Follow

How to Configure High Availability

Version 2.5 Versions 3.0 and 5.0

Applies to Platform: UTM 3.0, 4i Edge 3.0, UTM 5.0,
Last Updated: 9th of Febrauary 2016

Applies to Platform: UTM 2.4, UTM 2.5, 4i Edge >2.5
Last Updated: 23rd April 2014

This lesson will illustrate the necessary steps to configure a high availability cluster (active-standby) between two Endian appliances. This will allow a seamless failover transition to a secondary Endian appliance, in the event of a hardware failure on the primary appliance. This provides unparalleled hardware availability and redundancy for critical network operations and security.

Note

HA does currently not support the automatic synchronisation of the hotspot's database.

Background Information

The Endian high availability system is supported on both Endian hardware and software. Whether choosing hardware or software, the high availability module requires completely identical hardware platforms (e.g. 2 Minis, 2 Macros, 2 identical x86 systems, etc.). Something else important to note when deploying high availability is that you must provide a duplication method for each and every connection to the Endian appliance. Every connection the primary unit has (WAN, LAN, etc.) must be replicated across the standby unit to ensure complete replication capabilities exist (see example below).

Warning

The HA system is created starting from two identical, standalone appliances: That means, each appliance must have its own IP addresses and network zones configuration, uplinks, and services. In particular, the IP address and subnet of the GREEN zone of each appliance must be different. Whenever the HA is deactivated, they will be brought back to their original configuration.

Configuration Example

Network_Diagram_-_High_Availability_No_VLAN.jpg

In the scenario used as example, each network on the Master (WAN, LAN, etc.) is connected to an external managed switch, and the corresponding ports on the Slave must be able to communicate with those on the master, i.e., they must lay in the same network. Although not necessary, it is suggested to change the default GREEN IP Address from 192.168.0.15 to a different one, this would help in case of migration of a node.

Note

You can setup a HA system with VLANs defined, it is sufficient than the ports are assigned correctly: Hence, if eth0 is assigned to the GREEN on VLAN 100 in the master, then eth0 must be assigned to the GREEN on VLAN 100 the slave as well, like shown in the next image.
Network_Diagram_-_High_Availability_01.jpg

Another option is to replace a single managed (VLAN capable) switch with smaller, separate switches for each Endian zone (WAN, LAN, etc.). This may not be cost-effective and could be less reliable since the failure of any switch could break failover partially or completely.

Configure HA Primary Unit

mceclip0.png

The first thing that needs to be done is to put the MAC address of the interface that is currently associated to the main uplink into the Advanced settings -> Use custom MAC address section (in the example above, you would need then to write the MAC address of eth0 interface into the custom MAC address field). If you have more than one uplink, you will need to do the same for all the other uplink, by filling the custom MAC address field with the MAC address of the related associated interface.

This is needed because, during the Endian HA failover, the RED interface MAC address does not automatically get replicated during failover onto the standby unit. Due to this, in order to maintain network connectivity there is the need for next hop ISP device to continue to see the same MAC address associated to the uplink IP in order to correctly send packets. This will ensure that when the HA is activated the MAC address will carry over to the standby unit and will not require manual intervention.

?name=media_1303155614454.png

Screenshot_from_2016-01-14_19_01_49.png

The next thing is to configure the HA settings on the primary HA unit which can be found under Services > High Availability. Here we'll configure this device to run as "Master" and then be sure to fill out all of the fields including the notification options so you know when / if you have an HA failure.

Note the default HA management network of 192.168.177.0 /24. This can be configured for any non-existing private network address space (RFC 1918).

The Spanning Tree Protocol (STP) is a dedicated solution for the configuration of High Availability in gateway mode. While choosing to enable the STP option, a port on the slave side will be closed when necessary, to avoid loops.

In order to configure the STP bridge priority, you will have to select 1 on the Master side, and 2 or higher on the Slave side.

Click on Save and Apply to continue.

Note

Keep in mind the management network will be created as an interface on the GREEN network, so you will see it show up on the device or when viewing the network status. You will not, however, lose your existing GREEN network(s) nor should you have to make any changes to your GREEN network(s) as a result

Configure the HA Slave Unit

?name=media_1303156034143.png

Screenshot_from_2016-01-15_18_21_02.png

Next, we'll configure the HA settings on the slave HA unit. Here we'll configure the side as "Slave" and then just point it to the Master IP address we just previously configured and provide the root (SSH) password for the HA primary unit.

Click Save and Apply to continue and begin the HA active-standby process.

Warning

It’s also important to note that when setting up high availability once you configure both sides, primary and active, and are then ready to apply the configuration you will temporarily lose connectivity to the device as the management network is created and then the two devices begin to synchronize.

Verify HA

?name=media_1303156455630.png

Ha_config.png

Once you have configured the service correctly and applied the change, you should see a confirmation dialog on the master unit (see above).

If you click on Go to Management GUI, you should see the GUI of the slave appliance, which has only a limited set of functions.

Screenshot_from_2016-01-18_13_24_47.png

If this web interface cannot be visualized, it might be necessary that you add an iptables rule on tour local workstation, to allow you to reach the HA management network using the Master's GREEN IP as gateway.

Note

Now that you have successfully setup your Endian HA, any change you make on the primary unit will automatically get synced to the slave unit with the exception of updates, upgrades or device backups (these have to be performed manually on the slave unit). Due to this fact, the slave unit will become unaccessible on it’s old (GREEN) IP address and is only reachable on its new management IP. The slave Endian unit will automatically switch to an
informational-only web interface that you can access to check the status of the device or perform the basic manual functions as required.
Have more questions? Submit a request

Comments

  • Avatar
    Romeo Andreica

    The diagram is misleading because the direct cable is not needed any more and there is no need to set up VLANs on Endian.

  • Avatar
    Fabian Aravena

    Question:

    If i need two zones (WAN and LAN) i need two NIC cards and 1 switch L3?

    The network diagram isn't helpful so much, you should to upload a new diagram with better explanation.

    Thanks from Chile.