Configuring 1+1 Backup by High Availability (HA)


#1

1+1 Backup requires a pair of Peplink Balance devices or MAX 700/HD, operating in active-standby mode. When the master device is down, the slave device takes over and handles all the LAN traffic.

Peplink Balance 210 or above, MAX 700/HD support High Availability (HA) failover between two Balance/MAX devices based on Virtual Router Redundancy Protocol (VRRP). Periodic VRRP advertisement packets are sent out from the master device to VRRP-specific IP multicast addresses. The slave device assumes the master device’s responsibilities when these messages have not been heard from for a pre-defined time interval.

Network Setup Example in NAT mode

Achieve Ultimate Network Uptime with Peplink Balance

In the above example, a HA Group 20 is assigned to the HA pair. The virtual IP address (VIP) 192.168.10.1 is the default gateway for all hosts sitting on the LAN segment, which means for those devices sitting behind the Balance, their default gateway should be set as the VIP. A unique HA group identifier is used for each HA pair subsequently set up on the same LAN. Balance devices have to be on the same subnet to support HA and the same HA group identifier must be used on the HA pair.

Additional Ethernet switches are required to separate each ISP connection so that Master and Slave Balance devices can both be connected. Separate Ethernet switches are recommended in order to prevent a single point of failure, which would otherwise defeat the purpose of the 1+1 backup concept.

In this example, Master Peplink unit will use 192.168.10.2 as its LAN IP, Slave Peplink unit will use 192.168.10.3 as its LAN IP. Both Master and Slave units use the same VIP 192.168.10.1. This VIP 192.168.10.1 will be the default gateway for all hosts sitting on the LAN segment.

HA for Master Configuration

  1. Go to Network> Misc. Settings > High Availability of the Master unit. Select Enable.
  2. Enter the following and then click Save:
  • Group Number: (use the same number for HA pair)
  • Preferred Role: (select master or slave)
  • Resume Master Role Upon Recovery: (check the box if you want the master unit recover its rule once it is recovered from the failure.)
  • Virtual IP: (select an unused IP)
  1. (Note: VIP and LAN Administration IP have to be from the same network.)
  2. Click Apply Changes to activate settings.

Network Configuration Example in NAT mode

HA for Slave Configuration – Configuration Sync.

When Configuration Sync. is enabled, the Slave unit will obtain and apply the configuration changes of the master unit every 5 minutes.

  1. Click and choose Slave as the Preferred Role.
  2. Check the box to enable the Configuration Sync. feature.
  3. Enter the serial number of the master unit.
  4. Before apply changes, it is required to change the LAN IP address and set it as a different one from Master unit. Go to Network > LAN of the Slave unit and change LAN IP address.
  5. Click Save and then Apply Changes to activate settings.
  6. Once the Configuration Sync succeeds, you will find the “successful” message in the event log of the slave unit.
    NOTE: Once the slave unit is configured to automatically sync configuration from master unit, the web admin of slave unit will be locked. Changes can only be made after you have disabled the Configuration Sync function.

HA for Slave Configuration – Manual
Alternatively, you may also configure the slave unit manually.

  1. Go to System > Configuration of the MASTER unit. Click Download under Download Active Configurationsand save the configuration file for the Slave unit.
  2. Go to System > Configuration of the SLAVE unit. Choose the configuration file exported in step 1 under theUpload Configurations from High Availability Pair and click Upload.
  3. Before applying changes, it is required to change the LAN IP address and set it as a different one from Master unit. Go to Network > LAN of the Slave unit and change LAN IP address.
  4. Go to Network > High Availability, change the Preferred Role of Slave Balance from Master to Slave.
  5. Click Save and then Apply Changes to activate settings.
    The failover takes place with a typical recovery time of 10-15 seconds. After the Slave unit changed its role to Master, all WAN connections will be re-established again.

NOTE:

Two Balance units should be connected to the Internet in the same mode. For example, they should be both in NAT mode or Drop-in mode.

In NAT mode, the VIP should be set as the default gateway for all hosts sitting on the LAN segment. For example, default gateway of a firewall sitting behind the Balance is needed to be set as the VIP.

Configuration for 1+1 Backup in Drop-in mode

In Drop-in mode, configuration is similar to in NAT mode. The only difference is that there are no other configuration of hosts in LAN segment needed to be set. Please refer to the following illustrations for the setup example.


Network Configuration Example in Drop-in mode

Slave Configuration Sync. Example in Drop-in mode


Peplink Balance 380 HA
Help me with my topology?
Balance Failover
Can set Speed Fusion VPN route Internet traffic and broadcast remote LAN network to OSPF?
Site to site VPN in front of firewall
Peplink load balancer Multiple WAN access
Help me with my topology?
What's the time of configuration synchronization between the matser and the slave units
Balance UI Deep Dive - Network Tab
#2

Hi, may I use 2 different devices in HA mode, like 3 WAN Balance 580 as master + 3 WAN Balance 310 as slave?


#3

Hi countryman:

No, the HA/VRRP pair does need to the the same model of Peplink.


#4

And what is about hardware version of same models? Should it also be the same?


#5

Hi countryman:

For best performance, yes.


#6

Do the models have to be the same if I manually keep the settings the same on each? We have a 305 (hw2) and a 580 and want to set up the 305 as a HA pair of the 580. I understand the auto configure of the slave would not work due to the model difference but can I manually configure the 305 to be a copy of the 580 (realizing every change I make to the 580 must be duplicated on the 305)?


#7

I would like the add a new peplink to my existing infra for high availability. On the existing peplink, there were already tunnels created with my different clients. The question is; if ever the the slave peplink is added, do I still need to coordinate with my clients to establish new tunnels from this back-up device?


#8

Peplink “Master” and “Slave” (active/passive) have same public IP address, hence no need to have separate IPSEC profile for the slave device.


#9

Hi,
I have 2 Peplink Balance 1350, HA with NAT mode. VIP IP 10.10.127.1
Here is master :10.10.127.2

and slave :10.10.127.3

When I turn off Master (10.10.127.2) , Slaver (10.10.127.3) come Master. It ok.
But when Slaver is Master , no tab to config or setting as below. So My question is in this case, how to change config ? (Old master 10.10.127.2 is turn off)


#10

When HA configuration sync is enabled, the configuration will be sync from master to slave. So you shouldn’t need to change any configuration for the slave device.

For your case, you can actually disable the configuration sync for the slave device. This should allow you to change setting for the slave device.


#11

Hi,

Can we adjust the interval of time for master check?
If we encounter sensible applications (banking mainly), we will need to make sure we are under their keep-alive timeout ( ~3* interval < keepalive) .

Kr,


#12

The 3 seconds is the tested value in most of the environments that should working fine for the slave unit become active. If the value is too low/sensitive it may cause false alarm for the fail-over.


#13

ok and what about priority ? Is it correct the slave is set at fix value of 200 ?


#15

H Sitloongs,
Thank for your help. I note that

but onething i confuse when you disable sync on Slaver ( now is Master ) and primary Master( who down before) up back again, what happen ?


#16

Can you provide detail info what you want to achieve here ?

Configuration sync is only a setting to control whether master configuration will be sync to slave and nothing related to the HA fail-over. If configuration sync is disabled, then you need to manage both devices configuration manually.


#17

Hi Sitloongs,

I see disable sync only appear on Slaver . Nothing confuse now…

Thank for your help.


#18

Are those additional switches required when both ISPs have at least 2 LAN ports?
We are planning to use one ISP with optical modem (2 LAN ports) and Balance 30 LTE as the second WAN. Should we still use switches between routers and WANs or can we plug them into ISP directly?

I have modified your graph a little. Let’s say that ISP2 is Balance 30 and HA pair is Balance 305:
33b29c5942ae4728258dc0698fcdaf6458f76be4


#19

Is there anyway in the GUI or CLI to make the slave active? I have had a few times now where the master has gone offline but slave is still reachable but does not take over active role. On other devices I would change the priority of the slave device so it takes over the role.


#20

@BrianS Please open a support ticket here for support team to check. This is not the expected behavior.

Please make sure you provide the following info in the support ticket to allow support team to further check.

  1. Diagnostic report for both Master and Slave devices - Possible please include the diagnostic report that downloaded when you found the issue.

  2. Simple physical connection diagram for the HA setup.

  3. RA is enabled for the devices.

Last but not least, if the device is running old firmware, please upgrade to latest firmware to avoid troubleshoot any old firmware related issue.


#21

Hi, I have a question regarding configuration on WAN interfaces and also inbound access services.
Do I need additional IP addresses? I mean the IP address on the WAN interface of the first box will be the same as or different from the WAN interface on the second box?