|Title: How to Configure High Availability (HA) in SonicOS Enhanced|
Article Applies To:
Gen5: NSA E8510, E8500, E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500,
NSA 2400, NSA 240, NSA 220, NSA 220W, NSA250, NSA250W.
Step 1: Stateful High Availability Cabling Example
The LAN (X0) interfaces are connected to a switch on the LAN network. The WAN (X1) interfaces are connected to another switch, which connects to the Internet.
The dedicated HA interfaces (Gen5) - or the last available copper ethernet interfaces, like X5 on Gen4 Pro models - are connected directly to each other using a crossover cable.
Note: If you are connecting the Primary and Backup appliances to an Ethernet switch that uses the spanning tree protocol, please be aware that it may be necessary to adjust the link activation time on the switch port that the SonicWALL interfaces connect to. For example, on a Cisco Catalyst-series switch, it is necessary to activate spanning tree port fast for each port connecting to the SonicWALL security appliance’s interfaces.
Step 2: “Stateful and Non-Stateful High Availability Prerequisites” refer KBID 6238
Step 3: “Associating Appliances on MySonicWALL for High Availability”
Configuring High Availability (HA) in SonicOS Enhanced
The first task in setting up High Availability after initial setup is configuring the High Availability > Settings page on the Primary SonicWALL security appliance. Once you configure High Availability on the Primary SonicWALL security appliance, you push out the settings to the Backup SonicWALL security appliance. To configure High Availability on the Primary SonicWALL, perform the following steps:
Step 1: Login to the SonicWALL Management Interface and in the left navigation pane, click High Availability > Settings.
Step 2: Select the Enable High Availability checkbox.
Step 3: Under SonicWALL Address Settings, type in the serial number for the Backup SonicWALL appliance. You can find the serial number on the back of the SonicWALL security appliance, or in the System > Status screen of the Backup unit. The serial number for the Primary SonicWALL is automatically populated.
Step 4: Click Accept to retain these settings.
Configuring Advanced High Availability Settings
Step 1: In the left navigation pane, click High Availability > Advanced.
Step 2: To configure Stateful High Availability, navigate to the High Availability > Advanced screen and select Enable Stateful Synchronization. A dialog box is displayed with recommended settings for the Heartbeat Interval and Probe Interval fields.
Note: Stateful High Availablility is not supported for connections on which DPI-SSL feature is applied.
When Stateful High Availability is not enabled, session state is not synchronized between the Primary and Backup SonicWALL security appliances. If a failover occurs, any session that had been active at the time of failover needs to be renegotiated.
Step 3: Click OK in the dialog box.
Step 4: If not using Stateful HA Failover, select Enable Preempt Mode. This feature controls the behavior in which the Primary unit will seize the Active role from the Backup after it recovers from an error condition, reboot or firmware upgrade, after it successfully communicates to the backup unit that it is in a verified operational state. Preempt mode is not recommended when enabling Stateful High Availability, because preempt mode forces additonal synchronizations of traffic, which is not recommended on high load networks. In very early SonicOS versions for Gen5, such as v.126.96.36.199, the Preempt Mode checkbox could not be enabled with Stateful High Availability .
Step 5: To back up the firmware and settings when you upgrade the firmware version, select Generate/Overwrite Backup Firmware and Settings When Upgrading Firmware.
Step 6: Select the Enable Virtual MAC checkbox. Virtual MAC allows the Primary and Backup appliances to share a single MAC address. This greatly simplifies the process of updating network routing tables when a failover occurs. Only the WAN or LAN switch to which the two appliances are connected needs to be notified. All outside devices will continue to route to the single shared MAC address.
Step 7: Optionally adjust the Heartbeat Interval to control how often the two units communicate. The default is 5000 milliseconds; the minimum recommended value is 1000 milliseconds. Less than this may cause unnecessary failovers, especially when the SonicWALL is under a heavy load.
Step 8: Set the Probe Level for the interval in seconds between communication with upstream or downstream probe targets. SonicWALL recommends that you set the interval for at least 5 seconds. You can set the Probe IP address(es) on the High Availability > Monitoring screen.
Step 9: Typically, SonicWALL recommends leaving the Failover Trigger Level (missed heart beats), Election Delay Time (seconds), and Dynamic Route Hold-Down Time timers to their default settings. These timers can be tuned later as necessary for your specific network environment.
Step 10: Select the Include Certificates/Keys checkbox to have the appliances synchronize all certificates and keys.
Step 11: Click Synchronize Settings to manually synchronize the settings between the Primary and Backup appliances. The Backup will reboot.
Step 12: Click Synchronize Firmware if you previously uploaded new firmware to your Primary unit while the secondary unit was offline, and it is now online and ready to upgrade to the new firmware. Synchronize Firmware is typically used after taking your secondary appliance offline while you test a new firmware version on the Primary unit before upgrading both units to it.
Step 13: Click
Accept to retain the settings on this screen.
Configuring High Availability > Monitoring settings
On the High Availability > Monitoring page, you can configure unique management IP addresses for both units in the HA Pair which allows you to log in to each unit independently for management purposes.
Refer KBID 7803: UTM - HA: Configuring High Availability > Monitoring settings
Also you can configure Logical/Probe IP address for SonicWALL to monitor a reliable device on one or more of the connected networks. Failure to periodically communicate with the device by the Active unit in the HA Pair will trigger a failover to the Idle unit. If neither unit in the HA Pair can connect to the device, no action will be taken.
Note: The Primary IP Address and Backup IP Address fields must be configured with independent IP addresses on a LAN interface, such as X0, (or a WAN interface, such as X1, for probing on the WAN) to allow logical probing to function correctly
Once you finish configuring the High Availability settings on the Primary SonicWALL security appliance and click the Accept button, the Primary will automatically synchronize the settings to the Backup unit, causing the Backup to reboot. You do not need to click the Synchronize Settings button in the Advance tab.
Later, when you click
it means that you are initiating a full manual synchronization and the
Backup will reboot after synchronizing the preferences. You should see a
HA Peer Firewall has been updated
message at the bottom of the management interface page. Note that the
regular Primary-initiated synchronization (automatic, not manual) is an
incremental sync, and does not cause the Backup to reboot.
Testing the configuration
To verify that Primary and Backup SonicWALL security appliances are functioning correctly, wait a few minutes, then power off the Primary SonicWALL device. The Backup SonicWALL security appliance should quickly take over.
From your management workstation, test connectivity through the Backup SonicWALL by accessing a site on the public Internet – note that the Backup SonicWALL, when Active, assumes the complete identity of the Primary, including its IP addresses and Ethernet MAC addresses.
Log into the Backup SonicWALL’s unique LAN IP address. The management interface should now display Logged Into: Backup SonicWALL Status: (green ball) Active in the upper right corner. If all licenses are not already synchronized with the Primary unit, navigate to the System > Licenses page and register this SonicWALL security appliance on mysonicwall.com. This allows the SonicWALL licensing server to synchronize the licenses.
Now, power the Primary SonicWALL back on, wait a few minutes, then log back into the management interface. The management interface should again display Logged Into: Primary SonicWALL Status: (green ball) Active in the upper right corner.
If you are using the Monitor Interfaces feature, experiment with disconnecting each monitored link to ensure that everything is working correctly.
Successful High Availability synchronization is not logged, only failures are logged.
High Availability Test / wrench LED status:
|Authored by: Guru Corner on Sun, Jul 7th, 2013 at 6:00 PM
This question has been viewed 34257 times so far.
|Online URL: http://kb.guru-corner.com/question.php?ID=308|
Powered by Guru Corner