Device HA Enhancements in Firmware 1.35: Improved Synchronization, Port Management, Failover Control





Firmware 1.35 brings a powerful set of enhancements to Device HA Pro, designed to improve system resilience, simplify upgrade scenarios, and refine synchronization behavior across firewall pairs. Below are the five key enhancements you need to know.
Enhancement 1: Expanded Full Synchronization Triggers
Previously, full synchronization between active and passive firewalls occurred only during initial pairing or via manual CLI commands. With firmware 1.35, five additional scenarios now trigger a full synchronization automatically:
- Device Reboot (Active): If the active firewall reboots, the passive takes over. Once the active device returns, it syncs with the new active unit to ensure configuration parity.
- Device Reboot (Passive): When the passive unit reboots, the active device performs a full sync once the passive is back online.
- Firmware Upgrade Process: A full sync is performed after both firewalls complete a firmware upgrade cycle to ensure the updated configuration is uniformly applied.
- Unpausing Device HA: Re-enabling HA after it’s been paused will now trigger a full sync to resynchronize both units.
- Heartbeat Link Recovery: If the heartbeat link between firewalls fails and recovers, a full sync will be triggered after the election process restores the correct roles.
These improvements minimize manual intervention and reduce risks of configuration drift between HA-paired devices.
Enhancement 2: New HA Communication Port (TCP 49058)
Previously, TCP port 22 (SSH) was used for HA communication, which caused conflicts or limitations in certain deployments. With firmware 1.35:
- HA sync traffic now uses TCP port 49058
- This port is reserved by default and cannot be overridden by user policies or configurations.
- Attempts to manually block port 49058 via policy control are overridden by an internal rule.
- If 49058 was previously used for other services (e.g., SSH, HTTPS), a conflict will be logged, and HA will fail until the conflict is resolved.
- CLI command to check sync port:
    show state vrf main device-ha status
Enhancement 3: Logged-In User Session Synchronization
To ensure service continuity during HA failover, Zyxel now supports session synchronization for authenticated users:
- Applies to HTTPS admin sessions and Captive Portal users
- Synchronization occurs within 5 seconds of login
- If failover occurs less than 5 seconds after login, the session may be lost
Sessions such as web console and remote access VPN are not included in this enhancement.
This ensures that users don’t need to re-authenticate during HA failover, improving user experience and maintaining connectivity.
Enhancement 4: Accurate Standby Partition Upgrades
Before this update, firmware upgrades in HA environments could mistakenly overwrite the running partition of the passive device, due to mismatched partition mappings between the two firewalls.
Now, the active firewall respects the passive device’s actual partition structure and always installs firmware upgrades to the correct standby partition. This ensures:
- Reliable fallback in case of upgrade failures
- Consistency between both devices’ boot partitions
- Fewer upgrade-related HA errors
This behavior applies to upgrades initiated via Web GUI, FTP, or Nebula Control Center (NCC).
Enhancement 5: Failover Flapping Protection & Manual Reset
Unstable monitored interfaces may cause excessive failover events, disrupting the network. To prevent this:
- Zyxel firewalls now enforce a failover pause count, defaulting to 5 failovers in 5 days.
- After the limit is hit, no further failovers occur until the counter resets.
New CLI Options in Firmware 1.35:
- Check Failover Count:
    show state vrf main device-ha summary
- Reset Failover Count Manually:
    cmd device-ha failover-pause-count clear
- Disable Failover Pause Limit:
    cmd device-ha failover-pause-count disable
This gives admins more control—especially in demo environments or during controlled failover testing.
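As an added example (not Zyxel code and not part of the original article), the Python below tracks failover events from exported logs against the default limit of 5 failovers in 5 days, so an unstable monitored interface is noticed before the pause limit stops further failovers. The log line format, host names and interface names are constructed, and the trailing 5-day window is an assumption, since the article does not describe how the firmware's counter resets.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

LIMIT = 5                    # from the article: default failover pause count
WINDOW = timedelta(days=5)   # from the article: counted over 5 days

# Hypothetical line format invented for this example (not Zyxel's real log text).
EVENT = re.compile(r"^(\S+) \S+ device-ha: failover to \S+ \(monitor (\S+) down\)$")

# Constructed sample log.
SAMPLE_LOG = """\
2025-03-01T02:10:00 fw-a device-ha: failover to fw-b (monitor ge3 down)
2025-03-01T02:10:07 fw-b device-ha: full sync completed
2025-03-02T09:00:00 fw-b device-ha: failover to fw-a (monitor ge3 down)
2025-03-03T11:30:00 fw-a device-ha: failover to fw-b (monitor ge3 down)
2025-03-04T23:45:00 fw-b device-ha: failover to fw-a (monitor ge4 down)
2025-03-05T01:00:00 fw-a device-ha: failover to fw-b (monitor ge3 down)
2025-03-09T12:00:00 fw-b device-ha: failover to fw-a (monitor ge3 down)
"""

def parse_failovers(log_text):
    """Return sorted (timestamp, interface) pairs for failover lines only."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return sorted(events)

def window_report(events, limit=LIMIT, window=WINDOW):
    """Count failovers in the trailing window at each event and grade it."""
    report, start = [], 0
    for i, (t, _) in enumerate(events):
        while events[start][0] <= t - window:   # drop events older than the window
            start += 1
        count = i - start + 1
        status = "limit-reached" if count >= limit else "warn" if count == limit - 1 else "ok"
        report.append((t.isoformat(), count, status))
    return report

def flapping_interfaces(events):
    """Tally which monitored interface triggered each failover."""
    return Counter(iface for _, iface in events)

if __name__ == "__main__":
    events = parse_failovers(SAMPLE_LOG)
    for row in window_report(events):
        print(*row)
    print(dict(flapping_interfaces(events)))
```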
Final Notes on WAN Connectivity Checks
- Device HA failover relies on monitor interfaces, not on the WAN connectivity check.
- WAN Trunk failover uses connectivity checks to switch between primary/backup WAN links, but this does not trigger Device HA role changes.
- Admins seeking advanced failover scenarios (e.g., failover on Layer 3 issues without link down) are advised to consult application-specific guides or request Zyxel support documentation.
These enhancements make Device HA Pro more reliable, more intuitive, and better aligned with real-world enterprise scenarios. Whether you're managing firmware upgrades or responding to network instability, firmware 1.35 gives you the tools to ensure HA is truly high-availability.