How To Configure High Availability (HA) in

Cyberoam

How To Configure High Availability (HA) in Cyberoam

Applicable Version: 10.00 onwards

Overview
High Availability (HA) is a clustering technology which is used to maintain uninterrupted services in
the event of power, hardware or software failures. Cyberoam appliances can be configured in ActiveActive or Active-Passive HA modes. The Appliances - Primary and Auxiliary Appliance, are physically
connected over a dedicated HA link port.
In Active-Active mode, both Primary Appliance and Auxiliary Appliance process traffic while the
primary unit is in charge of balancing the traffic. Decision of load balancing is taken by the Primary
Appliance. Auxiliary Appliance can take over only in case of a primary unit failure.
In Active-Passive mode, only the Primary Appliance processes traffic while Auxiliary Appliance
remains in stand-by mode, ready to take over if the Primary Appliance failure occurs.
Note:
HA can also be configured when Cyberoam Appliances are deployed in Mixed Mode.

Scenario
Configure HA in Cyberoam.

Prerequisite

Both the appliances in the HA cluster i.e. Primary Appliance and Auxiliary Appliance should be of
the same model.
Both the member appliances must be registered
Both the appliances must have same number of interfaces (except Cyberoam XP Appliances in
which Flexi Ports are installed in one or both the appliances).
Both the appliances must have the same firmware version installed on it.

How To Configure High Availability (HA) in Cyberoam

Same subscription modules should be enabled on both the appliances.

Cables to all the monitored ports on both the appliances must be connected. It is recommended
to connect the dedicated HA link port of both the appliances with crossover cable.
On both the appliances, the Dedicated HA link port must be the member of DMZ zone only and
must have a unique IP Address.
Appliance Access over SSH on DMZ Zone should be enabled for both the appliances, refer Step
1.
DHCP, PPPoE, WWAN and WLAN configuration must be disabled before HA configuration. See
HA Behaviour for details.

Configuration
You must be logged on to the Web Admin Console as an administrator with Read-Write permission
for relevant feature(s).

Step 1: Enable SSH

Go to System > Administration > Appliance Access, under Admin Services, click to enable SSH
for DMZ zone.

Enable SSH on the peer appliance similarly.

Step 2: Configure HA (Primary Appliance)

Go to System > HA > HA and configure HA parameters as shown in the table below.
Parameter

Value

Description

HA Configuration Mode

Active-Active

Dedicated HA Link Port

PortC

Peer HA link IP

10.10.2.42

Peer Administration
Port

PortA

Select HA Configuration mode for

cluster.
Available Options:
Active-Active
Active-Passive
Select the port to be used as dedicated
HA link port. HA link port is the port of
the Auxiliary Appliance which is to be
used for HA.
Specify IP Address configured on the
HA link port of the peer appliance
Specify Administration Port for Auxiliary
or Peer Appliance.

How To Configure High Availability (HA) in Cyberoam

172.16.16.100

Specify Administration IP Address for

Auxiliary Appliance.

Peer Administration IP

Select Ports to be
monitored

PortA, PortB

With this IP Address, the Admin Console

of Auxiliary Appliance can be accessed.
Any user accessing Web Admin
Console of Auxiliary Appliance will be
logged in with HA Profile and have readonly rights.
Select the ports to be monitored.

Click Enable HA to complete the settings.

Note:
The appliance on which HA is configured becomes the Primary Appliance and the other appliance
becomes the Auxiliary Appliance. Once HA is established between the primary and auxiliary
appliance, all configuration of the Primary Appliance is synchronized with the Auxiliary Appliance and
no additional configuration is required.

Step 3: Verify HA
To check the status of HA, go to the Dashboard and locate the HA Details doclet.

How To Configure High Availability (HA) in Cyberoam

HA status can also be verified from the Cyberoam CLI console by following the steps mentioned
below:
1. Log on to Cyberoam CLI Console of the Primary Appliance using administrator credentials.
2. Select option 4. Cyberoam Console from the Main Menu list.
3. Execute the following command at the console prompt:
console > cyberoam ha show details

HA Behavior

DHCP, PPPoE, WWAN, WLAN High Availability (HA) cluster cannot be configured if any one of
the Interfaces is dynamically configured using DHCP and PPPoE protocols or WWAN or WLAN is
configured.

Session Failover is not possible for AV Scanned sessions or any other forwarded traffic like
ICMP, UDP, multicast and broadcast traffic, traffic passing through Proxy Subsystem transparent, direct and parent proxy traffic and VPN traffic.

Masqueraded Connections In case of the manual synchronization event from any of the HA
cluster Appliances, all the masqueraded connections will be dropped.

HA Load balancing An Active-Active HA cluster does not load-balance the VPN sessions,
UDP, ICMP, multicast and broadcast sessions and scanned FTP traffic. TCP traffic for Web
Admin Console or Telnet Console, H323 traffic sessions are also not load-balanced between the
cluster Appliances.

HA Load balancing An Active-Active HA cluster will load balance the normal Forwarded TCP
Traffic, NATed (both SNAT & Virtual Host) Forwarded TCP Traffic and TCP Traffic passing
through Proxy Subsystem: Transparent Proxy, Direct Proxy and Parent Proxy and VLAN Traffic.

HA can be disabled from either of the Appliance. If disabled from the Primary Appliance, HA will
be disabled on both the Appliance. If disabled from the Auxiliary Appliance, HA will not be
disabled on the Primary Appliance and Appliance will act as a stand-alone Appliance.

After disabling HA, the Primary Appliance IP schema will not change.

After disabling HA for Auxiliary Appliance, all the ports except the dedicated HA link port and Peer
Administration port will be disabled. The Peer HA Link IP will be assigned with IP address of the

How To Configure High Availability (HA) in Cyberoam

Dedicated HA Link Port while Peer Administration IP will be assigned with the IP Address of the
Peer Administration Port.

If HA is disabled from stand-alone machine, the IP schema will not change.

Super Administrator privileges are required to access the Auxiliary Appliance Web Admin Console
and therefore it can be accessed by admin user only. Live users/DHCP leases/IPSec live
connections pages will not be displayed.

After disabling HA in Auxiliary Appliance, all the administrative services HTTP, HTTPS, Telnet,
SSH are allowed for LAN zone while for DMZ zone, only HTTPS and SSH are allowed.

For the Auxiliary Appliance, Deployment Wizard will not be accessible.

Dedicated HA link port should be from any of the DMZ interface only. Make sure that the IP
Address of the HA link port of Primary and Auxiliary Appliances are in same subnet.

After enabling HA, if backup without HA configuration is restored then HA will be disabled and
Primary Appliance will be accessible as per the backup configuration while the Auxiliary Appliance
will be accessible with the Auxiliary Admin IP Address.

In Active-Active mode, mails will be quarantined separately on both the appliances as SMTP
Proxy traffic is load balanced in round robin manner.

In Active-Passive mode, mails will be quarantined on Primary Appliance only.

If Quarantine Digest is configured, both the appliances in the cluster will receive Quarantine
Digest.

Administrator can release quarantined mails of all the users from both the appliances.

User can release quarantined mails from My Account. My Account displays mails quarantined
only on Primary Appliance. Also, user can release them from the Quarantine Digest mailed from
the Primary Appliance.

HA is disabled on executing Deployment Wizard.

Document Version 1.0 13 September, 2014