
Shadow Mode High Availability on UniFi Cloud Gateways

Shadow Mode ensures gateway high availability by seamlessly transferring gateway and management functionality to a secondary unit in the event of a primary unit failure. Leveraging Virtual Router Redundancy Protocol (VRRP) and firewall connection state tracking, this transition is virtually invisible to end users, maintaining uninterrupted productivity.

Shadow Mode is just one component of UniFi’s full-stack high availability and redundancy solution. For more information, see our High Availability Overview.

Requirements

  • Two rack-mounted Cloud Gateways of the same model (UDM-Pro-Max, UDM-Pro, UDM-SE, or EFG) running UniFi OS v4.0.6 or newer, or two UXG Enterprise gateways running v4.3.1 or newer.
  • Owner or Admin privileges on the account configuring Shadow Mode.

Configuring Shadow Mode

  1. Ensure the primary Cloud Gateway is set up and running UniFi OS 4.0.6 or newer.
  2. Ensure the Shadow Gateway is in the factory default state.
  3. Connect the Shadow Gateway's WAN port to:
    1. Ports 1-6 or 8 on the UDM-Pro-Max, UDM-Pro, or UDM-SE.*
    2. Ports 3-6 on the EFG.*
  4. Navigate to Settings > Control Plane > Console on the primary gateway and set the secondary gateway to Shadow Mode.
  5. After completing the setup, the Shadow Gateway will automatically upgrade to match the UniFi OS version on the primary.
  6. The Shadow Gateway will also automatically sync its configuration with the primary. This may take up to fifteen minutes to complete.
    1. To force a sync, select the Shadow Gateway and click Sync Now.
  7. After the sync from Step 6 has completed, select Enable Automatic Failover to set up the high availability connection.
  8. When prompted, connect:
    1. Port 7 to port 7 on the UDM-Pro-Max, UDM-Pro, or UDM-SE.
    2. Port 2 to port 2 on the EFG.
  9. Verify the connection and proceed to set up a high availability cluster.
  10. Disconnect the Shadow Gateway's WAN connection from the Primary Gateway established in step 3.
  11. Mirror the Primary Gateway's WAN connection by connecting the same ISP to the corresponding WAN port on both units.
  12. Mirror the Primary Gateway's LAN connections by connecting the Shadow Gateway's LAN ports to the same devices.

* Port 7 on the UDM-Pro-Max / UDM-Pro / UDM-SE and port 2 on the EFG are used for the dedicated high availability connection and should not be used to connect the Shadow Gateway's WAN.

Note: Use the UniFi mobile app to update the Shadow Gateway if it is not detected.

Failover Scenario

In the event of the Primary Gateway hardware failure, the Shadow Gateway will automatically take over.

  1. Firewall and connection state tables are synced between the primary and shadow gateway, allowing the shadow to take over in a matter of seconds without interrupting client connectivity.
  2. If used, remove the HDD from the primary and insert it into the Shadow Gateway.
  3. Disconnect and remove the Primary Gateway from the rack.
  4. Navigate to the UniFi OS > Applications settings, select the Shadow Gateway and click to promote it to primary. The Shadow Gateway has now taken over the primary role.
  5. Install a new gateway and repeat steps 1-10 above.

Multi-Chassis Link Aggregation (MC-LAG)

MC-LAG enhances high availability for your core ECS Aggregation switches, improving reliability and eliminating single points of failure in your network. For setup instructions, click here.

Frequently Asked Questions

What triggers a failover to the Shadow Gateway?

Failover is triggered if the Shadow Gateway detects loss of connectivity to the Primary Gateway.
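The failover mechanics this article relies on (VRRP advertisements from the active unit, a master-down timer on the standby, and a synced connection state table) can be seen end to end in a small simulation. The Python model below is an added teaching example and is not Ubiquiti's Shadow Mode code; the 1 s advertisement interval, the priorities 200/100 and the sample flow are assumed values, while the timer formulas are those of RFC 5798 section 6.1. It shows both why the shadow detects "loss of connectivity" only after several missed advertisements and why established client sessions survive the takeover.

```python
"""Toy VRRP-style failover with replicated connection state.

Constructed teaching model, not Ubiquiti's Shadow Mode implementation.
Timer arithmetic follows RFC 5798 section 6.1:
    Skew_Time            = ((256 - Priority) * Master_Adver_Interval) / 256
    Master_Down_Interval = 3 * Master_Adver_Interval + Skew_Time
"""
from dataclasses import dataclass, field

ADVERT_INTERVAL = 1.0  # seconds between master advertisements (assumed value)


def skew_time(priority: int, adver_interval: float = ADVERT_INTERVAL) -> float:
    """Higher priority gives a shorter skew, so the preferred backup wins the race."""
    return ((256 - priority) * adver_interval) / 256


def master_down_interval(priority: int, adver_interval: float = ADVERT_INTERVAL) -> float:
    """How long a backup tolerates silence from the master before taking over."""
    return 3 * adver_interval + skew_time(priority, adver_interval)


@dataclass
class Gateway:
    name: str
    priority: int                 # 1..254; the unit meant to be master gets the higher value
    state: str = "BACKUP"         # "MASTER" or "BACKUP"
    conntrack: dict = field(default_factory=dict)  # replica of the firewall flow table
    last_advert_seen: float = 0.0

    def send_advert(self, now: float, peer: "Gateway") -> None:
        """Master heartbeat: refreshes the peer's timer and pushes the flow table."""
        assert self.state == "MASTER"
        peer.last_advert_seen = now
        peer.conntrack = dict(self.conntrack)  # state sync keeps established flows alive on takeover

    def tick(self, now: float) -> str:
        """Backup-side check: promote ourselves if the master has gone quiet too long."""
        if self.state == "BACKUP" and now - self.last_advert_seen > master_down_interval(self.priority):
            self.state = "MASTER"
        return self.state


def simulate(fail_at: float, horizon: float = 10.0, step: float = 0.1):
    """Run the pair on a virtual clock; the primary dies silently at `fail_at`.

    Returns (time at which the shadow promoted itself, flow table it holds then).
    """
    primary = Gateway("primary", priority=200, state="MASTER")
    shadow = Gateway("shadow", priority=100)
    # Constructed sample flow: a LAN client behind the gateway talking to a web server.
    primary.conntrack[("10.0.0.5", 51000, "203.0.113.9", 443)] = "ESTABLISHED"

    steps_per_advert = int(round(ADVERT_INTERVAL / step))
    takeover_time = None
    for i in range(int(round(horizon / step)) + 1):
        now = round(i * step, 3)
        primary_alive = now < fail_at
        if primary_alive and i % steps_per_advert == 0:
            primary.send_advert(now, shadow)
        if shadow.tick(now) == "MASTER" and takeover_time is None:
            takeover_time = now
    return takeover_time, shadow.conntrack


if __name__ == "__main__":
    t, flows = simulate(fail_at=4.0)
    print(f"shadow became master at t={t}s, carrying {len(flows)} synced flow(s)")
```

With these assumed values the last advertisement lands at t=3.0 s and the shadow promotes itself just after t=6.6 s, roughly 3.6 s of silence: a single lost heartbeat is not enough, which is what keeps a brief hiccup on the dedicated HA link from causing a spurious failover. The synced flow table is already on the shadow when it takes over, so the client's HTTPS session in the sample is not reset.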

Should I insert an HDD into both the Primary and Shadow Gateway?

We recommend only inserting an HDD into the Primary Gateway. This will ensure that all data is carried over to the Shadow Gateway when you swap it over as part of the failover process.

What should I do if the Shadow Gateway is not detected?

Use the UniFi mobile app to update the Shadow Gateway. Alternatively, set up the Shadow Gateway as normal, update it and then finally factory reset it. Although it is not recommended, SSH can also be used to update while in the factory-default state.

I want to use Automatic Failover and have a GPON ISP. Can I use a splitter to connect both the Primary and Shadow Gateway simultaneously?

No, in this setup connect the ISP fiber connection to an upstream switch and then split the connections on the switch using either Ethernet, SFP modules or DAC cables.

I want to use Automatic Failover but I only have one connection from my ISP. How can I split the ports?

If your ISP provides only a single uplink, you can use the UniFi WAN Switch to simplify the setup. This managed device is part of the UniFi ecosystem and allows you to connect the ISP once and automatically distribute the connection to both the Primary and Shadow Gateways. It also supports failover detection and is fully managed within UniFi Network.

Alternatively, you can use a standard switch. With a UniFi Switch, create a new virtual network and set its router type to Third-Party Gateway. Then, go to the Port Manager and select three ports—one for the ISP, one for the Primary Gateway, and one for the Shadow Gateway. Assign the new network as the native VLAN on all three ports, and set tagged VLAN management to Block All. If using an unmanaged switch, you can simply connect the ISP uplink and both gateways, though this offers less visibility and control.

Do I need multiple IP addresses from my ISP to use Automatic Failover?

No, only a single IP address is necessary. The Shadow Gateway mirrors the Primary Gateway exactly but keeps the WAN connection on standby awaiting a failover event.
