You can change the role of the MOVEit WAF unit by setting the HA Mode. If the HA Mode is set to HA (First) Mode or HA (Second) Mode, a prompt appears reminding you to add a shared IP address. Changing the HA Mode requires a reboot. After the details are set, click Reboot. Once the MOVEit WAF unit has rebooted, the HA Parameters menu option is available in the System Configuration section provided the role is not Non HA Mode. Configuring both units in the same HA Mode, for example, HA (First) Mode and HA (First) Mode, results in severe operational problems because not only will both units be active, but both units also try to use the same IP address.

When logging in to the HA pair, use the shared IP address to view and set the full functionality of the pair, apart from passwords and licensing. Logging in to the direct IP address of either one of the devices displays different menu options (see menus below). Logging into one of the MOVEit WAF units directly is usually reserved for maintenance.

When MOVEit WAF is in HA mode, the following screen appears when the HA Parameters menu option is selected:

Note: After initial configuration, the HA parameters should not be modified unless both units in the HA pair are available and operating properly (if they are both showing green icons at the top of the WUI, with one MOVEit WAF unit in active mode and the other in standby).

HA Status

At the top of the screen (next to the time) icons denote the real-time status of the MOVEit WAF units in the pair. There is an icon for each unit in the pair. This status is maintained using an automatic ping between the units.

Clicking these icons opens the management interface of the relevant HA partner.

The possible icons are:

Green (with ‘A’)

The unit is online and operational and the HA units are correctly paired.

The A in the middle of the square indicates that this is the active unit.

Green (without ‘A’)

The unit is online and operational and the HA units are correctly paired.

The absence of an ‘A’ in the middle of the square indicates that this is not the active unit (standby).

Red/Yellow

The partner unit is unreachable or turned off. It may be offline or misconfigured. The unit is not ready to take over. It may be offline or incorrectly paired.

Blue

When the unit reboots more than three times in 5 minutes it enters a pacified state. In this state, the machine is only accessible using the direct machine WUI (not the shared WUI) and it is not participating in any HA activity. Therefore, no changes from the active unit are received and it does not take over if the active unit fails. To remove the unit from the pacified state, fix the root cause of the health check failures, log in to the pacified MOVEit WAF unit through SSH or the console and reboot.

If a unit continuously reverts to a pacified state, check the network to see if CARP is being blocked.

Gray

The machine is in an indeterminate state and may require a reboot to return to operation. A gray box often means the unit has not been set up in HA mode correctly. A gray box also appears for a few seconds during the initial HA configuration.

In some cases, it may mean both machines are active, that is, both are set to active, and something has gone seriously wrong.

Question marks

The HA status is updating.

Both green (left box with 'A')

Both units are up, unit 1 is active (A) and unit 2 is standby.

Both green (right box with 'A')

Both units are up, unit 1 is standby and unit 2 is active (A).

Left box green, right box red/yellow

Unit 1 is up and currently active (A). Unit 1 cannot reach unit 2, or unit 2 is turned off.

Left box red/yellow, right box green

Unit 2 is up and currently active (A). Unit 2 cannot reach unit 1, or unit 1 is turned off.

Left box gray, right box red/yellow

HA setup is not complete on unit 1.

Left box red/yellow, right box gray

HA setup is not complete on unit 2.

No HA icons

If the HA status squares are not appearing in the WUI, it probably means that HA is not enabled. Go to System Administration and select the HA option. Ensure the HA Mode is set to either First or Second.

In HA mode, each MOVEit WAF unit has its own IP address that is used only for diagnostic purposes directly on the unit. The HA pair has a shared IP address over which the WUI is used to configure and manage the pair as a single entity.

Note: There are a number of prerequisites that must be in place for HA to function correctly. Refer to the Prerequisites section for a list of these prerequisites.

HA Mode

If using a single MOVEit WAF unit, select NonHA Mode. When setting up HA mode, one MOVEit WAF unit must be set to HA (First) Mode and the other HA (Second) Mode. HA does not operate if both units have the same HA Mode.

HA Timeout

CARP requests are sent every second from the active unit. The value selected in the HA Timeout drop-down list is the time that the active machine must be unavailable before a switchover occurs. With this option, the time it takes an HA pair to detect a failure can be adjusted from 3 seconds to 15 seconds in 3-second increments. The default value is 9 seconds. A lower value detects failures sooner, whereas a higher value prevents HA from failing over too soon if there is a delay when receiving CARP.

To set this option, follow the steps below:

  1. Select System Configuration > HA Parameters.
  2. Select the preferred value in the HA Timeout drop-down list.
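
The trade-off described above can be checked against observed CARP arrival times before choosing a value. The following is an added example, not part of the product or its documentation: the arrival times are constructed, and the model assumes the standby switches over once no CARP packet has arrived for the full HA Timeout while the active unit was in fact healthy.

```python
# Values offered by the HA Timeout drop-down list (seconds), per the text above.
ALLOWED_TIMEOUTS = (3, 6, 9, 12, 15)
DEFAULT_TIMEOUT = 9

# Constructed sample: arrival times (seconds) of CARP packets seen by the
# standby unit while the active unit was healthy. Two network delays occur.
SAMPLE_ARRIVALS = [0.0, 1.0, 2.0, 3.1, 4.0, 8.4, 9.4, 10.4, 11.5,
                   18.9, 19.9, 20.9, 21.9]


def silent_gaps(arrivals):
    """Return the time between consecutive CARP arrivals, in seconds."""
    ordered = sorted(arrivals)
    return [round(later - earlier, 3)
            for earlier, later in zip(ordered, ordered[1:])]


def spurious_failovers(arrivals, timeout):
    """Count gaps long enough to trigger a switchover at this HA Timeout.

    Assumption: a switchover happens when the silence lasts at least
    `timeout` seconds.
    """
    if timeout not in ALLOWED_TIMEOUTS:
        raise ValueError(f"HA Timeout must be one of {ALLOWED_TIMEOUTS}")
    return sum(1 for gap in silent_gaps(arrivals) if gap >= timeout)


def smallest_safe_timeout(arrivals):
    """Lowest allowed HA Timeout that rides out every observed delay."""
    for timeout in ALLOWED_TIMEOUTS:
        if spurious_failovers(arrivals, timeout) == 0:
            return timeout
    return None  # even 15 seconds would have failed over: fix the network


if __name__ == "__main__":
    for timeout in ALLOWED_TIMEOUTS:
        count = spurious_failovers(SAMPLE_ARRIVALS, timeout)
        print(f"HA Timeout {timeout:>2}s: {count} unnecessary switchover(s)")
    print("Smallest safe value:", smallest_safe_timeout(SAMPLE_ARRIVALS))
```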

HA Initial Wait Time

The HA Initial Wait Time is the length of time after the initial boot of a MOVEit WAF unit, before the machine decides that it should become active. If the partner machine is running, this value is ignored. You can change this value to mitigate the time taken for some intelligent switches to detect that the MOVEit WAF unit has started and to bring up the link.

HA Virtual ID

When using multiple HA MOVEit WAF pairs (or other devices using CARP-like protocols) on the same network, this value uniquely identifies each HA pair so that there are no potential unwanted interactions.

We highly recommend using a higher value than 10 because any other HA pair using the same ID could interfere with HA operations.

MOVEit WAF selects a virtual ID based on the shared IP address of the first configured interface (the last eight bits). It is selected and displayed once both the shared address and the partner address are set. You can change the value to whatever you want (in the range 1 – 255) or you can keep it at the value it already selected. Ensure the virtual ID is unique on each MOVEit WAF unit on the network.

You can find the HA Virtual ID in the MOVEit WAF WUI by going to System Configuration > HA Parameters.
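
Because the default virtual ID comes from the last eight bits of the shared IP address, pairs on different subnets can end up with the same ID. The following is an added example, not product code, that derives the default IDs for a planned set of HA pairs and flags collisions, values of 10 or lower, and values outside 1 to 255. The pair names and addresses are constructed, and how the unit itself handles a final octet of 0 is not stated on this page, so the script only reports it.

```python
import ipaddress
from collections import defaultdict

# Constructed sample plan: HA pair name -> shared IP address of the first
# configured interface. Names and addresses are hypothetical.
PLANNED_PAIRS = {
    "waf-dmz": "10.20.1.50",
    "waf-internal": "10.20.2.50",   # same last octet as waf-dmz
    "waf-lab": "192.168.7.8",       # last octet not higher than 10
    "waf-edge": "10.20.3.0",        # last octet 0 is outside 1-255
}


def default_virtual_id(shared_ip):
    """Last eight bits of the shared IPv4 address, as described above."""
    return int(ipaddress.IPv4Address(shared_ip)) & 0xFF


def audit_virtual_ids(pairs, overrides=None, recommended_floor=10):
    """Return (ids, findings) for a set of HA pairs sharing one network.

    `overrides` maps a pair name to a manually chosen virtual ID.
    Findings are (kind, virtual_id, pair_names) tuples, sorted by ID.
    """
    overrides = overrides or {}
    ids = {name: overrides.get(name, default_virtual_id(ip))
           for name, ip in pairs.items()}
    by_id = defaultdict(list)
    for name, vid in ids.items():
        by_id[vid].append(name)

    findings = []
    for vid, names in sorted(by_id.items()):
        if not 1 <= vid <= 255:
            findings.append(("out-of-range", vid, sorted(names)))
        elif vid <= recommended_floor:
            findings.append(("low-id", vid, sorted(names)))
        if len(names) > 1:
            findings.append(("collision", vid, sorted(names)))
    return ids, findings


if __name__ == "__main__":
    ids, findings = audit_virtual_ids(PLANNED_PAIRS)
    for kind, vid, names in findings:
        print(f"{kind}: virtual ID {vid} -> {', '.join(names)}")
```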

Use Broadcast IP address

By default, MOVEit WAF uses an IP multicast address (224.0.0.18) when sending CARP packets. Enabling this option forces the use of the IP broadcast address (255.255.255.255) instead.

Switch to Preferred Server

By default, neither partner in an HA pair has priority. When a machine restarts after a failover, the machine becomes the standby and stays in that state until it is forced to active. Specifying a preferred host means that when this machine restarts, it always tries to become active and the partner reverts to standby mode.

When set to Prefer First HA, if the MOVEit WAF unit fails over, the active reverts to HA1 when HA1 comes back online.

When set to Prefer Second HA, if the MOVEit WAF unit fails over, the active reverts to HA2 when HA2 comes back online.

When No Preferred Host is selected, if there is a failover on the MOVEit WAF unit, the unit that becomes active remains as active (failback does not happen).

To change this option, follow the steps below in the MOVEit WAF WUI:

  1. In the main menu, select Local Administration > HA Parameters.
  2. Select the relevant option from the Switch to Preferred Server drop-down list.

Note: Some connections may be dropped during the switchover if a preferred host is specified.

For normal operating conditions, we recommend selecting No Preferred Host.

HA Update Interface

The interface used to synchronize the entire HA configuration within the HA pair. Synchronization occurs every two minutes. The information is synchronized over SSH port 6973.

Hard Reboot on link Failure

When the Hard Reboot on link Failure check box is enabled, the MOVEit WAF unit configured in HA reboots if any configured interface loses connectivity with the network (that is, experiences a link failure). The reboot occurs regardless of the MOVEit WAF unit's HA status (Primary or Standby).

The Hard Reboot on link Failure check box is available in the System Configuration > HA Parameters screen when both of these are true:

  • High Availability (HA) is configured

  • The Switch to Preferred Server option is set to No Preferred Server.

    Note: The Hard Reboot on link Failure check box will be unavailable if you select a preferred server from the Switch to Preferred Server drop-down list.

You cannot have a preferred server if Hard Reboot on link Failure is enabled; if you did, it could lead to circular swapping between the active and standby MOVEit WAF units.

Force Partner Update

Immediately forces the configuration from the active to standby unit without waiting for a normal update. This option is only available if both units can see each other in an active/standby scenario.

Inter HA L4 TCP Connection Updates

When using L4 services, enabling the Inter HA L4 TCP Connection Updates option allows L4 connection information to be shared between the HA partners. If a failover occurs, the connection information will be available on the unit that assumes the active role. This option does not apply to L7 services.

Note: If you do not allow multicast on the specific interface, inter-HA updates will not work. If you must have inter-HA updates, ensure that you have a dedicated, multicast-enabled interface for this purpose.

Inter HA L7 Persistency Updates

When a failover occurs, all connections are dropped. Enabling the Inter HA L7 Persistency Updates option can help to send some traffic back to the same Real Server, but the connections are still dropped after a failover.

When using L7 services, enabling the Inter HA L7 Persistency Updates option allows L7 persistence information to be shared between the HA partners. If a failover occurs, the persistence information will be available on the unit that assumes the active role. This option does not apply to L4 services.

Note: Enabling this option can have a significant performance impact.

Note: If you do not allow multicast on the specific interface, inter-HA updates will not work. If you must have inter-HA updates, ensure that you have a dedicated, multicast-enabled interface for this purpose.

HA Multicast Interface

The network interface used for multicast traffic, which is used to synchronize Layer 4 and Layer 7 traffic when Inter HA Updates are enabled.

You can select the interface to send and receive inter-HA traffic from within the WUI of the shared IP address:

  1. In the main menu, select System Configuration > HA Parameters.
  2. The HA Update Interface setting is used for sending HA configuration updates using TCP/6973 between units. Modify it if needed.

If you have enabled L7 persistency updates or L4 TCP connection updates, an additional HA Multicast Interface option also becomes available.