Overview
Use High Availability Settings to configure the appliance HA role and the virtual IP address shared by an HA pair. The workflow controls HA enablement, cluster identity, preferred role, VRRP priority, HA handshake password, HA port, private port address, netmask, and virtual IP address.
The same settings are available from the CLI through:
config system ha
show system ha
Typical Uses
Use this topic when two appliances should present a shared management or service address and one unit should take ownership of that virtual IP while the peer is standby.
Typical examples:
Show HA settings: show system ha
Display from config:
config system ha
Enable HA on an active unit:
config system ha enable true name flowdirector device_role active cluster_id 100 device_priority 120 ha_handshake_password HASecret ha_port eth0 private_ip 10.1.1.2 private_netmask 255.255.255.0 virtual_ip 10.1.1.100
Enable HA on a standby unit:
config system ha enable true name flowdirector device_role standby cluster_id 100 device_priority 100 ha_handshake_password HASecret ha_port eth0 private_ip 10.1.1.3 private_netmask 255.255.255.0 virtual_ip 10.1.1.100
Disable HA:
config system ha enable false
Prerequisites
- Confirm that you have administrator permission to change system settings.
- Record the current settings with
show system ha. - Confirm the peer units, HA port, private IP addresses, netmask, and virtual IP address.
- Confirm that the virtual IP address is not already used by another device.
- Configure both units with the same Unique HA Cluster ID, HA Handshaking Password, and Virtual IP Address.
- Use different HA Port Private IP Address values for the two units.
- Use a higher Priority for the preferred active unit.
- Confirm that firewall, switch, VLAN, and routing rules allow the virtual IP address to be reached by clients.
- Use quotes for values that contain spaces.
Workflow
- Open System Settings.
- Choose HA Settings and Role.
- Review Enable, Cluster Name, Device HA Role, Unique HA Cluster ID, Priority, and HA Handshaking Password.
- In Virtual IP Settings, set Port, HA Port Private IP Address, Netmask, and Virtual IP Address.
- Click Apply HA Settings....
- Repeat the configuration on the peer unit with the appropriate role, priority, and private IP address.
- Verify the saved settings with
show system ha.
Expected Behavior
The workflow displays the current HA settings and applies selected changes to the saved HA configuration.
When Enable is disabled, the HA runtime service is stopped and the saved
configuration is retained. You can also update the HA fields while Enable
is disabled; this stages the saved cluster, role, port, private address, and
virtual IP values without starting keepalived or taking ownership of the
virtual IP. When Enable is enabled, the appliance generates the keepalived
runtime configuration and starts the transient ICN.HA service for the static
virtual IP entries.
The unit with the active role and higher priority should become master for the configured virtual IP. If the active unit is unavailable, the standby peer can take over the virtual IP according to the HA protocol state.
In The Web UI
Review HA Settings
- Open System Settings.
- Choose HA Settings and Role. The workflow opens as High Availability Settings.
- Review Enable, Cluster Name, Device HA Role, Unique HA Cluster ID, Priority, HA Handshaking Password, and Virtual IP Settings.
- Apply no changes if you only need to inspect the current settings.
Configure HA On The Preferred Active Unit
- Set Enable.
- Enter Cluster Name.
- Set Device HA Role to Active.
- Enter Unique HA Cluster ID.
- Set Priority higher than the standby peer.
- Enter HA Handshaking Password.
- In Virtual IP Settings, select Port.
- Enter HA Port Private IP Address, Netmask, and Virtual IP Address.
- Click Apply HA Settings....
- Verify the saved settings with
show system ha.
Configure HA On The Standby Unit
- Set Enable.
- Use the same Cluster Name, Unique HA Cluster ID, HA Handshaking Password, and Virtual IP Address as the active unit.
- Set Device HA Role to Standby.
- Set Priority lower than the preferred active unit.
- Enter the standby unit's own HA Port Private IP Address.
- Click Apply HA Settings....
- Verify the saved settings with
show system ha.
Check From The CLI
Use either command below to display the current HA settings:
config system ha
show system ha
The config form without additional fields is display-only. It does not modify
the configuration.
Show one field:
show system ha enable
show system ha ha_port
show system ha virtual_ip
CLI Help Reference
Display the HA fields:
config system ha ?
Expected fields:
<Enter> - Display current settings
enable - Enable HA
name - Cluster name
device_role - Role of the unit in a HA pair, either Active or Standby
cluster_id - HA cluster identifier, the same between active and standby unit
device_priority - Priority of this unit, larger number has higher priority
ha_handshake_password - HA password (8 letters max) used to do HA handshaking
ha_port - Port
private_ip - Port IP address
private_netmask - Port netmask
virtual_ip - Port virtual IP address
Display value choices for the role and port:
config system ha device_role ?
config system ha ha_port ?
The available HA ports depend on the appliance model. On FlowDirector-12K, the
HA port list is limited to eth0.
Change From The CLI
Enable HA on the preferred active unit:
config system ha enable true name flowdirector device_role active cluster_id 100 device_priority 120 ha_handshake_password HASecret ha_port eth0 private_ip 10.1.1.2 private_netmask 255.255.255.0 virtual_ip 10.1.1.100
Enable HA on the standby unit:
config system ha enable true name flowdirector device_role standby cluster_id 100 device_priority 100 ha_handshake_password HASecret ha_port eth0 private_ip 10.1.1.3 private_netmask 255.255.255.0 virtual_ip 10.1.1.100
Change only the device priority:
config system ha device_priority 110
Stage HA values while keeping HA disabled:
config system ha enable false name flowdirector device_role standby cluster_id 100 device_priority 100 ha_handshake_password HASecret ha_port eth0 private_ip 10.1.1.3 private_netmask 255.255.255.0 virtual_ip 10.1.1.100
Disable HA while retaining saved settings:
config system ha enable false
Field Reference
| CLI Field | UI Field | Type Or Values | Notes |
|---|---|---|---|
enable |
Enable | Boolean | Enables or disables HA runtime service. |
name |
Cluster Name | String | Operator-facing cluster name. |
device_role |
Device HA Role | active or standby |
Preferred role of this unit in the HA pair. |
cluster_id |
Unique HA Cluster ID | Integer | VRRP cluster identifier; use the same value on both units. |
device_priority |
Priority (Larger number has higher priority) | Integer from 1 to 255 |
Higher value has higher preference for master role. |
ha_handshake_password |
HA Handshaking Password | Password string | Shared HA password; use the same value on both units. |
ha_port |
Port | HA-capable port | Interface used for the HA virtual IP. |
private_ip |
HA Port Private IP Address | IP address | Unit-specific address for the HA port. |
private_netmask |
Netmask | Netmask | Netmask for the HA port private address. |
virtual_ip |
Virtual IP Address | IP address | Shared address owned by the active unit and taken over by the standby. |
Confirmation And Rollback
Applying the workflow saves the HA configuration only after activation
succeeds. To roll back, reapply the previous values recorded from
show system ha.
To stop HA without deleting the saved role, cluster, and virtual IP values:
config system ha enable false
To return HA to service, reapply the saved values with enable true, or set
enable true after confirming the saved fields are correct.
Notes
- HA activation is backed by keepalived and a transient
ICN.HAservice. - The active and standby units must use the same
cluster_id,ha_handshake_password, andvirtual_ip. - Each unit should use a unique
private_ip. - The preferred active unit should use a higher
device_priority. - HA fields can be updated while
enableisfalse; the values are saved but the runtime HA service is not started. - Use
show system haafter applying changes to confirm the saved values. - Use operating system diagnostics, such as
systemctl status ICN.HA, only when troubleshooting runtime service state.
Troubleshooting
HA Command Reports A Service Failure
Review the workflow log and system service state. The HA workflow should start
the transient ICN.HA service when HA is enabled. If activation fails, verify
that keepalived is installed in the runtime and that the generated HA
configuration is valid.
Virtual IP Is Not Reachable
Verify enable, ha_port, private_ip, private_netmask, and virtual_ip.
Confirm that the virtual IP address is in the expected network, is not used by
another device, and is permitted by switch, VLAN, routing, firewall, and
management ACL rules.
Both Units Try To Become Active
Confirm that both units use the same cluster_id, ha_handshake_password, and
virtual_ip. Confirm that the HA ports can exchange HA protocol traffic and
that there is no network isolation between the peers.
The Standby Unit Does Not Take Over
Verify that HA is enabled on the standby unit, that it uses a lower but valid
device_priority, and that it can reach the HA network. Confirm that the
standby unit uses its own private_ip, not the active unit's private IP.
The HA Port Is Not Listed
Use config system ha ha_port ? to list available ports. Available ports are
model dependent. On FlowDirector-12K, eth0 is the HA port.
Related Tasks
Use Device Management Port Settings to configure the base management address. Use Device Management Access ACL to control which clients can reach management services. Use System Access Methods to configure HTTP, HTTPS, and SSH management access.