This article explains how a High Availability (HA) firewall pair should interact with each other and how to perform basic troubleshooting via logs.
Current HA Configuration:
Screenshot below shows a healthy HA environment with Primary NGFW status showing as Active and secondary NGFW status as Standby. Primary and secondary Stateful HA is licensed and settings are synchronized.
Export the current firewall settings by navigating to System | Settings and clicking the export settings button. The exported settings will be needed later in this article when replacing the Primary SonicWall NGFW.
HA Mode is Active / Standby as shown in the screenshot below:
Screenshot below shows the Primary and secondary Serial numbers; only the last three characters are shown:
Screenshot below shows the HA Control and Data Interfaces:
HA Association: Screenshot below shows existing HA association on MySonicWall portal:
The Primary SonicWall NGFW is showing as NONE (see screenshot below) and needs to be replaced with a new SonicWall NGFW; at present only the secondary SonicWall NGFW is active. This scenario is used to demonstrate how to replace a Primary SonicWall NGFW in an existing HA pair as a result of an RMA procedure.
NOTE: Before starting the replacement procedure, plan a maintenance window and notify the affected parties about the service disruption and expected duration. Replacement of the primary shouldn't take more than a few minutes while the new appliance takes over control, and both NGFWs may reboot after the new appliance has been introduced into the HA.
Replacement of Primary SonicWall NGFW:
Disable HA on Secondary Active NGFW: In order to replace the Primary Firewall, disable the HA on the currently active (Secondary) SonicWall NGFW, as shown in the screenshots below, and remove the existing Primary SonicWall NGFW and HA control and data link cables.
HA has now been disabled on the Secondary SonicWall NGFW, and all HA related links show a status of none, see screenshot below:
Prepare New Primary NGFW: unpack, power up, and prepare the new Primary SonicWall NGFW by uploading the same firmware and then registering it with the License manager via an active Internet connection.
NOTE: Connect the new primary SonicWall NGFW with an Internet connection by configuring one of its WAN interfaces and accessing it via MGMT interface by connecting a PC/Laptop (with static IP: 192.168.1.251/24) directly to its MGMT (management) interface using an Ethernet Patch cable.
Log in to the new NGFW management interface by typing 192.168.1.254 in the web browser on the PC being used, and upload the same Firmware on the new Primary SonicWall NGFW, as shown in the screenshot below:
To upload Firmware: Download it from MySonicWall web portal and click here to read about how to upload a Firmware.
Register New Primary NGFW: Register the new Primary NGFW by clicking the register link on the right hand side of the System > Status page. Once redirected to the license management page, enter the MySonicWall username and password of the account where the existing NGFW was registered, as shown in the screenshots below:
Screenshot below shows that the new Primary SonicWall NGFW has now been registered with License manager and at this point it will have all the services transferred from existing Primary SonicWall NGFW as a result of RMA.
Screenshot below shows the license information of the new NGFW after it has been successfully registered. Check the license information, which should include all the licenses that were present on the previous Primary NGFW:
Logon to MySonicWall: Log in to the MySonicWall web portal and check the new Primary SonicWall NGFW HA associations after successfully registering the New NGFW in the previous step.
NOTE: Please allow some time for the device status to show green, as it could take a while for the active Green icon to be displayed next to Trusted, as shown below:
Check HA association:
Screenshot below shows that searching for the old Primary NGFW by its Serial number didn't return any results under products on the MySonicWall web portal, because its services have been transferred to the new Primary NGFW and the old NGFW has been de-registered:
Search for the new NGFW serial number on the MySonicWall web portal and check its HA associations. Screenshot below shows the new Primary NGFW listed under Products on the MySonicWall web portal:
Click on the new NGFW serial number, indicated by the arrow above, then scroll down to the Associated section and click on the HA Secondary to confirm the HA association, as shown below:
NOTE: If the HA association is not showing correctly, remove the existing association and create a new association; click here for more information about creating HA associations. In the above case the association was also updated as a result of the RMA service transfer. Once the association has been checked on the MySonicWall web portal and is showing the correct NGFW serial numbers, proceed to the next step. If the HA association is not updating, please contact Support for further assistance.
Import Settings on New Primary NGFW and verify serial numbers and HA configuration:
Log back into the new Primary NGFW via its MGMT interface and import the preferences which were exported from the Primary Active firewall at the start of this article. For example, the screenshot below shows preferences being imported into the new firewall:
After the new NGFW has rebooted successfully with the HA preferences, navigate to High Availability as shown below:
NOTE: This Firewall is currently active and secondary status is none because this firewall is not yet placed in the HA.
Navigate to High Availability | Settings | and click on General Tab to confirm the HA Mode settings, as shown below:
Navigate to High Availability | Settings | and click on HA Devices tab to confirm the serial numbers of HA Devices, as shown below:
Navigate to High Availability | Settings | and click on HA Interfaces tab to confirm the HA interfaces, as shown below:
CAUTION: After importing the settings, the HA configuration shouldn't require any manual change unless changes were made after exporting the settings. It is recommended to connect the HA primary and secondary NGFWs with Serial cables and save their console outputs in separate files for further analysis in the event of an unforeseen incident.
Place New Primary NGFW in the HA: This new Primary NGFW is now ready to be moved into the HA by connecting its Interfaces per the HA setup. Once this appliance, which is currently showing as Primary active, is moved into the HA, it will recognize the Secondary unit on which HA was disabled under Step 1 above, sync up with the secondary NGFW, and should take control of the HA as the active Firewall.
CAUTION: There will be a disruption while the new NGFW takes control, and this could trigger reboots on both HA devices, so please plan downtime accordingly. The new NGFW has now been moved into the HA; it is syncing with the secondary NGFW and showing an Active Up Time of 0 Days 00:10:39, and the HA interfaces are connected, as shown below:
The screen below shows Active Up Time 0 Days 00:12:31 and a healthy HA environment, so in the lab it took approximately less than 2 minutes for the Primary NGFW device to take control and stabilize the HA; this could be different in an actual production environment. Check all the related license information and HA interfaces on the HA status as shown below:
The new Primary SonicWall NGFW has now been replaced successfully and is showing its status as Active in the HA. The console outputs below show the HA activity during the New Primary replacement described above:
Primary Console Output:
04/28 01:34:57.064: HA Primary [A] : Got found peer during active state
04/28 01:34:57.064: HA Primary [A] : Sending SHAP_CM_GET_LOGIN command
04/28 01:34:57.112: HA Primary [A] : Got SHAP_CM_GET_LOGIN ACK
04/28 01:34:57.112: HA Primary [A] : Synced GET_LOGIN data
04/28 01:34:57.240: HA Primary [A] : Stateful Synchronization ready
04/28 01:34:57.240: HA Primary [A] : Starting Stateful Synchronization
04/28 01:34:57.912: HA Primary [A] : Completed Stateful Synchronization
Secondary Console Output:
04/28 01:34:55.240: HA Secondary [I] : Peer is already Active [while in SHA Election state]
04/28 01:34:55.240: HA Secondary [I] : Firewall has become Standby
04/28 01:34:56.240: HA Secondary [I] : In STANDBY state - Peer was in NONE state
04/28 01:34:56.256: HA Secondary [I] : Got Find peer during idle state
04/28 01:34:56.288: HA Secondary [I] : Got SHAP_CM_GET_LOGIN during STANDBY state
04/28 01:34:56.288: HA Secondary [I] : Sending SHAP_CM_GET_LOGIN ACK
04/28 01:34:56.336: HA Secondary [I] : Flushing Stateful Synchronization information
NOTE: The above logs show only the final stages of HA activity; earlier entries have been truncated.
Log in to the backup NGFW using its backup management IP and check its HA status, as shown below:
This concludes the replacement of a Primary SonicWall NGFW in an HA pair.
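The article recommends saving each unit's console output to a file for later analysis. The following is an added example, not SonicWall code, that parses such a capture and reports which HA messages never appeared. The milestone list and the names `parse`, `missing_milestones` and `TRUNCATED` are assumptions drawn only from the log lines shown above.

```python
import re

# Line shape in the console output above:
#   "MM/DD HH:MM:SS.mmm: HA <role> [<flag>] : <message>"
LINE_RE = re.compile(r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}): "
                     r"HA (?P<role>Primary|Secondary) \[(?P<flag>\w)\] : (?P<msg>.+)$")

# Assumption: these messages, all taken from the article's output, are treated
# as the milestones of a healthy rejoin. This is not a vendor specification.
MILESTONES = {
    "Primary": ["Got SHAP_CM_GET_LOGIN ACK", "Starting Stateful Synchronization",
                "Completed Stateful Synchronization"],
    "Secondary": ["Firewall has become Standby", "Sending SHAP_CM_GET_LOGIN ACK"],
}

def parse(text):
    """Split a saved console capture into parsed events and unparsed lines."""
    events, rejects = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            rejects.append(line)
    return events, rejects

def missing_milestones(events, role):
    """Milestones for `role` that are absent or appear out of order."""
    msgs = [e["msg"] for e in events if e["role"] == role]
    missing, pos = [], 0
    for want in MILESTONES[role]:
        if want in msgs[pos:]:
            pos = msgs.index(want, pos) + 1
        else:
            missing.append(want)
    return missing

# Constructed sample: Primary lines from the article, cut off before the
# "Completed Stateful Synchronization" entry to show an incomplete rejoin.
TRUNCATED = """\
04/28 01:34:57.112: HA Primary [A] : Got SHAP_CM_GET_LOGIN ACK
04/28 01:34:57.112: HA Primary [A] : Synced GET_LOGIN data
04/28 01:34:57.240: HA Primary [A] : Starting Stateful Synchronization
"""

if __name__ == "__main__":
    events, rejects = parse(TRUNCATED)
    print("unparsed lines:", rejects)
    print("missing on Primary:", missing_milestones(events, "Primary"))
```

Run it against the Primary and Secondary capture files separately; any unparsed lines are returned rather than dropped, so other console output in the capture can still be reviewed.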