Overview
The Device HA feature acts as a failover when one of the devices in the network is dead or can't access the internet. Therefore, this is a popular feature for network environments. In Device HA Pro a "heartbeat link" is added for monitoring the interface status and synchronizing settings.
Supported Devices
ZyWALL 110
ZyWALL 310
ZyWALL 1100
USG110
USG210
USG310
USG1100
USG1900
USG2200-VPN
Register Appliance and License
The first step to setting up the Device HA Pro feature is to register the equipment to myZyxel.com (http://portal.myzyxel.com). To register the Zyxel security appliance each must be connected to the internet first to register hardware, activate licenses and sync. To begin please log in to the device web configuration screen and go to menu, Configuration() → Licensing → Registration. From the Registration tab click on the "portal.myzyxel.com" link, enter your myZyxel.com credentials or create an account if you have not done so.
Once the Zyxel appliance is registered you will need to activate the Device HA Pro service license for each device and pair them together. If this is a first time setup, registration and license activation will be completed by the wizard. To create an HA pair, click on the HA Pro tab from the Device Management → My Devices menu on the myZyxel.com page. Select the Setup HA button for the device that will assume the primary device role.
Click the dropdown for the Passive device and select from list.
Now that the appliances and licenses have been registered with myZyxel.com, return to the device web configuration screen and click the Service tab from the registration menu. Click the Service License Refresh button to refresh the services with the myZyxel.com server.
Active Device Setup
To setup the Device HA Pro feature please login to the Zyxel appliance web configuration screen and access menu, Configuration() → Device HA and click the Device HA Pro tab. The last physical RJ45 connection on the Zyxel appliance (example: P7) is the Device HA Management port (Heartbeat Port). Please make sure that this port is not part of a LAG, VLAN or bridge interface.
- Uncheck the "Enable Configuration Provisioning From Active Device" option.
- Verify that the serial number is the primary device S/N.
- Provide an IP address for the Active Device.
Note: This IP must be unique and not conflict with any other interface on the ZyWALL/USG. - Provide an IP address for the Passive Device. (within the same subnet)
- Provide a subnet mask.
- Create a sync password.
- Select the monitor interfaces from the available list and move them over to the member list.
Note: Monitored zones must have a physical port as member. Check port grouping on appliance for details. - Configure your desired Failover Detection settings.
- Click the Apply & switch to Device HA Pro button.
Click the General tab to enable the Device HA feature on the appliance.
- Verify the Device HA Mode is set to "Device HA Pro".
- Check the box to "Enable Device HA".
- Click the Apply button at the bottom of the screen to save the settings.
Passive Device Setup
To configure the passive device please connect your computer to the second Zyxel appliance and access the Configuration() → Device HA menu and click the Device HA Pro tab.
- Make sure the "Enable Configuration Provisioning From Active Device" is checked.
- Click the Apply & switch to Device HA Pro button.
Click the General tab to enable the Device HA feature on the appliance.
- Verify the Device HA Mode is set to "Device HA Pro".
- Check the box to "Enable Device HA".
- Click the Apply button at the bottom of the screen to save the settings.
Connect an Ethernet cable to the Heartbeat (HA) Port on both devices and allow about 5 minutes for the devices to sync all settings.
At this point the Device HA Pro feature is configured and any changes made to the primary (Active) device will sync to the secondary (Passive) unit.
Note: Please be sure to enable "Connectivity Check" for the ALL monitored connection(s). Enabling this option will allow the Zyxel appliance to test for activity and switch over to secondary internet connection or Passive device if Active device was to fail a connection test.
Troubleshooting Tips
- Devices will not sync
- Make sure both appliances are running the same firmware revision. Both must be running the same firmware version to sync.
- Make sure both appliances are running the same firmware bank/slot. If the primary device is running firmware slot 1 and slot 2 is standby, the second unit must also be running slot 1 with slot 2 on standby.
- Make sure only the Heartbeat port (last RJ46 port on appliance [ex: P7]) is connected to the primary device for the first 5 minutes after enabling the Device HA Pro feature. If both devices are connected to a live network at the same time this may cause routing issues, loops and collisions affecting the network.
- Unable to access the Passive device
- Please make sure the devices are done syncing. The initial sync process may take up to 5 minutes.
- Use the IP address you configured on the Device HA Pro menu for "Passive Device Management IP".
- I made changes on the Passive device but, they are not syncing on the Master.
- Once Device HA Pro is configured, any changes to the network configuration should be made on the Master/Primary device. The Passive device is just a slave and changes made here will not be applied to the Primary/Master.
- Why can’t see the correct license status from the myzyxel.com server?
- On the Device-HA Pro setting, there is a function “Serial number of the licensed device for license synchronization”. You should enter the device’s S/N with licenses. So you can transfer all of the licenses to the “Activate” device, and enter this device’s S/N in the frame.
- Note: The default bundled one-year Gold Security Pack license of ATP gateways is non-transferable. For Device HA deployment, please contact Zyxel support in your country/region to help you transfer licenses.
- After licenses are transferred to the primary device, the secondary device has a Trial license only. You can log in to myZyxel.com to check the license status of each device. Here License Service of the Second device:
Comments
0 comments
Please sign in to leave a comment.