UniFi Gateway - Shadow Mode High Availability
With Shadow Mode, you can ensure High Availability (HA) of your UniFi Cloud Gateway to minimize downtime, and provide a reliable failover mechanism in the face of unexpected hardware failures. In this setup, a secondary Shadow Gateway mirrors the configuration of the Primary Gateway, and can easily take over full network and management capabilities should it ever fail. There are two ways to use Shadow Mode:
- Shadow Mode - The shadow gateway's WAN port is connected to the LAN on the primary gateway. In the event of a hardware failure, the cables need to be manually moved over to the shadow gateway.
- Shadow Mode with Automatic Failover - The cabling on the shadow gateway mirrors the primary and both are interconnected using a dedicated high availability link. Both gateways synchronize the network connection information, allowing for immediate failover. In the event of a hardware failure, the shadow gateway automatically takes over with minimal downtime.
Requirements
- UDM-Pro-Max, UDM-Pro, UDM-SE or EFG.
- The Cloud Gateways must be the same model.
- The Cloud Gateways must be managed from a UI Account with Owner or Super Admin privileges.
- When setting up, the shadow gateway must be in the factory default state.
- UniFi OS 3.2 or newer is required for Shadow Mode.
- UniFi OS 4.0.6 or newer is required for Shadow Mode with Automatic Failover.
Configuring Shadow Mode with Automatic Failover
- Ensure the primary Cloud Gateway is set up and up to date, running UniFi OS 3.2 or newer.
- Connect the shadow gateway's WAN port to port 1-6 or 8 on the UDM-Pro-Max / UDM-Pro / UDM-SE or port 3-6 on the EFG*.
- Navigate to the UniFi OS > Applications settings on the primary gateway, and set the secondary gateway to Shadow Mode.
- After completing the setup, the shadow gateway will automatically upgrade to match the UniFi OS version on the primary.
- The shadow gateway will also automatically sync its configuration with the primary. To force a sync, select the shadow gateway and click Sync Now.
- Select Enable Automatic Failover to set up the high availability connection.
- When prompted in step 1, connect port 7 on the primary gateway to port 7 on the shadow when using a UDM-Pro-Max / UDM-Pro / UDM-SE or port 2 to port 2 when using an EFG.
- Verify the connection and proceed to set up a high availability cluster in step 2.
- In step 3, disconnect the WAN port on the shadow gateway and mirror the primary's WAN cabling. If your ISP only provides a single uplink connection, then use either a UniFi switch with a dedicated untagged / native VLAN or an unmanaged switch to split the ports.
- In step 4, mirror the primary gateway's LAN cabling on the shadow.
* Port 7 on the UDM-Pro-Max / UDM-Pro / UDM-SE and port 2 on the EFG are used for the dedicated high availability connection and should not be used to connect the shadow gateway's WAN.
Note: Use the UniFi mobile app to update the shadow gateway if it is not detected.
Failover Scenario
In the event of a primary gateway hardware failure, the shadow gateway will automatically take over.
- Firewall and connection state tables are synced between the primary and shadow gateway, allowing the shadow to take over in a matter of seconds without interrupting client connectivity.
- If used, remove the HDD from the primary and insert it into the shadow gateway.
- Disconnect and remove the primary gateway from the rack.
- Navigate to the UniFi OS > Applications settings, select the shadow gateway and click to promote it to primary. The shadow gateway has now taken over the primary role.
- Install a new gateway and repeat steps 1-10 above.
Configuring Shadow Mode without Automatic Failover
- Ensure the primary Cloud Gateway is set up and up to date, running UniFi OS 3.2 or newer.
- Connect the shadow gateway's WAN port to any LAN port on the primary gateway.
- Navigate to the UniFi OS settings on the primary gateway, and set the secondary gateway to Shadow Mode.
- After completing the setup, the shadow gateway will automatically upgrade to match the UniFi OS version on the primary.
- The shadow gateway will also automatically sync its configuration with the primary. To force a sync, select the shadow gateway and click Sync Now.
Note: Use the UniFi mobile app to update the shadow gateway if it is not detected.
Failover Scenario
In the event of a primary gateway hardware failure, the cabling needs to be adjusted on the shadow gateway.
- The touchscreen on the shadow gateway will prompt you to take over.
- Disconnect the shadow gateway's WAN port.
- Unplug the cable from the primary gateway's WAN port and move it to the shadow.
- If used, remove the HDD from the primary and insert it into the shadow gateway.
- Touch Tap To Proceed on the shadow gateway's touchscreen and Restoring from Backup… will appear.
- Move all other cables from the primary gateway to the shadow gateway, making sure to use the same ports.
Frequently Asked Questions
What triggers a failover to the Shadow Gateway?
Failover is triggered if the shadow gateway detects loss of connectivity through the primary gateway.
Should I insert an HDD into both the Primary and Shadow Gateway?
We recommend only inserting an HDD into the primary gateway. This will ensure that all data is carried over to the shadow gateway when you swap it over as part of the failover process.
What should I do if the Shadow Gateway is not detected?
Use the UniFi mobile app to update the shadow gateway. Alternatively, set up the shadow gateway as normal, update it and then finally factory reset it. Although it is not recommended, SSH can also be used to update while in the factory-default state.
I want to use Automatic Failover and have a GPON ISP. Can I use a splitter to connect both the Primary and Shadow Gateway simultaneously?
No, in this setup connect the ISP fiber connection to an upstream switch and then split the connections on the switch using either Ethernet, SFP modules or DAC cables.
I want to use Automatic Failover but I only have one connection from my ISP. How can I split the ports?
If your ISP only provides a single uplink connection, then use either a UniFi switch with a dedicated untagged / native VLAN or an unmanaged switch to split the ports. When using a UniFi switch, create a new virtual network and set the router to third-party gateway. Afterwards, navigate to the Port Manager and select three ports on the switch (one port connects to the ISP and one to each gateway). Finally, set the new network as the native VLAN / network and set tagged VLAN management to Block All on all three ports.
Do I need multiple IP addresses from my ISP to use Automatic Failover?
No, only a single IP address is necessary. The Shadow Gateway mirrors the Primary Gateway exactly but keeps the WAN connection on standby awaiting a failover event.