Device HA
Device HA Overview
Device HA lets a backup (or passive) Zyxel Device (B) automatically take over if the master (or active) Zyxel Device (A) fails.
Device HA and Device HA Pro Differences
Models that came with firmware versions 4.10 to 4.25 support both Device HA and Device HA Pro (you need a license) even after upgrading to versions 4.30 and later. Models that came with firmware versions 4.30 and later only support Device HA Pro.
Note: See
Overview to see which models support Device HA and/or Device HA Pro.
Device HA Vs Device HA Pro
feature | Device HA | Device HA Pro |
License | None required. | Need a license. |
Role | Role of Master and Backup is configurable. Master takes over from Backup if the Master goes down and then becomes the Master again if it comes back online again (failback). | Role of active and passive is not configurable. The active model is the one whose heartbeat interface comes online first. The passive becomes active if active goes down and stays active even if the previous active comes online again. |
Firmware Upgrade | Master remains Master by default when new firmware is uploaded. | If Device HA Pro is enabled, then both the active and passive Zyxel Device must be online and connected in order to upload firmware. New firmware is first uploaded to the passive device and then uploaded to the active device. By default, the passive device reboots after firmware upload making it become the active device. Don’t select the Reboot prompt after uploading firmware to the passive device if you want the passive device to remain passive when new firmware is uploaded. Alternatively, disable Device HA Pro if you want to just upload firmware to the active Zyxel Device. |
What is synchronized | Configuration file | Configuration file, device time, IPv4/v6 TCP sessions, IPSec VPN tunnels, user login/logout information, AV/IDP signatures, DHCP table, IP/MAC binding table. |
Maximum Failover Count | 0 | 5 (default) to 50. Can be reset by command. |
Best case Failover delay | 10~30 seconds to rebuild connections. | 0~1 seconds. |
Monitored Interfaces | Ethernet | Ethernet, VLAN, Bridge, LAG |
Dedicated monitor port | No | Heartbeat interface.  Remove Ethernet, VLAN, Bridge, LAG configurations from this port first. |
Device HA General
Device HA
• Device HA lets a backup Zyxel Device take over if the master Zyxel Device fails.
• The Zyxel Devices must be set to use the same Device HA mode (Device HA).
Management Access
You can configure a separate management IP address for each interface. You can use it to access the Zyxel Device for management whether the Zyxel Device is the master or a backup. The management IP address should be in the same subnet as the interface IP address.
Synchronization
Use synchronization to have a backup Zyxel Device copy the master Zyxel Device’s configuration, signatures (anti-virus, IDP/application patrol, and system protect), and certificates.
Note: Only Zyxel Devices of the same model and firmware version can synchronize.
Otherwise you must manually configure the master Zyxel Device’s settings on the backup (by editing copies of the configuration files in a text editor for example).
Before You Begin
• Configure a static IP address for each interface that you will have Device HA monitor.
Note: Subscribe to services on the backup Zyxel Device before synchronizing it with the master Zyxel Device.
Synchronization includes updates for services to which the master and backup Zyxel Devices are both subscribed. For example, a backup subscribed to IDP/AppPatrol, but not anti-virus, gets IDP/AppPatrol updates from the master, but not anti-virus updates. It is highly recommended to subscribe the master and backup Zyxel Devices to the same services.
The Configuration > Device HA > General screen lets you enable or disable Device HA, and displays which Device HA mode the Zyxel Device is set to use along with a summary of the monitored interfaces.Click on the icons to go to the OneSecurity website where there is guidance on configuration walkthroughs, troubleshooting, and other information.
Configuration > Device HA > General
Label | Description |
Enable Device HA | Select this to turn the Zyxel Device’s Device HA feature on. With Device HA, it is not recommended to use STP (Spanning Tree Protocol) on a switch connected to the Zyxel Device. |
Device HA Mode | This displays whether the Zyxel Device is currently set to use Device HA or Device HA Pro. You need a license to use Device HA Pro. Click the link to go to the screen where you can configure the Zyxel Device to use Device HA pro if it is not currently using it and you have a license. |
Monitored Interface Summary | This table shows the status of the interfaces that you selected for monitoring in the other Device HA screens. |
# | This is the entry’s index number in the list. |
Interface | These are the names of the interfaces that are monitored by Device HA. |
Virtual Router IP / Netmask | This is the interface’s IP address and subnet mask. Whichever Zyxel Device is the master uses this virtual router IP address and subnet mask. |
Management IP / Netmask | This field displays the interface’s management IP address and subnet mask. You can use this IP address and subnet mask to access the Zyxel Device whether it is in master or backup mode. |
Link Status | This tells whether the monitored interface’s connection is down or up. |
HA Status | The text before the slash shows whether the device is configured as the master or the backup role. This text after the slash displays the monitored interface’s status in the virtual router. Active - This interface is up and using the virtual IP address and subnet mask. Stand-By - This interface is a backup interface in the virtual router. It is not using the virtual IP address and subnet mask. Fault - This interface is not functioning in the virtual router right now. In Device HA if one of the master Zyxel Device’s interfaces loses its connection, the master Zyxel Device forces all of its interfaces to the fault state so the backup Zyxel Device can take over all of the master Zyxel Device’s functions. |
Device HA Pro Service | |
Service Status | This shows if Device HA Pro is licensed on the Zyxel Device. If not, click Buy to purchase a license and then click Register Now to activate it at myZyxel. These are the steps to activate a Device HA Pro license on your active and passive Zyxel Devices. 1. Buy a Device HA Pro iCard. The card contains two keys. 2. Register your active and passive Zyxel Devices at myZyxel. 3. Activate the license by entering one key on the active Zyxel Device and the other key on the passive Zyxel Device. It doesn’t matter which Zyxel Device is actually active or passive as this is dynamic in Device HA Pro. |
Register Now | Click the link to go to myZyxel where you can register your Zyxel Device and activate the service. This link is available only when the service is not activated yet. |
Apply | Click Apply to save your changes back to the Zyxel Device. |
Reset | Click Reset to return the screen to its last-saved settings. |
The Device HA Screen
Virtual Router
The master and backup Zyxel Device form a single ‘virtual router’.
Cluster ID
You can have multiple Zyxel Device virtual routers on your network. Use a different cluster ID to identify each virtual router.
Monitored Interfaces in Device HA
You can select which interfaces Device HA monitors. If a monitored interface on the Zyxel Device loses its connection, Device HA has the backup Zyxel Device take over.
Enable monitoring for the same interfaces on the master and backup Zyxel Devices. Each monitored interface must have a static IP address and be connected to the same subnet as the corresponding interface on the backup or master Zyxel Device.
Virtual Router and Management IP Addresses
• If a backup takes over for the master, it uses the master’s IP addresses. These IP addresses are known as the virtual router IP addresses.
• Each interface can also have a management IP address. You can connect to this IP address to manage the Zyxel Device regardless of whether it is the master or the backup.
For example, Zyxel Device B takes over A’s 192.168.1.1 LAN interface IP address. This is a virtual router IP address. Zyxel Device A keeps it’s LAN management IP address of 192.168.1.5 and Zyxel Device B has its own LAN management IP address of 192.168.1.6. These do not change when Zyxel Device B becomes the master.
Configuring Device HA
The Device HA screen lets you configure general Device HA settings, view and manage the list of monitored interfaces, and synchronize backup Zyxel Devices.
Configuration > Device HA > Device HA
Label | Description |
Show Advanced Settings / Hide Advanced Settings | Click this button to display a greater or lesser number of configuration fields. |
Device Role | Select the Device HA role that the Zyxel Device plays in the virtual router. Choices are: Master - This Zyxel Device is the master Zyxel Device in the virtual router. This Zyxel Device uses the virtual IP address for each monitored interface. Do not set this field to Master for two or more Zyxel Devices in the same virtual router (same cluster ID). Backup - This Zyxel Device is a backup Zyxel Device in the virtual router. This Zyxel Device does not use any of the virtual IP addresses. |
Priority | This field is available for a backup Zyxel Device. Type the priority of the backup Zyxel Device. The backup Zyxel Device with the highest value takes over the role of the master Zyxel Device if the master Zyxel Device becomes unavailable. The priority must be between 1 and 254. (The master interface has priority 255.) |
Enable Preemption | This field is available for a backup Zyxel Device. Select this if this Zyxel Device should become the master Zyxel Device if a lower-priority Zyxel Device is the master when this one is enabled. (If the role is master, the Zyxel Device preempts by default.) |
Cluster Settings | |
Cluster ID | Type the cluster ID number. A virtual router consists of a master Zyxel Device and all of its backup Zyxel Devices. If you have multiple Zyxel Device virtual routers on your network, use a different cluster ID for each virtual router. |
Authentication | Select the authentication method the virtual router uses. Every interface in a virtual router must use the same authentication method and password. Choices are: None - this virtual router does not use any authentication method. Text - this virtual router uses a plain text password for authentication. Type the password in the field next to the radio button. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘ \ () ), and it can be up to eight characters long. IP AH (MD5) - this virtual router uses an encrypted MD5 password for authentication. Type the password in the field next to the radio button. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ‘ \ () ), and it can be up to eight characters long. |
Monitored Interface Summary | This table shows the status of the Device HA settings and status of the Zyxel Device’s interfaces. |
Edit | Select an entry and click this to be able to modify it. |
Activate | To turn on an entry, select it and click Activate. |
Inactivate | To turn off an entry, select it and click Inactivate. |
# | This is the entry’s index number in the list. |
Status | The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. |
Interface | This field identifies the interface. At the time of writing, Ethernet and bridge interfaces can be included in the Device HA virtual router. The member interfaces of any bridge interfaces do not display separately. |
Virtual Router IP / Netmask | This is the master Zyxel Device’s (static) IP address and subnet mask for this interface. If a backup takes over for the master, it uses this IP address. These fields are blank if the interface is a DHCP client or has no IP settings. |
Management IP / Netmask | This field displays the interface’s management IP address and subnet mask. You can use this IP address and subnet mask to access the Zyxel Device whether it is in master or backup mode. |
Link Status | This tells whether the monitored interface’s connection is down or up. |
Synchronization | Use synchronization to have a backup Zyxel Device copy the master Zyxel Device’s configuration, certificates, AV signatures, IDP and application patrol signatures, and system protect signatures. Every interface’s management IP address must be in the same subnet as the interface’s IP address (the virtual router IP address). |
Server Address | If this Zyxel Device is set to backup role, enter the IP address or Fully-Qualified Domain Name (FQDN) of the Zyxel Device from which to get updated configuration. Usually, you should enter the IP address or FQDN of a virtual router on a secure network. If this Zyxel Device is set to master role, this field displays the Zyxel Device’s IP addresses and/or Fully-Qualified Domain Names (FQDN) through which Zyxel Devices in backup role can get updated configuration from this Zyxel Device. |
Sync. Now | This displays if the Zyxel Device is set to use Device HA, the Zyxel Device is in the backup role and Device HA is enabled. Click this to copy the specified Zyxel Device’s configuration. |
Server Port | If this Zyxel Device is set to the backup role, enter the port number to use for Secure FTP when synchronizing with the specified master Zyxel Device. If this Zyxel Device is set to master role, this field displays the Zyxel Device’s Secure FTP port number. Click the Configure link if you need to change the FTP port number. Every Zyxel Device in the virtual router must use the same port number. If the master Zyxel Device changes, you have to manually change this port number in the backups. |
Password | Enter the password used for verification during synchronization. Every Zyxel Device in the virtual router must use the same password. If you leave this field blank in the master Zyxel Device, no backup Zyxel Devices can synchronize from it. If you leave this field blank in a backup Zyxel Device, it cannot synchronize from the master Zyxel Device. |
Retype to Confirm | Type the password again here to confirm it. |
Auto Synchronize | You see the following fields when the Zyxel Device is a Backup. Select this to get the updated configuration automatically from the specified Zyxel Device according to the specified Interval. The first synchronization begins after the specified Interval; the Zyxel Device does not synchronize immediately. |
Interval | When you select Auto Synchronize, set how often the Zyxel Device synchronizes with the master. |
Next Sync Time | This appears the next time and date (in hh:mm yyyy-mm-dd format) the Zyxel Device will synchronize with the master. |
Apply | This appears when the Zyxel Device is currently using Device HA. Click Apply to save your changes back to the Zyxel Device. |
Reset | Click Reset to return the screen to its last-saved settings. |
Device HA Edit Monitored Interface
The Device HA Monitored Interface Edit screen lets you enable or disable monitoring of an interface and set the interface’s management IP address and subnet mask.
If you configure Device HA settings for an Ethernet interface and later add the Ethernet interface to a bridge, the Zyxel Device retains the interface’s Device HA settings and uses them again if you later remove the interface from the bridge. If the bridge is later deleted or the interface is removed from it, Device HA will recover the interface’s setting.
A bridge interface’s Device HA settings are not retained if you delete the bridge interface.
Configuration > Device HA > Device HA > Edit
Label | Description |
Enable Monitored Interface | Select this to have Device HA monitor the status of this interface’s connection. |
Interface Name | This identifies the interface. Do not connect the bridge interfaces on two Zyxel Devices without Device HA activated on both. Doing so could cause a broadcast storm. Either activate Device HA before connecting the bridge interfaces or disable the bridge interfaces, connect the bridge interfaces, activate Device HA, and finally reactivate the bridge interfaces. |
Virtual Router IP (VRIP) / Subnet Mask | This is the interface’s (static) IP address and subnet mask in the virtual router. Whichever Zyxel Device is currently serving as the master uses this virtual router IP address and subnet mask. These fields are blank if the interface is a DHCP client or has no IP settings. |
Manage IP | Enter the interface’s IP address for management access. You can use this IP address to access the Zyxel Device whether it is the master or a backup. This management IP address should be in the same subnet as the interface IP address. |
Manage IP Subnet Mask | Enter the subnet mask of the interface’s management IP address. |
OK | Click OK to save your changes back to the Zyxel Device. |
Cancel | Click Cancel to exit this screen without saving your changes. |
Device HA with Bridge Interfaces
Here are two ways to avoid a broadcast storm when you connect the bridge interfaces on two Zyxel Devices.
First Option for Connecting the Bridge Interfaces on Two Zyxel Devices
The first way is to activate Device HA before connecting the bridge interfaces as shown in the following example.
1 Make sure the bridge interfaces of the master Zyxel Device (A) and the backup Zyxel Device (B) are not connected.
2 Configure the bridge interface on the master Zyxel Device, set the bridge interface as a monitored interface, and activate Device HA.
3 Configure the bridge interface on the backup Zyxel Device, set the bridge interface as a monitored interface, and activate Device HA.
4 Connect the Zyxel Devices.
Second Option for Connecting the Bridge Interfaces on Two Zyxel Devices
Another option is to disable the bridge interfaces, connect the bridge interfaces, activate Device HA, and finally reactivate the bridge interfaces as shown in the following example.
1 In this case the Zyxel Devices are already connected, but the bridge faces have not been configured yet. Configure a disabled bridge interface on the master Zyxel Device but disable it. Then set the bridge interface as a monitored interface, and activate Device HA.
2 Configure a corresponding disabled bridge interface on the backup Zyxel Device. Then set the bridge interface as a monitored interface, and activate Device HA.
3 Enable the bridge interface on the master Zyxel Device and then on the backup Zyxel Device.
Synchronization
During synchronization, the master Zyxel Device sends the following information to the backup Zyxel Device.
• Startup configuration file (startup-config.conf)
• AV signatures
• IDP and application patrol signatures
• System protect signatures
• Certificates (My Certificates, and Trusted Certificates)
Synchronization does not change the Device HA settings in the backup Zyxel Device.
Synchronization affects the entire device configuration. You can only configure one set of settings for synchronization, regardless of how many VRRP groups you might configure. The Zyxel Device uses Secure FTP (on a port number you can change) to synchronize, but it is still recommended that the backup Zyxel Device synchronize with a master Zyxel Device on a secure network.
The backup Zyxel Device gets the configuration from the master Zyxel Device. The backup Zyxel Device cannot become the master or be managed while it applies the new configuration. This usually takes two or three minutes or longer depending on the configuration complexity.
The following restrictions apply with active-passive mode.
• The master Zyxel Device must have no inactive monitored interfaces.
• The backup Zyxel Device cannot be the master. This refers to the actual role at the time of synchronization, not the role setting in the configuration screen.
The backup applies the entire configuration if it is different from the backup’s current configuration.
Device HA Status
Use this screen to view Device HA Pro license status and details on the active and passive Zyxel Devices.
Configuration > Device HA > Device HA Status
Label | Description |
Active Device Status | This section displays information on the active Zyxel Device with an activated Device HA Pro license. |
Health Status | This displays Off or On depending on whether Device HA Pro is disabled or enabled on the active Zyxel Device. |
S/N | This displays the serial number of the active Zyxel Device. |
MAC | This displays the hardware MAC address of the active Zyxel Device with an activated Device HA Pro license. |
Synch Status | This displays the synchronization progress, No Progress / Fail / Abort / Success / In Progress, between the active Zyxel Device with an activated Device HA Pro license and the passive Zyxel Device. |
Passive Device Status | This section displays information on the passive Zyxel Device with an activated Device HA Pro license. |
Health Status | This displays Off or On depending on whether Device HA Pro is disabled or enabled on the passive Zyxel Device. |
S/N | This displays the serial number of the passive Zyxel Device. |
MAC | This displays the hardware MAC address of the passive Zyxel Device. |
Synch Status | This displays the synchronization progress, No Progress / Fail / Abort / Success / In Progress, between the passive Zyxel Device with an activated Device HA Pro license and the active Zyxel Device. |
Device HA Pro Service | These are the steps to activate a Device HA Pro license on your active and passive Zyxel Devices. 1. See your Device HA Pro iCard. The card contains two keys. 2. Register your active and passive Zyxel Devices at myZyxel. 3. Activate the license by entering one key on the active Zyxel Device and the other key on the passive Zyxel Device. It doesn’t matter which Zyxel Device is actually active or passive as this is dynamic in Device HA Pro. |
Service Status | This field displays whether a service license is enabled at myZyxel (Activated) or not (Not Activated) or expired (Expired). It displays the remaining Grace Period if your license has Expired. It displays Not Licensed if there isn’t a license to be activated for this service. If you need a license or a trial license has expired, click Buy to buy a new one. If a Standard license has expired, click Renew to extend the license. Then, click Activate to connect with the myZyxel server to activate the new license. |
Apply | Click Apply to save your changes back to the Zyxel Device. |
Reset | Click Reset to return the screen to its last-saved settings. |
Device HA Pro
You need a license to use Device HA Pro. Device HA Pro is easier to deploy than Device HA, is more reliable (no risk of overloading), and faster (Device HA causes a connection break of 10~30 seconds while Device HA Pro just has 1~2 seconds). In addition to configuration file backup in Device HA, device time, TCP sessions (IPv4/IPv6), IPSec VPN sessions, login/logout information, DHCP table, IP/MAC binding table and license status can also be backed up using Device HA Pro.
Active and Passive Devices
Device HA Pro uses a dedicated heartbeat link between an active device (‘master’) and a passive device (‘backup’) for status syncing and backup to the passive device. On the passive device, all ports are disabled except for the port with the heartbeat link.
Zyxel Device A is the active device that is connected to passive device Zyxel Device B via a dedicated link that is used for heartbeat control, configuration synchronization and troubleshooting. All links on Zyxel Device B are down except for the dedicated heartbeat link.
Note: The dedicated heartbeat link port must be the highest-numbered port on each Zyxel Device for Device HA Pro to work.
Failover from the active Zyxel Device to the passive Zyxel Device is activated when:
• A monitored interface is down
• A monitored service (daemon) is down
• The heartbeat link exceeds the failure tolerance.
After failover, the initial active Zyxel Device becomes the passive Zyxel Device after it recovers.
Deploying Device HA Pro
1 Register either the active or passive Zyxel Device with a Device HA Pro license at myZyxel. Check that it’s properly licensed in Licensing > Registration > Service in the active Zyxel Device.
2 Make sure the passive Zyxel Device is offline, then enable Device HA in Device HA > General in the passive Zyxel Device.
3 Must make sure the FTP port in System > FTP (default 21) is the same on both Zyxel Devices. FTP is used for transferring files in the event of failover from active to passive Zyxel Device.
4 Connect the passive Zyxel Device to the active Zyxel Device using the highest-numbered ports on both Zyxel Devices. This is the heartbeat interface. Make sure that this interface is not already configured for other features such as LAG, VLAN, Bridge.
Note: If both Zyxel Devices are turned on at the same time with Device HA enabled, then they may send the heartbeat at the same time. In this case, the Zyxel Device with the bigger MAC address becomes the passive Zyxel Device.
5 When using Device HA Pro to synchronize firmware, the location of the running firmware must be the same in both active and passive Zyxel Devices. For example, if the running firmware is in partition 1 in the active Zyxel Device (standby firmware in partition 2), then the running firmware must also be in partition 1 in the passive Zyxel Device (standby firmware in partition 2).
Configuring Device HA Pro
Configuration > Device HA > Device HA Pro
Label | Description |
Enable Device HA | Select this to turn the Zyxel Device’s Device HA Pro feature on. |
Enable Configuration Provisioning From Active Device. | Select this to have a passive Zyxel Device copy the active Zyxel Device’s configuration, signatures (anti-virus, IDP/application patrol, and system protect), and certificates. Only Zyxel Devices of the same model and firmware version can synchronize. |
Serial Number of Licensed Device for License Synchronization | Type the serial number of the Zyxel Device (active or passive) with the Device HA Pro subscribed license. |
Active Device Management IP | Type the IPv4 address of the highest-numbered port on the active Zyxel Device (the heartbeat dedicated link port). |
Passive Device Management IP | Type the IPv4 address of the highest-numbered port on the passive Zyxel Device (the heartbeat dedicated link port). The active and passive Zyxel Device Management IP addresses must be in the same subnet. |
Subnet Mask | Type the subnet mask for the management IP addresses. |
Password | Type a synchronization password of between 1 and 32 single-byte printable characters. You will be prompted for the password before synchronization takes place. |
Retype to Confirm | Type the exact same synchronization password as typed above. |
Heartbeat Interval | Type the number of seconds (1-10) allowed for absence of a heartbeat signal before a failure of the active Zyxel Device is recorded. |
Heartbeat Lost Tolerance | Type the number of heartbeat failures allowed before failover is activated on the passive Zyxel Device. |
Monitor Interface | Select an interface in Available Interfaces and click the right-arrow button to move it to Monitor Interface to become a Device HA pro monitored interface. To remove a Device HA pro monitored interface, select it in Monitor Interface and click the left-arrow button to move it to Available Interfaces. |
Failover Detection | |
Enable Failover When Interface Failure (Option) | Select this to have the passive Zyxel Device take over when a monitored interface fails. |
Enable Failover When Device Service Fails (Option) | Select this to have the passive Zyxel Device take over when a monitored service daemon on the active Zyxel Device fails. |
Apply & switch to Device HA Pro | Click Apply to save your changes back to the Zyxel Device and change the Zyxel Device to begin using Device HA Pro from Device HA (general) if it isn’t already. You need a Device HA Pro license registered at myZyxel to do this. |
Apply | Click Apply to save your Device HA Pro configurations back to the Zyxel Device but keep the Zyxel Device using Device HA (general). |
Reset | Click Reset to return the screen to its last-saved settings. |
View Log
Use this screen to see Device HA Pro logs on the active and passive Zyxel Devices.
Configuration > Device HA > View Log
Label | Description |
Logs | |
Active Device | This displays Device HA Pro logs on the active Zyxel Device. |
Passive Device | This displays Device HA Pro logs on the passive Zyxel Device. |
Refresh | Click Refresh to update information in this screen. |