Title: How to Configure High Availability (HA) in SonicOS Enhanced

Article Applies To:

Gen5: NSA E8510, NSA E8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400MX *, NSA 2400, NSA 240, NSA 220, NSA 220W, NSA 250, NSA 250W.
TZ series: TZ 200, TZ 200 W, TZ 205, TZ 205 W, TZ 210, TZ 210 W, TZ 215, TZ 215 Wireless.
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040.


Firmware versions: All Gen5 and Gen4 firmware versions (SonicOS Enhanced)
Services: High Availability.


Important Note:

  • Stateful HA is not supported for connections on which DPI-SSL is applied.
  • On TZ 210 units the HA port/interface must be UNASSIGNED before setting up HA.
  • HA cannot be configured if built-in wireless is enabled; the management interface displays a warning to that effect.
  • HA cannot be configured if PortShield is enabled; the management interface displays a warning to that effect.


Initial Setup

Step 1: Stateful High Availability Cabling Example

The LAN (X0) interfaces are connected to a switch on the LAN network. The WAN (X1) interfaces are connected to another switch, which connects to the Internet.

The dedicated HA interfaces (Gen5) - or the last available copper Ethernet interface, such as X5 on Gen4 PRO models - are connected directly to each other using a crossover cable.

Note: If you are connecting the Primary and Backup appliances to an Ethernet switch that uses the Spanning Tree Protocol, it may be necessary to adjust the link activation time on the switch ports that the SonicWALL interfaces connect to. For example, on a Cisco Catalyst-series switch, it is necessary to enable Spanning Tree PortFast on each port connecting to the SonicWALL security appliance’s interfaces.

Step 2: For “Stateful and Non-Stateful High Availability Prerequisites”, refer to KBID 6238.

Step 3: For “Associating Appliances on MySonicWALL for High Availability”, refer to the following articles:

  • “Associating an Appliance at First Registration”: KBID 6233
  • “Associating Pre-Registered Appliances”: KBID 6235
  • “Associating a New Unit to a Pre-Registered Appliance”: KBID 6236
  • “Removing an HA Association”: KBID 6230
  • “Replacing a SonicWALL Security Appliance”: KBID 6231

 


Configuring High Availability (HA) in SonicOS Enhanced

The first task in setting up High Availability after initial setup is configuring the High Availability > Settings page on the Primary SonicWALL security appliance. Once you configure High Availability on the Primary SonicWALL security appliance, you push out the settings to the Backup SonicWALL security appliance. To configure High Availability on the Primary SonicWALL, perform the following steps:  

Step 1: Log in to the SonicWALL management interface and, in the left navigation pane, click High Availability > Settings.

Step 2: Select the Enable High Availability checkbox.

Step 3: Under SonicWALL Address Settings, type in the serial number for the Backup SonicWALL appliance. You can find the serial number on the back of the SonicWALL security appliance, or in the System > Status screen of the Backup unit. The serial number for the Primary SonicWALL is automatically populated.

Step 4: Click Accept to retain these settings.  


Configuring Advanced High Availability Settings    

Step 1: In the left navigation pane, click High Availability > Advanced.   

Step 2: To configure Stateful High Availability, navigate to the High Availability > Advanced screen and select Enable Stateful Synchronization. A dialog box is displayed with recommended settings for the Heartbeat Interval and Probe Interval fields.

Note: Stateful High Availability is not supported for connections on which DPI-SSL is applied.

The settings it shows are the minimum recommended values. Lower values may cause unnecessary failovers, especially when the SonicWALL is under heavy load. You can use higher values if your SonicWALL handles a lot of network traffic.

When Stateful High Availability is not enabled, session state is not synchronized between the Primary and Backup SonicWALL security appliances. If a failover occurs, any session that had been active at the time of failover needs to be renegotiated.

Step 3: Click OK in the dialog box.

Step 4: If not using Stateful HA Failover, select Enable Preempt Mode. This feature controls the behavior in which the Primary unit seizes the Active role from the Backup after it recovers from an error condition, reboot or firmware upgrade, once it has successfully communicated to the Backup unit that it is in a verified operational state. Preempt Mode is not recommended together with Stateful High Availability, because preempt mode forces additional synchronizations of traffic, which is undesirable on high-load networks. In very early SonicOS versions for Gen5, such as 5.0.0.0, the Preempt Mode checkbox could not be enabled with Stateful High Availability.

Step 5: To back up the firmware and settings when you upgrade the firmware version, select Generate/Overwrite Backup Firmware and Settings When Upgrading Firmware.

Step 6: Select the Enable Virtual MAC checkbox. Virtual MAC allows the Primary and Backup appliances to share a single MAC address. This greatly simplifies the process of updating network routing tables when a failover occurs. Only the WAN or LAN switch to which the two appliances are connected needs to be notified. All outside devices will continue to route to the single shared MAC address.  

Step 7: Optionally adjust the Heartbeat Interval to control how often the two units communicate. The default is 5000 milliseconds; the minimum recommended value is 1000 milliseconds. Lower values may cause unnecessary failovers, especially when the SonicWALL is under heavy load.

Step 8: Set the Probe Level to the interval, in seconds, between communications with the upstream or downstream probe targets. SonicWALL recommends an interval of at least 5 seconds. You can set the Probe IP address(es) on the High Availability > Monitoring screen.

Step 9: Typically, SonicWALL recommends leaving the Failover Trigger Level (missed heart beats), Election Delay Time (seconds), and Dynamic Route Hold-Down Time timers at their default settings. These timers can be tuned later as necessary for your specific network environment.

• Heartbeat Interval (seconds) – This timer is the length of time between status checks. By default this timer is set to 5 seconds; a longer interval means the SonicWALL takes more time to detect when a failure has occurred.

• Failover Trigger Level (missed heart beats) – This value is the number of heartbeats the SonicWALL will miss before failing over. By default it is set to 5 missed heartbeats. This value is linked to the Heartbeat Interval timer; for example, if you set the Heartbeat Interval to 10 seconds and the Failover Trigger Level to 5, it will be 50 seconds before the SonicWALL fails over.

• Probe Interval – This timer controls the path monitoring speed. Path monitoring sends pings to specified IP addresses to monitor that the network critical path is still reachable. The default is 20 seconds, and the allowed range is from 5 to 255 seconds. 

• Election Delay Time – This timer can be used to specify an amount of time the SonicWALL will wait to consider an interface up and stable, and is useful when dealing with switch ports that have a spanning-tree delay set.

• The Dynamic Route Hold-Down Time – This setting is used when a failover occurs on a High Availability pair that is using either RIP or OSPF dynamic routing. When a failover occurs, Dynamic Route Hold-Down Time is the number of seconds the newly-Active appliance keeps the dynamic routes it had previously learned in its route table. During this time, the newly-Active appliance relearns the dynamic routes in the network. When the Dynamic Route Hold-Down Time duration expires, it deletes the old routes and implements the new routes it has learned from RIP or OSPF. The default value is 45 seconds. In large or complex networks, a larger value may improve network stability during a failover. 

Note: The Dynamic Route Hold-Down Time setting is displayed only when the Advanced Routing option is selected on the Network > Routing page.

Step 10: Select the Include Certificates/Keys checkbox to have the appliances synchronize all certificates and keys.  

Step 11: Click Synchronize Settings to manually synchronize the settings between the Primary and Backup appliances. The Backup will reboot.

Step 12: Click Synchronize Firmware if you previously uploaded new firmware to your Primary unit while the secondary unit was offline, and it is now online and ready to upgrade to the new firmware. Synchronize Firmware is typically used after taking your secondary appliance offline while you test a new firmware version on the Primary unit before upgrading both units to it.

Step 13: Click Accept to retain the settings on this screen.
 



Configuring High Availability > Monitoring settings

On the High Availability > Monitoring page, you can configure unique management IP addresses for both units in the HA Pair which allows you to log in to each unit independently for management purposes. 

Refer to KBID 7803: UTM - HA: Configuring High Availability > Monitoring settings.

You can also configure a Logical/Probe IP address for the SonicWALL to monitor a reliable device on one or more of the connected networks. If the Active unit in the HA Pair fails to communicate periodically with that device, a failover to the Idle unit is triggered. If neither unit in the HA Pair can reach the device, no action is taken.

Note: The Primary IP Address and Backup IP Address fields must be configured with independent IP addresses on a LAN interface, such as X0 (or a WAN interface, such as X1, for probing on the WAN), to allow logical probing to function correctly.
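The failover rules described in this article (missed heartbeats counted against the Failover Trigger Level, logical probing where both units failing to reach the target means no action, and Preempt Mode returning the Primary to Active) can be summarised as a small state model. The following Python is an added illustration written for this page, not SonicOS code; the class and method names are assumptions and the timer values are constructed samples.

```python
from dataclasses import dataclass, field


@dataclass
class HAPairModel:
    """Illustrative model of the article's HA failover rules (not SonicOS code)."""
    heartbeat_interval_s: int = 5      # Heartbeat Interval, article default 5 s
    failover_trigger_level: int = 5    # missed heartbeats before failover, default 5
    preempt: bool = False              # Enable Preempt Mode
    active: str = "Primary"            # unit currently holding the Active role
    missed_heartbeats: int = 0
    events: list = field(default_factory=list)

    def worst_case_detection_s(self) -> int:
        # e.g. 10 s interval x 5 missed heartbeats = 50 s before failover
        return self.heartbeat_interval_s * self.failover_trigger_level

    def _failover(self, reason: str) -> None:
        self.active = "Backup" if self.active == "Primary" else "Primary"
        self.missed_heartbeats = 0
        self.events.append(f"failover to {self.active}: {reason}")

    def heartbeat(self, received: bool) -> str:
        """One heartbeat slot as seen by the idle unit; returns the Active unit."""
        if received:
            self.missed_heartbeats = 0
        else:
            self.missed_heartbeats += 1
            if self.missed_heartbeats >= self.failover_trigger_level:
                self._failover(f"{self.failover_trigger_level} missed heartbeats")
        return self.active

    def probe(self, active_reachable: bool, idle_reachable: bool) -> str:
        """Logical/probe monitoring outcome for one Probe Interval."""
        if not active_reachable:
            if idle_reachable:
                self._failover("probe target unreachable from Active unit")
            else:
                # Neither unit can reach the target: the article says no action is taken
                self.events.append("probe target unreachable from both units: no action")
        return self.active

    def primary_recovered(self) -> str:
        """Primary reports a verified operational state after a reboot or upgrade."""
        if self.preempt and self.active == "Backup":
            self._failover("preempt: Primary reclaims the Active role")
        return self.active
```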

 


Synchronize Settings   

Once you finish configuring the High Availability settings on the Primary SonicWALL security appliance and click the Accept button, the Primary automatically synchronizes the settings to the Backup unit, causing the Backup to reboot. You do not need to click the Synchronize Settings button on the Advanced tab.

Later, when you click Synchronize Settings, you are initiating a full manual synchronization, and the Backup will reboot after synchronizing the preferences. You should see an HA Peer Firewall has been updated message at the bottom of the management interface page. Note that the regular Primary-initiated synchronization (automatic, not manual) is an incremental sync and does not cause the Backup to reboot.
 


Testing the configuration 

To verify that Primary and Backup SonicWALL security appliances are functioning correctly, wait a few minutes, then power off the Primary SonicWALL device. The Backup SonicWALL security appliance should quickly take over.   

From your management workstation, test connectivity through the Backup SonicWALL by accessing a site on the public Internet – note that the Backup SonicWALL, when Active, assumes the complete identity of the Primary, including its IP addresses and Ethernet MAC addresses.   

Log into the Backup SonicWALL’s unique LAN IP address. The management interface should now display Logged Into: Backup SonicWALL Status: (green ball) Active in the upper right corner. If all licenses are not already synchronized with the Primary unit, navigate to the System > Licenses page and register this SonicWALL security appliance on mysonicwall.com. This allows the SonicWALL licensing server to synchronize the licenses.   

Now, power the Primary SonicWALL back on, wait a few minutes, then log back into the management interface. The management interface should again display Logged Into: Primary SonicWALL Status: (green ball) Active in the upper right corner.   

If you are using the Monitor Interfaces feature, experiment with disconnecting each monitored link to ensure that everything is working correctly.   

Successful High Availability synchronization is not logged, only failures are logged.
 


High Availability Test / wrench LED status: 

Authored by: Guru Corner on Sun, Jul 7th, 2013 at 6:00 PM
Online URL: http://kb.guru-corner.com/question.php?ID=308
