HA Setup for automatic failover

For HA to work you need to have all interfaces on both nodes connected. That is both nodes need to be connected to the Internal network using the same physical interface and also both nodes need to connect to the External network on the same physical interface. UTM should normally have virtual MAC's and should therefore normally not break the connection. You didn't accidentally connect everything together in one switch did you? Internal and external network need to stay physically separated from each other.

For the internal part you can simply connect both UTM's to your normal internal network switch. Maybe you ISP router has multiple interfaces too (in case it's really a router) so you can also simply connect both UTM's external interfaces to it. If your ISP router only has one interface then you will need a simple switch in between your UTM's and the ISP router.

Did you configure a HA interface on your UTM?

This is more or less what I have set up. I used a small managed dlink switch, but can try again with an unmanaged switch.

To test at first, I had the switch connected to the master UTMs external interface and connected out to the same port on the other UTM, and to the ISP router. The internal interface was connected to the internal network (not through the same switch). In this configuration, I could access the UTM, but could not ping out from the UTM, or access the Internet from internal clients. Unfortunately, the router is in another room and only one connection to it. I will try with the unmanaged switch.

It can be done on the one switch if it is a managed switch. Simply create a block of 3 on the same vlan eg port 1, 2 & 3 = vlan 10 (your internal network), port 4, 5 & 6 = vlan 20 (your external network)

Plug both internal interfaces into vlan10 and both utm external faces into vlan20 . Plug you single connections into the appropriate spare port eg single external connection into the spare port on vlan 20

The UTM has to have the HA ports connected to each other which can be done with a short cat5e normal cable.

As long as your HA is configured, that will work.

Our HA UTM's actually go into stacked switches with one connection going into each switch so if the switch fails, the other will take over. Obviously with a single connection eg to the internet, there will be some form of manual switchover if the switch that goes has the single internet connection on it. For this reason, we mirror the port configuration so that the user simply plugs into the exact same port on the second switch.

Exactly what I was trying to set up. The switch is a Dlink DSG-1100-08. Ports 1-3 are the external vlan, and 5-8 are internal vlan, (with 7 & 8 being aggregated and connecting back to stacked switches).

I think I'm going so simplify this a bit for myself, ignore the internal vlan on the dlink, and plug the HA UTMs both into our internal switches. I will have to use the HA switch for the external connection with the understanding that if the switch fails, I will need to plug directly back into the UTM.

All of that is fine, except for the fact that when I tried to put the HA switch in between the UTMs and the router, I did not have a connection, leading to my first question about ARP. I'll give it another shot.

It should work even if you just use an external connection.

When ours switches over, we lose about 2 pings. If you run a PPPoE connection, it will drop for longer as that type of connection needs to re authenticate.

I normally set the same UTM to master. I then test by pulling one of the cables on the master and you then see the display change etc. Put the cable back in and it changes back a few minutes later.

Some of our connections are a little bit more important than others so we disable HA on those interfaces to stop the UTM switching over.

Maybe a coincidence, but yesterday our ISP placed a new router which currently only has one connection. I first put a small unmanaged gigabit switch in between the ISP and our 2 UTM's just to find that the bandwidth completely collapsed (should be about 100 Mbps but actual speed was at once only about 20-25 Mbps).

I then configured 3 ports into a new VLAN on our Cisco stack to rule out the small unmanaged switch, but that also drops our bandwidth and it does yellow-orange flash one of the ports on the Cisco (I think, but am not sure it was the port of the Slave unit). I have now just connected only the master switch (leaving the HA-system in an UNLINKED state) but I do have my complete bandwidth back. ISP should now solve this problem for me and make a second port available on the router.

"Some of our connections are a little bit more important than others so we disable HA on those interfaces to stop the UTM switching over."

That's not possible, so maybe you're thinking of something else???

Cheers - Bob

Hi Bob,

interfaces & routing > hardware > edit interface > un-tick "Ha Monitoring"

Louis

I see now what you meant Louis.  I thought you were saying that there was a selection to prevent an interface from switching over in HA.  You meant that you un-ticked the selection for the less-important interfaces so a failure on one of them didn't cause a fail over to the Standby unit.  Good idea.  I hadn't thought of using that for anything other than a lab or management connection.

Cheers - Bob

Yes, that's it Bob. We have an interface that is critical and has VoIP traveling down it. We also have a another connection that is ADSL and we didn't want that interface causing the switch over to occur as it's not a mission critical interface and we can afford it to drop so we un-ticked this.