UniFi Gateway - Shadow Mode High Availability
Shadow Mode ensures gateway high availability by seamlessly transferring gateway and management functionality to a secondary unit in the event of a primary unit failure. Leveraging Virtual Router Redundancy Protocol (VRRP) and firewall connection state tracking, this transition is virtually invisible to end users, maintaining uninterrupted productivity.
Requirements
- Two Cloud Gateways of the same model (UDM-Pro-Max, UDM-Pro, UDM-SE, or EFG) running UniFi OS 4.0.6 or newer.
- A UI Account with Owner or Super Admin privileges.
Configuring Shadow Mode
1. Ensure the primary Cloud Gateway is set up and running UniFi OS 4.0.6 or newer.
2. Ensure the Shadow Gateway is in the factory default state.
3. Connect the Shadow Gateway's WAN port to:
   - Port 1-6 or 8 on the UDM-Pro-Max, UDM-Pro, or UDM-SE.*
   - Port 3-6 on the EFG.*
4. Navigate to Settings > Control Plane > Console on the primary gateway and set the secondary gateway to Shadow Mode.
5. After completing the setup, the Shadow Gateway will automatically upgrade to match the UniFi OS version on the primary.
6. The Shadow Gateway will also automatically sync its configuration with the primary. This may take up to fifteen minutes to complete.
7. To force a sync, select the Shadow Gateway and click Sync Now.
8. After the sync from Step 6 has completed, select Enable Automatic Failover to set up the high availability connection.
9. When prompted, connect:
   - Port 7 to port 7 on the UDM-Pro-Max, UDM-Pro, or UDM-SE.
   - Port 2 to port 2 on the EFG.
10. Verify the connection and proceed to set up a high availability cluster.
11. Disconnect the Shadow Gateway's WAN connection from the Primary Gateway established in Step 3.
12. Replicate the Primary Gateway's WAN connection by connecting the same ISP to the corresponding WAN port on both units.
13. Replicate the Primary Gateway's LAN connections by connecting the Shadow Gateway's LAN ports to the same devices.
* Port 7 on the UDM-Pro-Max / UDM-Pro / UDM-SE and port 2 on the EFG are used for the dedicated high availability connection and should not be used to connect the Shadow Gateway's WAN.
Note: Use the UniFi mobile app to update the Shadow Gateway if it is not detected.
Failover Scenario
In the event of a Primary Gateway hardware failure, the Shadow Gateway will automatically take over.
1. Firewall and connection state tables are synced between the primary and shadow gateway, allowing the shadow to take over in a matter of seconds without interrupting client connectivity.
2. If used, remove the HDD from the primary and insert it into the Shadow Gateway.
3. Disconnect and remove the Primary Gateway from the rack.
4. Navigate to the UniFi OS > Applications settings, select the Shadow Gateway and click to promote it to primary. The Shadow Gateway has now taken over the primary role.
5. Install a new gateway and repeat steps 1-10 above.
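The claim above is that the shadow takes over "in a matter of seconds" without dropping client connectivity. The script below is an added example, not part of this article or of Ubiquiti's software, for measuring that from a LAN client after enabling Automatic Failover: it probes the gateway's LAN address and an external TCP endpoint once per second, then collapses consecutive failures into outage windows so you can read off the longest gap a failover actually caused. The gateway address 192.168.1.1 and the external target 1.1.1.1:443 are assumptions; change them to match your network.

```python
"""Measure gateway failover time from a LAN client's point of view.

Added example; not part of the UniFi article or of Ubiquiti's software.
Assumed (hypothetical) values: gateway LAN IP 192.168.1.1, external
reachability target 1.1.1.1:443 (TCP connect). Adjust both for your site.
"""
import socket
import sys
import time
from dataclasses import dataclass

GATEWAY_ADDR = ("192.168.1.1", 443)   # assumed gateway LAN IP and a listening port
EXTERNAL_ADDR = ("1.1.1.1", 443)      # assumed external target reached through the gateway


@dataclass
class Probe:
    ts: float   # seconds since epoch
    ok: bool    # True if the probe succeeded


def tcp_probe(addr: tuple[str, int], timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to addr completes within timeout."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


def outage_windows(probes: list[Probe]) -> list[tuple[float, float]]:
    """Collapse runs of failed probes into (start, end) windows.

    start is the timestamp of the first failed probe in a run; end is the
    timestamp of the first successful probe after it, or of the last probe
    if the series ends while still failing (trailing outage).
    """
    windows: list[tuple[float, float]] = []
    start = None
    for p in probes:
        if not p.ok and start is None:
            start = p.ts
        elif p.ok and start is not None:
            windows.append((start, p.ts))
            start = None
    if start is not None:
        windows.append((start, probes[-1].ts))
    return windows


def longest_outage(probes: list[Probe]) -> float:
    """Longest outage window in seconds; 0.0 if every probe succeeded."""
    return max((end - start for start, end in outage_windows(probes)), default=0.0)


def watch(addr: tuple[str, int], duration_s: float, interval_s: float = 1.0) -> list[Probe]:
    """Probe addr every interval_s seconds for duration_s seconds."""
    probes = []
    deadline = time.time() + duration_s
    while time.time() < deadline:
        probes.append(Probe(time.time(), tcp_probe(addr)))
        time.sleep(interval_s)
    return probes


if __name__ == "__main__":
    # Run for e.g. 300 s, trigger the failover in the meantime, and read the result.
    duration = float(sys.argv[1]) if len(sys.argv) > 1 else 300.0
    for label, addr in (("gateway", GATEWAY_ADDR), ("external", EXTERNAL_ADDR)):
        results = watch(addr, duration)
        print(f"{label}: {len(results)} probes, longest outage {longest_outage(results):.1f} s")
        for start, end in outage_windows(results):
            print(f"  outage {time.strftime('%H:%M:%S', time.localtime(start))} "
                  f"-> {time.strftime('%H:%M:%S', time.localtime(end))}")
```

Run it from a wired LAN client with a duration long enough to cover the swap (power off the primary during the run), and compare the gateway and external outage windows: a short gateway-side gap with no external gap is consistent with synced connection state, while a long external gap points at the WAN side (for example, the ISP side of a split uplink) rather than the VRRP handover itself. The measurement granularity is the probe interval, so the reported outage is accurate to about one second.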
Frequently Asked Questions
What triggers a failover to the Shadow Gateway?
Failover is triggered if the Shadow Gateway detects loss of connectivity through the Primary Gateway.
Should I insert an HDD into both the Primary and Shadow Gateway?
We recommend only inserting an HDD into the Primary Gateway. This will ensure that all data is carried over to the Shadow Gateway when you swap it over as part of the failover process.
What should I do if the Shadow Gateway is not detected?
Use the UniFi mobile app to update the Shadow Gateway. Alternatively, set up the Shadow Gateway as normal, update it and then finally factory reset it. Although it is not recommended, SSH can also be used to update while in the factory-default state.
I want to use Automatic Failover and have a GPON ISP. Can I use a splitter to connect both the Primary and Shadow Gateway simultaneously?
No, in this setup connect the ISP fiber connection to an upstream switch and then split the connections on the switch using either Ethernet, SFP modules or DAC cables.
I want to use Automatic Failover but I only have one connection from my ISP. How can I split the ports?
If your ISP only provides a single uplink connection, then use either a UniFi switch with a dedicated untagged / native VLAN or an unmanaged switch to split the ports. When using a UniFi switch, create a new virtual network and set the router to third-party gateway. Afterwards, navigate to the Port Manager and select three ports on the switch (one port connects to the ISP and one to each gateway). Finally, set the new network as the native VLAN / network and set tagged VLAN management to Block All on all three ports.
Do I need multiple IP addresses from my ISP to use Automatic Failover?
No, only a single IP address is necessary. The Shadow Gateway mirrors the Primary Gateway exactly but keeps the WAN connection on standby awaiting a failover event.