Device HA (High Availability) in uOS 1.31

Zyxel_Claudia (Zyxel Employee)
edited February 19 in Other Topics

Device HA ensures uninterrupted network connectivity by deploying two firewalls in an active-passive setup. If the active device fails or loses connectivity, the passive device takes over automatically to maintain network stability.

1. Requirements of Device HA

  • Requires Same Model & Firmware: Both firewalls must be the same model and firmware version
  • Single License Required: Only one firewall needs a security license, which gets transferred to the primary unit
  • Heartbeat Connection: Uses the last Ethernet port (e.g., port 8 for 200H, port 12 for 500H/700H)
  • Nebula Requirement: Both devices must be registered in the same Nebula organization
  • Device HA is NOT supported on USG FLEX 100H or USG FLEX 50H

2. Heartbeat Connection & Failover Triggers

Heartbeat: The firewalls communicate via a heartbeat signal every 2 seconds using UDP port 694.

If the passive firewall misses 2 heartbeat signals, it assumes the active role.

Failover occurs if:

  • A monitored interface on the active firewall goes link-down
  • A monitored Connectivity Check on the active firewall fails
  • The heartbeat times out
  • A firmware upgrade occurs

3. Configuration Synchronization

There are two types of synchronization in Device HA:

  • Full Synchronization (Happens During Initial Pairing & Manual Sync)

Manual Full Sync: Run CLI command on active firewall

  • Incremental Synchronization

Happens automatically when changes are made to the active firewall.

Updates sync to the passive firewall within 5 seconds.

Note: DO NOT manually configure the passive firewall! All changes must be made on the active device.

4. Avoiding Heartbeat Conflicts & Common Issues

What Happens If the Heartbeat Link is Disconnected?

  • Both firewalls become active → Causes network conflicts
  • After a conflict, the secondary will revert to passive state
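
The timing from sections 2 and 4, modelled as an added example (not Zyxel code and not part of the original post): it replays heartbeat arrival times as the passive node would see them and labels each takeover as a real failover or a dual-active conflict. The names `find_takeovers`, `Takeover`, `ARRIVALS` and `PEER_DOWN` are hypothetical, the sample timestamps are constructed, and "misses 2 heartbeats" is assumed to mean silence longer than 2 × 2 seconds.

```python
from dataclasses import dataclass

HEARTBEAT_INTERVAL = 2.0   # seconds between heartbeats (from the article)
MISSED_LIMIT = 2           # missed heartbeats before the passive takes over


@dataclass
class Takeover:
    at: float        # time the passive node assumes the active role
    silence: float   # total length of the heartbeat gap
    kind: str        # "failover" or "dual-active"


def find_takeovers(arrivals, peer_down, end_time,
                   interval=HEARTBEAT_INTERVAL, missed_limit=MISSED_LIMIT):
    """Replay heartbeat arrival times as seen by the passive node.

    arrivals  -- sorted timestamps (s) at which a heartbeat was received
    peer_down -- (start, end) windows when the active node was really down
    end_time  -- end of the observation window
    Assumption: the timeout is modelled as silence longer than
    missed_limit * interval; the real uOS timer may differ in detail.
    """
    dead_time = interval * missed_limit
    events = []
    points = list(arrivals) + [end_time]
    for last, nxt in zip(points, points[1:]):
        if nxt - last <= dead_time:
            continue  # heartbeat arrived in time, passive stays passive
        at = last + dead_time
        down = any(start <= at < end for start, end in peer_down)
        # Peer still running at takeover time means only the heartbeat link
        # failed, so both nodes are active at once (section 4).
        kind = "failover" if down else "dual-active"
        events.append(Takeover(at, nxt - last, kind))
    return events


# Constructed sample: steady heartbeats, one late packet (t=9.5), a pulled
# heartbeat cable from t=14 to t=24 (peer alive), then a real failure of the
# active node at t=39.
ARRIVALS = [0, 2, 4, 6, 9.5, 12, 14, 24, 26, 28, 30, 32, 34, 36, 38]
PEER_DOWN = [(39.0, 60.0)]

if __name__ == "__main__":
    for ev in find_takeovers(ARRIVALS, PEER_DOWN, end_time=60.0):
        print(f"t={ev.at:5.1f}s  silent {ev.silence:4.1f}s  {ev.kind}")
```

The passive node sees the same silence in both cases, which is why a broken heartbeat link ends in two active firewalls rather than a clean failover.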

5. Deploying Device HA: Step-by-Step Setup

Step 1: Prepare Your Devices

  • Register both firewalls in the same Nebula organization
  • Upgrade to the latest firmware version
  • Remove any existing settings on the last Ethernet port (for heartbeat)

Step 2: Configure the Primary Firewall

  • Enable Device HA
  • Select Primary Role
  • Set up Management IPs
  • (Optional) Configure Monitored Interfaces for failover

Step 3: Configure the Secondary Firewall

  • Enable Device HA
  • Select Secondary Role
  • Click Apply (management settings will auto-sync from primary)

Step 4: Connect Heartbeat Port

  • Use direct cable connection for best performance

Step 5: Verify HA Status

Check logs for:

  • "Paired Complete" and Active & Passive roles properly assigned
  • In GUI Dashboard, active firewall is labeled "Active Node"
  • Run CLI command for detailed sync status: show state vrf main device-ha debug sync-info