New Feature                                               Need help? Try our Zyxel Search AI feature Try Now!

Zyxel USG FLEX H Series [HA] - Setup Device High Availability (HA PRO) HA - High Availability (HA PRO) icon

Avatar
Raphael
  • Updated

The Device HA (High Availability) (HA PRO) solution guarantees continuous network connectivity by utilising a pair of firewalls figured in an active-passive setup. In this configuration, the active firewall handles traffic under normal conditions while the passive firewall remains on standby. Should the active device fail, the passive device automatically takes over as the active firewall within seconds, ensuring minimal disruption and maintaining seamless network operation.

Introduction of the Device High Availability

The following features can be transferred to the secondary Zyxel Device when it becomes active using Device HA:
  • Start-up and Running Configuration
  • Signatures
  • Device Insight
  • External Block List
  • DHCP Leasing Entries
  • Two-factor Authentication
  • Certificates
  • Licenses Including NCC if applicable
  • Zyxel Device Time

Requirement

  • The HA device requires the same firewall model and must install the same firmware version.
  • Both devices must be registered with the same organization.

Note: When configuring High Availability (HA) on USG FLEX H series devices, it is essential that both devices are registered under the same organization.
The active device must be assigned to the main site where your other devices are located.
The passive device can be assigned to an additional site or registered in the organization without a site assignment — this does not affect HA Pro functionality.

Firmware VersionSupport Paired Model
From 1.31USG FLEX 200HUSG FLEX 200H
USG FLEX 200HPUSG FLEX 200HP
USG FLEX 500HUSG FLEX 500H
USG FLEX 700HUSG FLEX 700H

Primary and secondary device roles

  • The roles of the primary and secondary devices are defined before deployment and remain unchanged during device operation.
  • Active and passive mode states can dynamically change during failover.

Note: After completing the HA synchronization, the passive device is automatically removed from its site (if it was previously assigned). You can manually delete the now-empty site, as it is no longer needed after the pairing process. Important: Do not remove the passive device from the organization, as this will break synchronization between the active and passive devices.

Heartbeat Port

Device HA uses a dedicated heartbeat link between an active and a passive device for status syncing and to trigger failover and back up to the passive device if the active device becomes unresponsive. On the passive device, all ports are disabled except for the port with the heartbeat link.
In the following example, Zyxel Device A is the active device that is connected to the passive device Zyxel Device B through a dedicated link that is used for heartbeat control, configuration synchronization and troubleshooting. All links on Zyxel Device B are down except for the dedicated heartbeat link.
  • A dedicated heartbeat port with a direct connection between the devices to monitor each other's status
  • The heartbeat port for each model is pre-defined

Device HA Prerequisites

  • Ensure both primary and secondary devices meet the following:
  1. Same model – Both must be USG FLEX 200H; different models (e.g., 200H vs. 200HP) are not supported.
  2. Same firmware – Must run the same version (uOS 1.31 or later).
  3. Same Nebula Organization – Both must be registered under the same Organization.
    • Assign the primary to Site 1
    • Assign the secondary to Site 2

Note: It is highly recommended that the device registration steps on Nebula be completed before pairing HA.

  • Enable SSH – SSH must be enabled on both devices (System > SSH) using port 22 for Device HA sync.
  • Management IP Subnet – Only 255.255.255.0 is supported.

Set up the Device HA

Note: During the initial HA setup, the primary (active) device must have an active Internet connection.
Internet connectivity is required to complete device registration, retrieve essential service and license information, and perform full configuration and licensing synchronization with the secondary device. The secondary (standby) unit does not require direct Internet access during the HA setup process, as all necessary data is replicated from the primary device.

When you first initialize the device, if you plan to use HA Pro, you must select "Web Configurator

To set up the Device HA feature, please log into the Zyxel firewalls web interface and navigate to:

Set up Device HA on the active Zyxel Device in System > Device HA > HA Configuration.

Choose the type of Mac address responsibly, as this setting cannot be changed once HA is activated. To make further changes, you will need to deactivate HA, make the changes, and then set up HA again. 

Check the HA status in System > Device HA > HA Status

Check the HA  log of the active Zyxel Device in System > Device HA > HA Log

Configure Device HA on the passive Zyxel Device in System > Device HA > HA Configuration.

Enable - HA Configuration (No further action is required at this stage. After activating HA on the passive device, disconnect all network connections from it, then connect the heartbeat cable from the active device to the passive device.)

Warning IMPORTANT: Enabling the secondary device's High Availability (HA) will:
• The device's WAN/LAN ports will link down.
• Log out current web GUI session

Connect the heartbeat Ethernet cable between the active and passive Zyxel Devices.

Verify the HA status of the active and passive Zyxel Devices in System > Device HA > HA Status.

Check the logs on the active Zyxel Device in System > Device HA > HA Log.

When you log into a Zyxel Device after Device HA pairing, you will see a banner to show if you are logged into the active or passive Zyxel Device.

You will also receive an email notification that the High Availability (HA) pairing process for your device(s) has been completed.

Failover Success - Log

Error Handling

The firewall will detect if the device firmware or model is different

Pairing Failed Status:

  • Cannot get MAC/SN correctly from certificate
  • Device registration failed
  • Device firmware or model mismatch detected
  • Devices belong to different organization
  • Device ownership mismatch
  • Device is not assigned to a site

Example 1: How to Check Device HA Status

usgflex500h> show state vrf main device-ha status
status
    enabled true
    pairing-state paired
    pairing-msg Paired
    ha-health-state connected
    local-state passive
    local-role primary
    active
        role secondary
        sn S212L4029XXXX
        icon-color on
        ..
    passive
        role primary
        sn S212L4029XXXX
        icon-color on
        ..
    ..
usgflex500h> show state vrf main device-ha summary
summary
    last-failover-epoch 1735296426
    last-failover-reason "Monitor interface link down"
    last-sync-epoch 1735296121
    last-sync-status Success
    ..

Example 2: Force a Full Synchronisation

[Active]

usgflex500h> cmd device-ha force-sync full
OKusgflex500h>

[Passive]

usgflex500h> cmd device-ha force-sync full
This command can only be used on active device.

Example 3: How to Check Synchronisation State?

[Passive]

usgflex700h> show state vrf main device-ha _debug sync-info
sync-info
    op-state passive
    msg "[Full sync(1024)] Received file sync event."
    date 2024/12/30-11:13:37
    ..
sync-info
    op-state passive
    msg "[Full sync(1024)] Full sync start..."
    date 2024/12/30-11:13:37
    ..
sync-info
    op-state passive
    msg "[Neoagent Certificate(8)] Neoagent Certificate sync start..."
    date 2024/12/30-11:13:37
    ..
sync-info
    op-state passive
cert_neoagent.tar.bz2 download success!"
    date 2024/12/30-11:13:37
    ..

Please Note:
uOS 1.31 prevent users apply configuration on GUI ,CLI and NCC live tool when Device HA paired
Reason is avoid applying configuration where HA is not activated


 

Related articles

Comments

0 comments

Please sign in to leave a comment.