Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Cloud Edge High Availability (HA) feature

    • Updated:
    • 17 Mar 2020
    • Product/Version:
    • Cloud Edge All
    • Platform:
Summary

With the new Cloud Edge High Availability feature, you can configure two registered gateways as an HA Group to provide high availability. If one gateway is down, then the other gateway will take over and ensure that the network traffic is not down. An HA Group can increase network traffic efficiency in addition to providing redundancy when a fatal error is encountered.

Details
Public

Below is an HA related configuration example:

 PrimarySecondary
VRRP Group: LAN1
Virtual IP: 172.16.1.1/25
LAN1: 172.16.1.2/25LAN1: 172.16.1.2/25
LAN1 DHCP: on
Gateway: 172.16.1.1
Range: 172.16.1.100-199
LAN1 DHCP: on
Gateway: 172.16.1.1
Range: 172.16.1.100-199
Heartbeat interfaceLAN2: 192.168.102.1/25LAN2: 192.168.102.2/25

Please follow these steps to access the network using HA:

  1. Configure client with DHCP to access network.
    1. Configure VRRP interface DHCP service on Cloud Edge Cloud Console or on-premise console.

       
      • The DHCP Server Gateway should be filled with virtual IP address.
      • When LAN1 is used as DHCP Server, you need to configure DHCP service on Primary and Secondary box respectively on-premise console. The LAN1 DHCP configurations should be the same as well.
       
    2. Configure client network settings to obtain IP address through DHCP.
  2. Configure client with Static IP address setting to access network.
    1. Configure client IP/mask in the same subnet with the VRRP interface.
    2. Configure client gateway with virtual IP address.

You can create an HA group from Cloud Edge Cloud Console. An HA group consists of two Cloud Edge gateways. The gateways can be registered or unregistered. A gateway can belong to only one HA Group.

Before creating an HA, ensure the following:

  • Gateways are deployed in routing mode.
  • Both gateways are the same hardware model. Currently, only CE50G2 supports HA function.
  • Both gateways have be same software version.
  • Timezone should be same.
  • System time error should be less than 5 minutes.

Please note that in the factory default configuration, all boxes have the same interface configurations. You need to change the interface settings before HA group construction.

 

Follow these steps to create HA:

  1. Configure the VRRP interfaces on both boxes. They should be in the same subnet.
  2. Configure the heartbeat interface of both boxes. They should be in the same subnet. Please note that only LAN2 and LAN3 are used for heartbeat interface.
  3. Connect an ethernet cable directly between the heartbeat interfaces for each gateway that will be a member of the HA group.You must use the same interface on each gateway (LAN2-to-LAN2 or LAN3-to-LAN3).
  4. Navigate to Gateway > High Availability Management.
  5. Click Create HA Group. The Create HA Group wizard opens.
  6. In the Create HA Group and Choose Operation Mode page, specify the following details:
    OptionsDescription
    HA group nameType a name to identify this HA group
    Operation modeCurrent only supports Active-Passive mode
    Authentication methodSelect one of the following: None/Simple
    EnableSelect one of the following: On/Off

  7. Click Next.
  8. In the Configure Primary Device page, configure settings for the Cloud Edge gateway that will be the primary gateway in the HA group.
    OptionsDescription
    Primary HA deviceSelect the gateway from the drop-down list that you want to designate as the HA primary gateway. Only devices that support an HA group configuration are listed.
    RoleA read-only field set to Primary, which is the role assigned to this gateway
    PriorityEnter a priority number for this gateway (1-253). Default is 253. The gateway with the higher the priority is active.
    Heartbeat interfaceSelect the L3 interface from the drop-down that Cloud Edge uses for communicating with the peer HA gateway. For Cloud Edge 50G2 gateway, only eth2 or eth3 can be selected as the heartbeat interface.
    Heartbeat interface IP/NetmaskIf not already configured, you must enter an IPv4 address and netmask for the heartbeat interface.

  9. Click Next.
  10. In the Configure Secondary Device page, configure settings for the Cloud Edge gateway that will be the secondary gateway in the HA group.
    OptionsDescription
    Secondary HA deviceSelect the gateway from the drop-down list that you want to designate as the HA primary gateway.
    Only devices that support an HA group configuration are listed.
    RoleA read-only field set to Secondary, which is the role assigned to this gateway
    PriorityEnter a priority number for this gateway (1-253). Default is 100.
    Heartbeat interfaceThe L3 interface is pre-selected from the drop-down and is the same interface selected for the primary HA device.
    Cloud Edge uses this interface for communicating with the peer HA gateway.
    Heartbeat interface IP/NetmaskIf not already configured, you must enter an IPv4 address and netmask for the heartbeat interface.
    It must be on the same subnet as the heartbeat IP address configured for the primary.

  11. Click Next.
  12. In the Configure Takeover When Failure Occurs page, configure settings for the Cloud Edge HA group when a failure happens and takeover occurs.
    OptionsDescription
    PreemptionSelect one of the following:
    • On (default): Primary gateway will return to active role after it recovers from a previous failure.
    • Off: Primary gateway does not automatically resume the active role after recovery from a failure.

    User must perform manual fail-over.

    Monitor interfaceSelect one or more interfaces to monitor. Cloud Edge monitors only physical interfaces.
    It is recommended to monitor all physical interfaces with traffic.
    Monitor IP/FQDNAt most two IP addresses or FQDNs can be used as monitor hosts.
    Takeover triggersYou must enter values for the following:
    • Heartbeat failure times: Indicates the number of heartbeat failures before the passive gateway takes over from the failed gateway (default is 3, range is 3-6)
    • Ping failure times: Indicates the number of ping failures before the passive gateway takes over from the failed gateway (default is 3, range is 3-6)

  13. In the Configure Virtual Router Redundancy Protocol (VRRP) Group page, add one or more VRRP groups.
    1. Click Add.
    2. Select an interface and enter the virtual IPv4 Address and netmask for the VRRP group.The interface can be either a L3 physical interface or a static L3 VLAN interface. Only both boxes are in registered state, then L3 VLAN interface can be selected.
    3. Save the VRRP group.

  14. Click Next. The summary page opens.

  15. Review the summary of the HA group settings.
  16. Click Save.
ActionsDescription

Update HA configurations. Note that HA group name, Primary HA device, Secondary HA device, Heartbeat interface, and Heartbeat interface IP/Netmask are not allowed to be edited.

Force trigger HA role switch. After performing this action, active switches to standby and standby switches to active.

Enable HA group. HA will start to work if you perform this action.

Disable HA group. HA will not work if you perform this action.

Tear down HA group and remove it from Cloud Edge Cloud Console.
 
After removing or disabling the HA group, the network will be down for the devices which access to network through HA. You need to reconfigure the network settings for those devices once removed or HA group disabled to ensure network access.
 

Follow these steps to manually update HA group firmware version:

  1. Navigate to Gateways > Gateway Management > (gateway name of any box in HA group) > Updates.
  2. Check the available firmware packages, and click Update.

After performing the update, the HA group will start firmware update process. The Standby will first update the firmware version then the Active will do update automatically.

In order to rollback the firmware version for HA group, you need to go to Cloud Edge on-premise console on both boxes, and manually rollback the firmware version of each box.

When replacing a gateway in HA group, please ensure the following:

  • The new Cloud Edge gateway should have same hardware model and software version with gateways in HA group.
  • The new Cloud Edge gateway should have same network configuration with the old gateway.

Follow these steps to perform the replacement:

  1. Move the Heartbeat interface ethernet cable from the old gateway to the new gateway.
  2. Go to CECC web console and navigate to Gateways. Select Replace.
  3. Specify the new Cloud Edge gateway serial number.
  4. Click Replace.
  5. Remove the old Cloud Edge gateway from the network.
  6. Add the new Cloud Edge gateway to the network.
Premium
Internal
Partner
Rating:
Category:
Configure
Solution Id:
000246709
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.