This article explains how to configure Sockets in a High Availability (HA) active/passive configuration for a site. We recommend that you read What is Socket High Availability (HA) before you implement a Socket HA deployment.
For more about using Socket HA with Alt. WAN links, see Integrating Cato with Alternative WAN Network.
- Each Socket must have a unique IP address
- We recommend that both Sockets are running the same major Socket OS version (for example 14.1.13986 and 14.0.12764)
For more about adding a Socket to a site, see Using the Cato Management Application to Add Sites.
To enable High Availability at a new site:
- Connect the first Cato Socket.
- In the Cato Management Application, verify that the Cato Socket has been detected and associate it to the required site.
- Continue with the following procedure.
To enable High Availability at an existing site:
- Connect the backup Cato Socket.
- Make sure there is Ethernet connectivity between the LAN1 ports of both Cato Sockets.
- In the Cato Management Application, verify that the backup Cato Socket has been detected and assign it to the relevant site.
- The Cato Management Application automatically identifies that the selected site already has a Cato Socket connected to it. It then designates the second Cato Socket as the backup for High-Availability mode.
You can change the VRID and the management IP addresses for the HA sockets.
The High Availability section shows you the following information about the Sockets:
- Serial number (S/N)
- Socket version
- Management IP address for the Socket WebUI
- Option to open Socket WebUI with SSO
- High Availability Status - overall HA status for the site (see below for status description)
- Which Socket is the master (currently active)
- The connectivity status for each Socket to the Cato Cloud
- VRID number (see Changing the VRID below)
Item | Description |
---|---|
Status | The HA status for the site (Ready or Not Ready). It shows Ready only when each HA status indicator is OK |
Connected | The green icon indicates that both Sockets have WAN connectivity to the Cato Cloud |
Keepalive | The green icon indicates that one Socket is the primary and one is the secondary (if both Sockets have primary status, then there is an HA split-brain issue) |
Compatible Version | The green icon indicates that both Sockets are running compatible (the same major) Socket versions, for example 14.1.13986 and 14.0.12764 |
The High Availability Configurations section lets you configure the management IP address that you can use to open the browser-based Socket WebUI for each Socket. In addition, with one click you can open the login page for the Socket WebUI in a new tab.
Notes:
- The management IP address must be within the native range for one of the LAN links.
- The secondary Socket's management IP address is only accessible from the LAN native range.
- If you unassign the primary or secondary Socket from the site, the Sockets are assigned new management IP addresses.
- By default, Cato assigns the last two IP addresses in the Native Range as the management IPs for each Socket. If these management IPs are within the DHCP range, then the DHCP range is automatically updated so that the management IPs are not included in the DHCP range, and remain the last two IP addresses in the native range.
To change the management IP address:
- From the navigation menu, select Network > Sites, and select the site.
- From the navigation menu, select Site Configuration > Socket.
- Expand the High Availability Configurations section, and enter the new Primary Management IP address for the Socket that is used for the Socket WebUI.
- Repeat the previous step for the Secondary Management IP address.
- Click Save.
To open the Socket WebUI, from the Actions drop-down menu for a Socket, select Socket WebUI. The Socket WebUI opens in a new browser tab and automatically logs in. For more information see I.
Sockets use VRRP messages (following RFC 5798) to detect when the primary Socket has failed and when it is functional again.
VRRP messages have an ID that enables other network entities in the same network to identify VRRP messages that are applicable for them. By default, Cato Networks uses VRID 100.
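The Keepalive indicator flags the case where both Sockets are primary, and the VRID is what separates one VRRP group from another on the same LAN. As an added example (not Cato's code), the following Python parses RFC 5798 advertisements taken from a LAN capture and reports any VRID with two simultaneous masters, which is either split brain or another device reusing the VRID. It assumes IPv4 and that the capture is already reduced to (timestamp, source IP, VRRP payload) tuples; the addresses, priorities and 3-second window are constructed sample values.

```python
import struct
from collections import defaultdict

VRRP3_ADVERT = 0x31  # version 3 in the high nibble, type 1 (ADVERTISEMENT) in the low

def parse_vrrp3(payload: bytes) -> dict:
    """Parse a VRRPv3 advertisement (RFC 5798 section 5.1); checksum is not verified."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, adver, _cksum = struct.unpack("!BBBBHH", payload[:8])
    if ver_type != VRRP3_ADVERT:
        raise ValueError(f"not a VRRPv3 advertisement: 0x{ver_type:02x}")
    if len(payload) < 8 + 4 * count:
        raise ValueError("address list shorter than Count IPvX Addr")
    addrs = [".".join(map(str, payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int_cs": adver & 0x0FFF, "addrs": addrs}

def find_dual_masters(captures, window_s=3.0):
    """captures: (timestamp_s, source_ip, vrrp_payload) tuples.
    Only the current master advertises, so two sources seen for one VRID inside
    window_s means two masters. Returns {vrid: [source_ip, ...]} for those VRIDs."""
    last_seen = defaultdict(dict)  # vrid -> {source_ip: time of last advert}
    conflicts = {}
    for ts, src, payload in sorted(captures, key=lambda c: c[0]):
        try:
            adv = parse_vrrp3(payload)
        except ValueError:
            continue  # not VRRPv3 or malformed: ignore
        seen = last_seen[adv["vrid"]]
        if adv["priority"] == 0:  # priority 0: master announces it is stepping down
            seen.pop(src, None)
            continue
        seen[src] = ts
        active = sorted(s for s, t in seen.items() if ts - t <= window_s)
        if len(active) > 1:
            conflicts[adv["vrid"]] = active
    return conflicts

def build_advert(vrid, priority, vip):
    """Constructed sample advert: one IPv4 address, 1 s interval, checksum left zero."""
    header = struct.pack("!BBBBHH", VRRP3_ADVERT, vrid, priority, 1, 100, 0)
    return header + bytes(map(int, vip.split(".")))

# Constructed captures; VRID 100 is the default named on this page, the rest is sample data.
HEALTHY = [(t, "10.0.0.253", build_advert(100, 100, "10.0.0.1")) for t in (0.0, 1.0, 2.0)]
SPLIT_BRAIN = HEALTHY + [(0.5, "10.0.0.254", build_advert(100, 90, "10.0.0.1"))]
FAILOVER = [(t, ip, build_advert(100, p, "10.0.0.1")) for t, ip, p in
            ((0.0, "10.0.0.253", 100), (1.0, "10.0.0.253", 0), (1.2, "10.0.0.254", 90))]
```

A clean failover, where the old master sends priority 0 or simply goes quiet for longer than the window, is not reported; only overlapping advertisers are.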
By default, the LAN port with the lowest number is used both for the HA keepalive traffic and for the user traffic. The remaining LAN ports carry only the user traffic.
You can choose any LAN port for the HA keepalive traffic by changing the port Destination from LAN to LAN & VRRP. The following screenshot shows port 3 for LAN user traffic and port 4 for the HA keepalive traffic and for the user traffic.
You can only define one LAN port with the Destination as LAN & VRRP.
To change which LAN port is used for HA keepalive traffic:
- From the navigation menu, select Network > Sites, and select the site.
- From the navigation menu, select Site Configuration > Socket.
- Select the LAN port that is currently being used for the HA keepalive traffic. The Edit Socket Interface panel opens.
- In the Destination drop-down menu, select LAN, and then click Apply.
- Select the new LAN port for the HA keepalive traffic.
- In the Destination drop-down menu, select LAN & VRRP, and then click Apply.
- Click Save. The new LAN port is used for the HA keepalive traffic and user traffic.