Establishing Management Center High Availability
Establishing high availability can take a significant amount of time, even several hours, depending on the bandwidth between the peers and the number of policies. It also depends on the number of devices registered to the active management center, which need to be synced to the standby management center. You can view the High Availability page to check the status of the high availability peers.
Before you begin
- Confirm that both the management centers adhere to the high availability system requirements. For more information, see Requirements for Management Center High Availability.
- Confirm that you completed the prerequisites for establishing high availability. For more information, see Prerequisites for Management Center High Availability.
- In a multidomain deployment, you must be in the Global domain to perform this task.
Procedure
Step 1 | Log into the management center that you want to designate as the secondary. |
Step 2 | Choose . |
Step 3 | Choose High Availability. |
Step 4 | Under Role for this management center, choose Secondary. |
Step 5 | Enter the hostname or IP address of the primary management center in the Primary Firewall Management Center Host text box. You can leave this empty if the primary management center does not have an IP address reachable from the peer management center (which can be a public or private IP address). In this case, use both the Registration Key and the Unique NAT ID fields. You need to specify the IP address of at least one management center to enable the HA connection. |
Step 6 | Enter a one-time-use registration key in the Registration Key text box. The registration key is any user-defined alphanumeric value up to 37 characters in length. This registration key will be used to register both the secondary and the primary management centers. |
Step 7 | If you did not specify the primary IP address, or if you do not plan to specify the secondary IP address on the primary management center, then in the Unique NAT ID field, enter a unique alphanumeric ID. See NAT Environments for more information. |
Step 8 | Click Register. |
Step 9 | Using an account with Admin access, log into the management center that you want to designate as the primary. |
Step 10 | Choose . |
Step 11 | Choose High Availability. |
Step 12 | Under Role for this management center, choose Primary. |
Step 13 | Enter the hostname or IP address of the secondary management center in the Secondary Firewall Management Center Host text box. You can leave this empty if the secondary management center does not have an IP address reachable from the peer management center (which can be a public or private IP address). In this case, use both the Registration Key and the Unique NAT ID fields. You need to specify the IP address of at least one management center to enable the HA connection. |
Step 14 | Enter the same one-time-use registration key in the Registration Key text box you used in step 6. |
Step 15 | If required, enter the same NAT ID that you used in step 7 in the Unique NAT ID text box. |
Step 16 | Click Register. |
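The following pre-flight check is an added example, not part of the product or its documentation. It generates a random registration key and validates the values planned for both peers against the rules in steps 5 to 7 and 13 to 15. The function names, the dictionary field names (`peer_host`, `registration_key`, `nat_id`), and the reading of "alphanumeric" as ASCII letters and digits are assumptions made for illustration.

```python
import secrets
import string

KEY_MAX = 37  # registration key length limit stated in step 6
ALNUM = string.ascii_letters + string.digits  # assumption: ASCII letters and digits only

def new_registration_key(length=KEY_MAX):
    """Generate a random one-time-use alphanumeric key from the OS CSPRNG."""
    if not 1 <= length <= KEY_MAX:
        raise ValueError(f"length must be 1..{KEY_MAX}")
    return "".join(secrets.choice(ALNUM) for _ in range(length))

def _is_alnum(value):
    return bool(value) and all(c in ALNUM for c in value)

def check_ha_plan(secondary_form, primary_form):
    """Return a list of problems with the planned form values; empty means consistent."""
    problems = []
    for name, form in (("secondary", secondary_form), ("primary", primary_form)):
        key = form.get("registration_key", "")
        if not _is_alnum(key) or len(key) > KEY_MAX:
            problems.append(f"{name}: registration key must be alphanumeric, 1-{KEY_MAX} chars")
    if secondary_form.get("registration_key") != primary_form.get("registration_key"):
        problems.append("registration keys differ between peers (step 14)")
    hosts = [secondary_form.get("peer_host"), primary_form.get("peer_host")]
    if not any(hosts):
        problems.append("at least one peer host/IP must be specified (steps 5, 13)")
    if not all(hosts):  # a host was left empty, so the NAT ID is required on both sides
        nat_s, nat_p = secondary_form.get("nat_id", ""), primary_form.get("nat_id", "")
        if not _is_alnum(nat_s) or not _is_alnum(nat_p):
            problems.append("a peer host is omitted: alphanumeric NAT ID required on both (steps 7, 15)")
        elif nat_s != nat_p:
            problems.append("NAT IDs differ between peers (step 15)")
    return problems

if __name__ == "__main__":
    # Constructed sample: the primary is not reachable from the secondary,
    # so the secondary leaves the host empty and both sides share a NAT ID.
    key = new_registration_key()
    secondary = {"peer_host": "", "registration_key": key, "nat_id": "hapair01"}
    primary = {"peer_host": "192.0.2.20", "registration_key": key, "nat_id": "hapair01"}
    print(check_ha_plan(secondary, primary))
```

Generate a new key for each pairing attempt and discard it after registration completes, since the key is intended for one-time use.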
What to do next
After establishing the management center high availability pair, devices registered to the active management center are automatically registered to the standby management center.
Note | When a registered device has a NAT IP address, automatic device registration fails and the secondary management center High Availability page lists the device as local, pending. You can then assign a different NAT IP address to the device on the standby management center High Availability page. If automatic registration otherwise fails on the standby management center, but the device appears to be registered to the active Secure Firewall Management Center, see Using CLI to Resolve Device Registration in Management Center High Availability. |