pro”.
• Check the box to “Enable Device HA”.
• Click the "Apply" button at the bottom of the screen to save the settings.
mceclip5.png

Connect an Ethernet cable to the Heartbeat Port (last physical port) on both devices and allow about 5 minutes for the devices to sync all settings. At this point, the Device HA Pro feature is configured and any changes made to the primary (active) firewall will sync to the secondary (passive) firewall.

Note: Please be sure to enable the “Connectivity Check” for the WAN connection(s). Enabling this option will allow the Zyxel firewall to test for internet access and switch over to the secondary internet connection of the passive device if it fails on the active device.

 

For On-Premises mode with High Available (HA) feature enabled, please DO NOT use cloud firmware upgrade. You will need to follow a different procedure to complete the firmware upgrade, please read the SOP. * Applicable models and versions: USG FLEX 500/700, ATP500/700/800 with ZLD5.20 through ZLD5.21 Patch1. 

Device HA - Firmware Upgrade hang / stuck with Loading - How to fix it?

Troubleshooting Tips

 

1. The sync can fail with the messages on the Passive device

The sync can fails with the messages on Passive device:
Retriving Active Firmware version has filed
Retriving Active Firmware version has filed
Retriving Active Firmware version has filed
Device HA Sync has filed when syncing Firmware Version due to bad 'Sync From' or 'Sync Port'.

A possible reason can be FTP service on an Active device has some restrictions so the Passive one can't access it.

Example of the wrong setup:

2. Devices will not sync

    • Make sure both appliances are running the same firmware revision. Both must be running the same firmware version to sync.
    • Make sure both appliances are running the same firmware bank/slot. If the primary device is running firmware slot 1 and slot 2 is standby, the second unit must also be running slot 1 with slot 2 on standby.
    • Make sure only the Heartbeat port (last RJ46 port on appliance [ex: P7]) is connected to the primary device for the first 5 minutes after enabling the Device HA Pro feature. If both devices are connected to a live network at the same time this may cause routing issues, loops and collisions affecting the network.

 3. Unable to access the Passive device

    • Please make sure the devices are done syncing. The initial sync process may take up to 5 minutes.
    • Use the IP address you configured on the Device HA Pro menu for "Passive Device Management IP".

4. I made changes on the Passive device but, they are not syncing on the Master.

    • Once Device HA Pro is configured, any changes to the network configuration should be made on the Master/Primary device. The Passive device is just a slave and changes made here will not be applied to the Primary/Master.

5. SecuReporter license/service is active on firewall, but device cannot be found in SecuReporter

    • When the master device has switched to the passive device and then the SecuReporter license is activated, you might experience the license doesn't sync in SecuReporter, even though it says "active/activated" on the firewall GUI. You need to make the primary device active again, then remove the device and organization on SecuReporter and re-activate the SecuReporter service on the primary device

 

There are other issues, please make a redeploy of Device HA Pro, see here Device HA Pro redeploy

 

 

Articles in this section

Was this article helpful?
2 out of 3 found this helpful
Share

Comments

0 comments

Please sign in to leave a comment.