Anyone have any experience deploying SW-HA with Ubiquiti switching
I've recently stepping into trying to get High Availability going. We currently have Ubiquiti unifi switches and APs. I've never really been a fan of the switches, but 10gbit on unifi is cheap, so here we are.
My setup:
NSa2700 + HA unit, both x1 and x2 (different ISPs) from both units plugged into a Cisco CBS350 8MGP-2x switch for my WAN switch, with each ISP having their own vLAN on that switch plus a dedicated managment vLAN for us to access it from inside the network.
I've been using the x16 SFP+ port for my "LAN" port since first setting up the first 2700, over a year ago. There are a couple dozen vLAN sub-interfaces on this port. Both x16 SFP+ ports from each respective 2700 plug into a Unifi USW-Pro-48 switch's SFP+ ports (well, two of them) and last but not least, the HA Control link and HA data link are both set to x18 on both units, with a SFP+ DAC cable connecting them.
My issue is that I have random packet loss between networks, between this site (HQ) and other sites accessing services inside HQ through VPNs, and the Unifi controller thinking the SonicWall is physically connected to any random port somewhere on the many switches.....but only for certain vLANs. I have also setup primary/secondary monitoring IPs in the HA settings, and sometimes the x.x.x.1 gateway plus the two x.x.x.253 and x.x.x.254 will all appear, but sometimes one of those monitoring IPs will disappear from Unifi's ARP table (if that's what you want to call it) completely.
Havoc ensues. Its like the HA setup creates a slow-growing broadcast storm that is not detected or reported anywhere.
Anyone else using Unifi switching and successfully have SonicWall HA working with it? We were planning on rolling out HA to all other locations once HQ was complete, but this is such a shidshow that I have my doubts.
I do have another, different model CBS350 switch coming so I can make that where the primary and secondary HA devices connect to on the inside, but am still troubleshooting this existing issue while I wait for that delivery.
Thanks for taking the time to read this, hopefully someone else has had and resolved a similar issue.
Answers
I have also setup primary/secondary monitoring IPs in the HA settings, and sometimes the x.x.x.1 gateway plus the two x.x.x.253 and x.x.x.254 will all appear, but sometimes one of those monitoring IPs will disappear from Unifi's ARP table
This isn't necessarily a problem. You'll only have ARP entries on the switch if the switch is talking to the monitoring IPs, right?
Are the firewalls failing over unexpectedly?
Are you using X0 at all? Check out tip #4 [I don't know why this is a "tip" when they use the word "must"!]:
https://www.sonicwall.com/support/knowledge-base/tips-for-high-availability-ha-setup/170504379328065/
Sonicwall HA does not demand much of the switching, there's very little you need to do in order for this to work - simply make sure you have all the VLANs you need on the relevant ports, that's about it.
Having two WANs, two Sonicwalls but then using a single WAN switch seems like an obvious single point of failure.
As to whether doing active/standby HA is worth it....the hardware is so reliable that you're more likely to see issues with the HA mechanism itself than an actual failure of the hardware.
I dont recommend Ubiquiti's older 'Unifi' line of switches, we chose to use the EdgeSwitch line and have had little to no issues. Unfortunately the 'Edge' series has been soft-retired and now there are only 'Unifi', of which the Pro and Enterprise lines would be my first choices (they do not require the Unifi Controller software).
The Unifi controller software and lower end Unifi switches IMHO are not designed for enterprise environments, they are 'pro-sumer'.
That said I have multiple HA setups with EdgeSwitches with no issues. BUT I only ever use X0 and other copper 1G ports in HA setups. I also do not like doing HA to a single switch; really HA should go to a stackable pair of switches for proper redundancy (but not everyone will pay for that).
As Arkwright said, ARP entries for the monitoring IPs are no concern. If your gateway ARP changes or disappears then thats a problem.
If you disconnect your standby unit are your symptoms non-existent? It sounds to me like you might have a network loop.
@Arkwright
I am not using x0. I read that when I first set it up, but other resources said that using x0 wasn't a necessity since you can choose your HA data+managment interfaces.
Yes, the single WAN switch is a single point of failure for now, but the reason I went with the model I did is because they do stack. The second one is en route. I just wanted to get the HA setup going. The Unifi switches do not stack at all, which is why I have more Cisco switches en-route for that side as well.
@TKWITS
I have a mix of the older and newer switches. The newer switches do indeed require the controller if you want to do anything meaningful with them. (like see port errors) I am replacing the "core" switch with a pair of stacked Cisco switches this coming weekend.
My issue is that my monitoring tools will show the three IPs (.1/.253/.254) online, and then all of a sudden one of the two .25x IPs is "offline" and not in any ARP tables, and it could be either of those and its seemingly random. I agree it sounds like a loop, but I have verified that I do not have one, and have basically boiled it down to either the two 2700s plugged into one switch, or the LAGs setup between all of the switches.
I suppose it's time to start replacing the unifi stuff with proper gear. Unfortunately one Cisco switch with enough SFP+ ports to replace my core switch (Unifi Aggregation Pro) costs more than all 9 unifi switches combined, so it's going to take me a while.
Have you considered Arubas switches? Not the 'Instant-On' line, as those are foo. Dell PowerSwitches?
Cisco's equipment is solid by all means, but for small to medium businesses they are overkill. You can get the same networking features for less. The main thing missing will be the robust diagnostic features. How many times have I had to use those in ~20 years? A handful. Useful, yes, but worth the cost for most businesses? Not likely.
The problem with all switch manufacturers these days is availability. Hard to find stock anywhere.
The Cisco CBS (Cisco Business Series), which was initially named Catalyst 1000 series, is what I've been moving to. Definitely not ubiquiti cheap, but reasonably affordable (big picture-wise), and their official storefront is via Amazon. So far I haven't had any issues getting anything. (Fingers crossed).