4.3.3. Active-Active HA Cluster

In the Active-Active mode, one of the servers operates as the master node, which distributes traffic among all other cluster nodes. On each cluster node, the administrator selects network interfaces and assigns virtual IP addresses to them. These interfaces exchange VRRP advertisements - messages that the nodes use to inform each other of their state.

Virtual IP addresses always reside on the master node's interfaces, so the master node receives client ARP requests and responds to them, serving the MAC addresses of all HA cluster nodes in turn. This distributes traffic uniformly across the cluster nodes while preserving user session continuity.


The Active-Active mode supports user session synchronization, which provides user-transparent traffic switching between nodes, except for the sessions that use a proxy (e.g., HTTP/S).

When a backup server assumes the master role, all virtual IP addresses of all cluster interfaces are transferred to it. An unconditional role transfer occurs under the following circumstances:

  • A backup server gets no confirmation that the master node is online - for example, if it is offline or the nodes are unavailable on the network.

  • Internet connectivity checking is configured on the node (see section Gateway Configuration), and there is no Internet access through any of the gateways.

  • A software fault has occurred in UserGate.

When one or more network interfaces on the master node that are assigned virtual IP addresses go offline, this will lower the node's priority but not necessarily cause a change in the server's role. Transition to a backup node will occur if that node has a higher priority than the master node. By default, the master node has a priority of 250, while a backup node has a priority of 249. A node's priority is decreased by 2 for each cluster interface that has no physical connectivity to the network. Therefore, for a two-node HA cluster, if one network interface on the master node loses the physical connectivity to the network, the master role will be transferred to the backup server, provided that all its cluster interfaces have network connectivity (the priority value will be 248 for the master and 249 for the backup in that case). When the physical connectivity on the original master node is restored, that node will assume the master role again because its priority value will return to 250.

When one or more cluster network interfaces go offline on a backup node, this lowers the node's priority and excludes it from traffic load balancing. That backup node will nevertheless be able to become the master in case of an unconditional role transfer or when the master node's priority drops below the priority of this backup node.


If cluster IP addresses are assigned to VLAN interfaces, the lack of connectivity on a physical interface will be interpreted by the HA cluster as a connectivity loss on all VLAN interfaces created on that physical interface.
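
The priority rules from the preceding paragraphs, worked through as an added example (not UserGate code). The interface names, the Node class and the elect function are hypothetical; how equal priorities are resolved and whether the master always handles traffic are assumptions the text does not state.

```python
from dataclasses import dataclass

# Priority values stated in the text above.
MASTER_BASE, BACKUP_BASE, PENALTY = 250, 249, 2

@dataclass
class Node:
    name: str
    configured_master: bool
    cluster_ifaces: dict                 # cluster interface -> physical port (constructed names)
    ports_down: frozenset = frozenset()  # physical ports with no link
    failed: bool = False                 # an unconditional-transfer condition holds

    def down_ifaces(self):
        # A dead physical port takes every VLAN interface built on it down.
        return [i for i, p in self.cluster_ifaces.items() if p in self.ports_down]

    def priority(self):
        base = MASTER_BASE if self.configured_master else BACKUP_BASE
        return base - PENALTY * len(self.down_ifaces())

def elect(nodes):
    """Return (master name, names of nodes that receive balanced traffic)."""
    alive = [n for n in nodes if not n.failed]
    if not alive:
        return None, []
    # Assumption: equal priorities resolve to the node listed first.
    master = max(alive, key=lambda n: n.priority())
    # Assumption: the master always handles traffic; a backup with a
    # cluster interface down is excluded from load balancing.
    balanced = [n.name for n in alive if n is master or not n.down_ifaces()]
    return master.name, balanced

def demo():
    ifaces = {"port1": "port1", "port2.10": "port2", "port2.20": "port2"}
    ug1 = Node("UG1", True, dict(ifaces))
    ug2 = Node("UG2", False, dict(ifaces))
    results = [elect([ug1, ug2])]              # everything healthy
    ug1.ports_down = frozenset({"port1"})      # master loses one interface: 248 vs 249
    results.append(elect([ug1, ug2]))
    ug1.ports_down = frozenset()               # link restored: master back to 250
    ug2.ports_down = frozenset({"port2"})      # backup loses two VLAN interfaces: 245
    results.append(elect([ug1, ug2]))
    ug1.failed = True                          # unconditional transfer to the backup
    results.append(elect([ug1, ug2]))
    return results
```

Because the penalty is 2 and the defaults are 250 and 249, a master's priority is always even and a backup's always odd, so the configured master and a backup can never tie.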


To reduce the time it takes for the network equipment to switch the traffic to a backup node, UserGate servers send an internal GARP notification (Gratuitous ARP) to inform the network equipment of a MAC address change for all virtual IP addresses. In the Active-Active mode, a UserGate server sends a GARP packet only when a backup server assumes the master role.

An example network diagram for a HA cluster in the Active-Active mode is shown below. The network interfaces are configured as follows:

  • Trusted zone: IP1, IP2, IP3, IP4, and IP cluster (Trusted).

  • Untrusted zone: IP5, IP6, IP7, IP8, and IP cluster (Untrusted).

  • Cluster zone: IP9, IP10, IP11, IP12, IP13, and IP14. The interfaces in the Cluster zone are used for settings replication.

Both cluster IP addresses reside on the UG1 node. If the UG1 node goes offline, both cluster IP addresses will migrate to the next server, which becomes the master - e.g., UG2.


Figure 2 - A HA cluster in the Active-Active mode


For correct traffic processing, the reverse traffic from the server to the client must pass through the same UserGate node that was used for the corresponding forward traffic from the client; i.e., the user session must always pass through the same cluster node. The simplest solution is to use NAT from the client network to the server network (NAT from Trusted to Untrusted).

To create a HA cluster, follow these steps:



Step 1. Create a configuration cluster.

Create a configuration cluster as described in the previous step.

Step 2. Configure zones whose interfaces will participate in the HA cluster.

In the Zones section, you should allow the VRRP service for all zones where virtual cluster IP addresses are to be added (zones Trusted and Untrusted on the above diagrams).

Step 3. Create a new HA cluster.

In the Device management --> HA cluster section, click Add and configure the settings for the new HA cluster.

Step 4. Specify a virtual IP address for the auth.captive, logout.captive, block.captive, and ftpclient.captive hosts.

If captive-portal authorization is to be used, the system host names auth.captive and logout.captive used by the authorization procedures in the captive portal must resolve to the IP address assigned as the virtual cluster address. For more details on these settings, see the section General Settings.

The settings for a HA cluster are listed below:




Enable or disable the HA cluster.


The name of the HA cluster.


A description of the HA cluster.


The HA cluster operating mode:

  • Active-Active: the load is distributed between all cluster nodes.

  • Active-Passive: the load is processed by the master node and switched to a backup instance if the master node is offline.

Sessions sync

Enables the user session synchronization mode between all nodes in the HA cluster. When enabled, this option makes switching users between devices transparent to the users themselves but adds significant load on the UserGate platform. The option is only relevant for the Active-Passive cluster mode.

HA cluster multicast ID

Multiple HA clusters can be created in a single configuration cluster. Session synchronization uses a specific multicast address defined by this parameter. A unique ID must be assigned to each group of HA clusters that requires session synchronization support within the group.

Virtual router ID (VRID)

The VRID must be unique to each VRRP cluster in the local network. If there are no 3rd party VRRP clusters in the network, it is recommended to keep the default setting.


Select the configuration cluster nodes to combine into an HA cluster. Here you can also assign the master role to one of the selected nodes.

Virtual IPs

Assign virtual IP addresses and map them to the interfaces of the cluster nodes.