HA_Config
High Availability requires one SRA appliance configured as the primary device, and an identical SRA configured as the backup device.
During normal operation, the primary device is in an active state, and services all connections. The backup device is in an idle state. When the primary device loses connectivity, the backup transitions to the active state and begins to service outside connections. The necessary data is synchronized between primary and backup devices, including settings data and session data.
The failover applies to loss of functionality or network-layer connectivity on the primary appliance. The failover to the backup unit occurs when critical services are affected, physical (or logical) link failure is detected, or when the primary unit loses power.
High Availability is supported in SRA 5.0 or higher on the SRA 4200, in SRA 6.0.0.6 or higher on the SRA 4600, and in SRA 7.5 or higher on the SRA Virtual Machine.
High Availability (HA) requires one SRA 4200, SRA 4600, or SRA Virtual Appliance configured as a primary device and an identical SRA configured as a backup device. The HA connection between two SRA appliances is in an Active/Passive state.
See the following sections for configuration information:
• Preparing for High Availability
• Configuring High Availability Settings on a 4200 and 4600
• Enabling Interface Monitoring
• Configuring Network Monitoring Addresses
• Configuring Management Settings for Idle Unit
You can select the interface to use for HA control traffic. The HA link should connect the identical ports of the SRA HA Pair, for example X3 of the primary appliance to X3 of the backup appliance.
During normal operation, the primary device is in an active state and services all connections, while the backup device is in an idle state. When the primary device loses connectivity, the backup transitions to the active state and begins to service outside connections.
Preparing for High Availability
Before configuring the options on the High Availability > Settings page, prepare your devices for High Availability with the following steps:
1. Configure both SRA appliances as separate devices with independent IP addresses on your subnet.
Note SRA appliances in an HA pair cannot be deployed behind a proxy.
2. Upload the latest SRA firmware to both devices. High Availability will not work unless both devices have the same firmware version installed.
3. Connect the X3 interfaces of the two appliances together with a CAT 5E or better cable to ensure a gigabit connection.
Note Dell SonicWALL recommends that you backup and download the settings for both SRA devices at this stage.
4. In a browser, log in to the primary unit and navigate to the Network > Interfaces page. Confirm that the X3 port is active by checking the Status, which should show 1000 Mbps Full Duplex.
Configuring High Availability Settings on a 4200 and 4600
The High Availability > Settings page provides settings for configuring High Availability.
Note The contents of this page vary slightly for a Virtual Machine, as explained in Configuring High Availability Settings on a Virtual Machine.
To enable High Availability and configure the options in the High Availability Settings section, perform the following steps:
1. In a browser, log in to the primary unit and navigate to the High Availability > Settings page.
2. Select the Enable High Availability check box.
The HA interface can only be set when the unit is in the HA unconnected mode, and both units must be set to the same interface.
3. Select the High Availability Interface from the drop-down list. The HA interface can only be set when the unit is in the HA unconnected mode, and the interface must be set to the same interface on both units.
4. Enter a number of milliseconds for the Heartbeat Interval. The heartbeat is used to test the connectivity between the primary and backup devices. The heartbeat interval controls how often the two units communicate. The minimum is 500 milliseconds (a half second), and the maximum is 300,000 milliseconds (5 minutes).
5. Enter a value for the Failover Trigger Level. This is the number of heartbeats that must be missed before failover occurs. The minimum is 4, and the maximum is 99.
6. In the Primary Serial Number field, type in the serial number of the primary device. The maximum length is 12 characters.
7. In the Backup Serial Number field, type in the serial number of the backup device. The maximum length is 12 characters.
9. In the browser, open a new tab and point it to the IP address of the backup unit. Log in to the backup.
10. Repeat 1. through 8. on the backup unit.
When you click the Accept button, the backup device will become IDLE and you will no longer be able to access it with its IP address. The primary device is now Active with the same settings it had before the HA configuration.
The appliances in the HA Pair immediately begin to synchronize data from the primary to the backup unit. When failover occurs and the primary is down, the backup unit will become Active with the same settings as the primary.
Configuring High Availability Settings on a Virtual Machine
The High Availability > Settings page provides settings for configuring High Availability.
To enable High Availability for a Virtual Machine and configure the options in the High Availability Settings section, perform the following steps:
1. In a browser, log in to the primary unit and navigate to the High Availability > Settings page.
2. Select the Enable High Availability check box.
The HA interface can only be set when the unit is in the HA unconnected mode, and both units must be set to the same interface.
3. Select the Primary Appliance check box if this Virtual Machine is the primary appliance in the HA pair.
4. Select the High Availability Interface from the drop-down list. The HA interface can only be set when the unit is in the HA unconnected mode, and the interface must be set to the same interface on both units.
5. Enter a number of milliseconds for the Heartbeat Interval. The heartbeat is used to test the connectivity between the primary and backup devices. The heartbeat interval controls how often the two units communicate. The minimum is 500 milliseconds (a half second), and the maximum is 300,000 milliseconds (5 minutes).
6. Enter a value for the Failover Trigger Level. This is the number of heartbeats that must be missed before failover occurs. The minimum is 4, and the maximum is 99.
7. Click Accept.
8. In the browser, open a new tab and point it to the IP address of the backup unit. Log in to the backup.
9. Configure High Availability on the backup unit.
When you click the Accept button, the backup device will become IDLE and you will no longer be able to access it with its IP address. The primary device is now Active with the same settings it had before the HA configuration.
The appliances in the HA Pair immediately begin to synchronize data from the primary to the backup unit. When failover occurs and the primary is down, the backup unit will become Active with the same settings as the primary.
In the Interface Monitoring section of the page, you can enable monitoring of the working interfaces to which VPN users connect.
The monitored interfaces available for selection are X0, X1, and X2. When Interface Monitoring is enabled and configured, if any of the monitored interfaces loses connectivity on the active unit and is still reachable on the idle unit, failover occurs.
To enable interface monitoring:
1. On the High Availability > Settings page under Interface Monitoring, select the Enable Interface Monitor check box.
2. In the Monitor Interfaces list, select the interfaces that you want to monitor.
3. Click Accept.
Configuring Network Monitoring Addresses
In the Network Monitoring Address section, you can configure monitoring of the LAN and WAN IP addresses. When Network Monitoring is configured, if the LAN or WAN connection is lost on the active unit, but is reachable on the idle unit, failover occurs.
When configured, the LAN and WAN connection status is detected and displayed in the High Availability Status section at the top of the page.
To configure network monitoring:
1. On the High Availability > Settings page under Network Monitoring Address, type the LAN IP address into the LAN Monitoring Address field.
2. Type the WAN IP address into the WAN Monitoring Address field.
3. Click Accept.
Configuring Management Settings for Idle Unit
In the Network Monitoring Address section, you can configure management settings for the idle unit.
High Availability configuration is limited for virtual appliances. Use the High Availability > Settings page to enable High Availability on the virtual appliance, designate it as the primary or secondary unit, and select the interface. Note the following limitations when configuring management settings for a virtual appliance:
• High Availability is not supported on a virtual appliance in Single Network Interface mode.
• The Synchronize Firmware function is not supported for a virtual appliance.
To configure management settings for the idle unit:
1. On the High Availability > Settings page under Management Settings for Idle Unit, check the Enable To Manage Idle Unit check box.
2. Select the Management Interface using the drop-down list.
3. Type the idle unit’s management IP address in the Management Address field.
Note If a management IP address is not entered, the High Availability Status > Backup Status field displays as “not available”, regardless of the actual status of the unit. Please enter the management IP address of the idle unit if you wish to view the status of it.
4. Click Accept.
You can synchronize firmware from the active unit to the idle unit in the HA pair by clicking the Synchronize Firmware button.
This allows you to synchronize firmware between the units after upgrading the active unit to a different version.
Note Synchronizing firmware on a Virtual Appliance is currently not supported.
Synchronize settings by clicking the Accept button. Synchronizing settings does not synchronize firmware, but synchronizes settings from the active to the idle unit.
The appliances in the HA Pair immediately begin to synchronize data from the primary to the backup unit. When failover occurs and the primary is down, the backup unit will become Active with the same settings as the primary.
To synchronize licenses between two SRA appliances in an HA pair, login to MySonicWALL.com and bind the two SRA appliances together. Both appliances will share the primary unit's license information.
Note There is no function in the SRA management interface to synchronize licenses between the two units in the HA pair, all license synchronization is controlled via MySonicWALL.
1. Once HA is enabled, can the idle device be used separately?
No. Once HA is configured, only one device can be in use at any one time. During failover the Idle device will become Active. Two devices in HA mode cannot be used as separate SRA appliances.
2. What will happen if we remove the HA interface cable from the devices?
If you remove the HA interface cable, then the IDLE device can be re-configured to work as a standalone. However, this will cause an IP conflict, as both the primary and backup devices have the same IP configuration.
3. Can the HA interface settings be amended, once HA is enabled?
When HA is configured, the ‘Edit’ button for the HA interface is grayed out and disabled. So the HA interface setting cannot be changed once the devices are in HA mode.
4. Can the X0, X1 and X2 interface settings be amended once HA mode is set up?
Yes, the X0, X1 and X2 interface settings can be amended on the primary device and these new settings will be copied to the backup device.
5. Can the synchronization status between the devices be viewed in the management interface?
Yes. These can be viewed on the Active SRA in the Log > View page. The log message: “Finish synchronizing all data”, will appear.
6. Is there any provision to make sure that the backup device is working correctly?
Yes. There will be many messages on the Log > View page regarding Active and Idle device transitions.
You can check the High Availability page for the device status; one should be ACTIVE and the other will be IDLE, as indicated in the image below:
If the LAN and WAN monitoring IP addresses are configured in the Network Monitoring Address section, the status of those interfaces is displayed.
You can also check the Network > Interfaces page for the X3 interface status, this should be “HA Link-Connected”.
7. Are firmware and settings synchronized to the Idle unit?
Yes, both firmware and settings are synchronized between Active and Idle nodes. The Synchronize Firmware button allows you to synchronize firmware from the Active to the Idle unit. When settings are changed, clicking the Accept button synchronizes settings.
8. Does the HA configuration for SRA 4200 or 4600 devices differ from the HA configuration of Dell SonicWALL firewall devices?
Yes. HA configuration on a firewall is very different. Along with other items, firewall HA is also available in Active/Active state and can be assigned a virtual IP address. HA with SRA devices is currently available only in Active/Passive mode.
9. How are settings applied to the Idle device?
Settings from the Active device are copied over to the Idle device as soon as HA configuration is complete. You can check the success of this in the active device logs.
10.What happens to the backup device settings?
The backup device settings are deleted and replaced with the primary device settings. If you wish to keep any settings from the backup device, it is recommended that you download a backup of the settings before switching to HA.
11. How do I view the status of the Backup unit?
Enter the management IP address of the idle unit into the High Availability > Settings > Management Settings For Idle Unit > Management Address text-field, then click the Accept button. Navigate to the High Availability Status and view the status in the Backup Status field. If the management IP address of the idle unit is not entered, the Backup Status will display as “Not Available”.
12. Can I deploy an HA pair behind a proxy?
No, SRA appliances in an HA pair cannot be deployed behind a proxy. They communicate with the backend servers directly to download signatures etc.