Break a High Availability Pair

When you break a high-availability pair, the high-availability configuration is removed from both units.

When using the Management interface for manager access: The active unit remains up and passing traffic. The standby unit interface configuration is erased.

When using a data interface for manager access: See the following details.

  • The active unit remains up and passing traffic.

  • The standby unit data interfaces are shut down except for the manager access interface, which remains up using the standby IP address so it can maintain the management connection.

  • In a remote branch deployment setup, all standby unit data interfaces that are assigned a logical name are shut down except for the manager access interface, which remains up to maintain the management connection.

  • If the primary unit is in the standby state:

    • The IP addresses for manager access are swapped permanently in the management center configuration: the primary unit uses the standby IP address, and the secondary unit uses the active IP address.

Policies that were not deployed to the active unit before the break operation remain undeployed after it completes. Deploy these policies on the standalone device once the break operation is complete.

Note
  • When IPsec is enabled on high availability interfaces on the threat defense device, the device cannot prioritize the encrypted packets into the high-priority receive queue. As a result, during high-volume data traffic scenarios, attempts to break high availability may fail as the device cannot efficiently manage and prioritize the large number of encrypted connections. To view the device's resource usage and the maximum throughput, use the show resource usage command.

  • If you cannot reach the high-availability pair using the management center, connect to the CLI on each device and enter configure high-availability disable to manually break high availability. See also Remove a High Availability Pair.

Caution

Breaking the threat defense high-availability pair immediately restarts the Snort process on the primary and secondary units, temporarily interrupting traffic inspection on both devices. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information.

Before you begin

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the high-availability pair you want to break, click the More actions icon and choose Break.

Step 3

If the standby peer does not respond, check Force Break.

Step 4

Click Yes.

The Break operation removes the high-availability configuration from the active and standby units.

A FlexConfig policy deployed on the active unit may show a deployment failure after the break high-availability operation. You must alter and re-deploy the FlexConfig policy on the active unit.


What to do next

If you are using a FlexConfig policy on the active unit, alter and re-deploy the FlexConfig policy to eliminate deployment errors.

Note

After you break high availability, the threat defense device that was operating as the active unit will still have the standby unit's IP address listed in its configuration. To resolve this, do an additional deployment on the formerly active threat defense device to remove the standby unit's IP address from its configuration.