Configure High Availability for Airwall Gateways (v2.2-v2.2.5)

Before You Begin

Before you configure a High-availability (HA) pair, you must:

Have a Conductor installed
Configure and connect the physical or virtual v2.2 to v2.2.5 Airwall Gateways you wish to configure for high availability. You need two physical or two virtual Airwall Gateways. See Set up physical Airwall Gateways for more information.

Note: Cloud Airwall Gateways do not support HA at this time.

To create a high-availability Airwall Gateway pairing

To configure High-availability Airwall Gateways, you need to:

For virtual Airwall Gateways only – Add an ethernet port
Connect the Airwall Gateways
Pair the Airwall Gateways for High Availability
Make sure the Overlay Port Group settings match

These steps are described in more detail below.

1 For Virtual Airwall Gateways only – Add an ethernet port

For virtual Airwall Gateways, you need to add an ethernet port for the heartbeat the high-availability Airwall Gateways use to communicate status. See your Hypervisor help for instructions on adding a network port.

2 Connect the Airwall Gateways

You can configure a pair of physical or virtual Airwall Gateways as a high-availability pair.

Select the primary Airwall Gateway and select or add an HA Port Group
1. At the top right of the Ports tab, select Edit Settings.
2. Select an available HA Port Group, or, to create one, go to Ports and select an available port, and create an HA Port Group. The port group sets up a virtual connection between the Airwall Gateways you’re configuring as an HA pair. A virtual Airwall Gateway is expandable up to six (6) ports. You must configure one port for HA heartbeats with the HA role.
Repeat step 1 with the secondary Airwall Gateway.
If you are using physical Airwall Gateways, physically connect the primary to the secondary using an ethernet cable between the dedicated HA ethernet ports on both Airwall Gateways with an ethernet cable (so you have both a port and a physical connection between the two Airwall Gateways).
If you are using virtual Airwall Gateways, connect the port created above to each other in the virtual network. See your Hypervisor instruction.

Next, you will pair the Airwall Gateways.

3 Pair the Airwall Gateways for High Availability

Select the HA tab and click Edit Settings.
Under Select a high-availability backup Airwall Gateway, select the secondary Airwall Gateway.
Under IP address, enter an available IP address to act as the shared HA IP address for the High Availability pair (see note below). You may need to select a Primary port group as well.
Click Update Settings.
If you want to swap the primary Airwall Gateway with the secondary one, go to the HA tab, and by Role, select Swap Roles.

The shared High Availability (HA) IP address is a virtual IP address that moves between the primary and secondary Airwall Gateways, so that remote Airwall Gateways have a consistent destination IP address for their connections to the HA Pair. The shared HA IP address must be a static IP address assigned for this specific purpose.

4 Make sure the Overlay Port Group settings match

Check the Overlay Port Group of your primary Airwall Gateway for an IP address or any other configured settings (such as DHCP, source NAT, etc).
If there are settings there, copy them to the standby Airwall Gateway's Overlay Port group.

Test the High-Availability Pair

In either HA paired Airwall Gateway, on the HA tab under Status, notice the screens are trying to talk to each other. The primary status is OK (tunneling) and the secondary status is OK (monitoring).

You can also see that the Airwall Gateways are paired on the Dashboard.

Remove a High-Availability Pairing

You can remove an HA pairing from the primary Airwall Gateway.

In the primary Airwall Gateway, on the HA tab, click Edit Settings.
Click Remove HA pairing.

When an HA Pair is removed, the primary Airwall Gateway stays in the Overlay Network and the secondary Airwall Gateway is removed from the Overlay network.