High Availability
SonicOS 5.8.1 Administrator Guide
the newly-Active appliance keeps the dynamic routes it had previously learned in its route table.
During this time, the newly-Active appliance relearns the dynamic routes in the network. When
the Dynamic Route Hold-Down Time duration expires, it deletes the old routes and
implements the new routes it has learned from RIP or OSPF. The default value is 45 seconds.
In large or complex networks, a larger value may improve network stability during a failover.
Note: The Dynamic Route Hold-Down Time setting is displayed only when the Advanced
Routing option is selected on the Network > Routing page.
Step 16 Select the Include Certificates/Keys checkbox to have the appliances synchronize all
certificates and keys.
Step 17 You do not need to click Synchronize Settings at this time, because all settings will be
automatically synchronized to the Idle unit when you click Accept after completing HA
configuration. To synchronize all settings on the Active unit to the Idle unit immediately, click
Synchronize Settings. The Idle unit will reboot.
Step 18 Click Synchronize Firmware if you previously uploaded new firmware to your Primary unit
while the Backup unit was offline, and it is now online and ready to upgrade to the new firmware.
Synchronize Firmware is typically used after taking your Backup appliance offline while you
test a new firmware version on the Primary unit before upgrading both units to it.
Step 19 When finished with all High Availability configuration, click Accept. All settings will be
synchronized to the Idle unit automatically.
If you enabled Active/Active UTM, the Network > Interfaces page will show that the selected
interface for HA Data Interface now belongs to the HA Data-Link zone.
High Availability > Monitoring
On the High Availability > Monitoring page, you can configure both physical and logical
interface monitoring. By enabling physical interface monitoring, you enable link detection for
the designated HA interfaces. The link is sensed at the physical layer to determine link viability.
Logical monitoring involves configuring the SonicWALL to monitor a reliable device on one or
more of the connected networks. If the Active unit in the HA Pair fails to communicate
periodically with the device, a failover to the Idle unit is triggered. If neither unit in the
HA Pair can connect to the device, no action will be taken.
The Primary and Backup IP addresses configured on this page are used for multiple purposes:
• As independent management addresses for each unit (supported on all physical interfaces)
• To allow synchronization of licenses between the Idle unit and the SonicWALL licensing
server
• As the source IP addresses for the probe pings sent out during logical monitoring
Configuring unique management IP addresses for both units in the HA Pair allows you to log in
to each unit independently for management purposes. Note that non-management traffic is
ignored if it is sent to one of these IP addresses. The Primary and Backup SonicWALL security
appliances’ unique LAN IP addresses cannot act as an active gateway; all systems connected
to the internal LAN will need to use the virtual LAN IP address as their gateway.
The management IP address of the Backup/Idle unit is used to allow license synchronization
with the SonicWALL licensing server, which handles licensing on a per-appliance basis (not
per-HA Pair). Even if the Backup unit was already registered on MySonicWALL before creating
the HA association, you must use the link on the System > Licenses page to connect to the
SonicWALL server while accessing the Backup appliance through its management IP address.