# (Optional) Deploy the secondary NSX Autonomous Edge in HA mode (on-premises site)

## <mark style="color:green;">**Overview**</mark> <a href="#overview" id="overview"></a>

Optionally, use the following steps to deploy a secondary NSX-T Autonomous Edge (Layer 2 VPN client) in HA mode in your on-premises environment:

| **#** | **OVF Template Name** | **Port Group**   | **Primary Node**                                             | **Second Node (optional)**                                                                                 | **Remark**                      |
| ----- | --------------------- | ---------------- | ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------- | ------------------------------- |
| 1     | Network 0             | Management       | <mark style="background-color:yellow;">192.168.137.79</mark> | <mark style="background-color:yellow;">192.168.137.80</mark>                                               |                                 |
| 2     | Network 1             | Uplink           | <mark style="background-color:yellow;">192.168.138.77</mark> | –                                                                                                          | Must have internet access       |
| 3     | Network 2             | Trunk            | –                                                            | –                                                                                                          |                                 |
| 4     | Network 3             | – (HA, optional) | <mark style="background-color:yellow;">192.168.137.81</mark> | <mark style="background-color:yellow;">192.168.137.82</mark>                                               |                                 |

## <mark style="color:green;">**Procedure**</mark> <a href="#procedure" id="procedure"></a>

{% stepper %}
{% step %}
**Step 1:** Follow the steps in [Deploy NSX Autonomous Edge (on-premises site)](https://higio-support.atlassian.net/wiki/spaces/v2/pages/69992630) until you reach the **Customize template** step.
{% endstep %}

{% step %}
**Step 2:** On the **Customize template** step, do the following instead:

* In the **Application** section, do the following:
  * Set the **System Root User Password**.
  * Set the **CLI "admin" User Password**.
  * Select the **Is Autonomous Edge** checkbox.
  * Leave the remaining fields empty.

{% hint style="warning" %}
NSX Edge core services do not start unless you enter passwords meeting these requirements:

* At least 12 characters
* At least one uppercase letter
* At least one lowercase letter
* At least one digit
* At least one special character
* At least five different characters
{% endhint %}

* In the **Network Properties** section, do the following:

  * Set the **Hostname**.
  * Set the **Management Network IPv4 Address**. This is the management IP for the autonomous edge.
  * Set the **Management Network Netmask**. This is the management network prefix length.
  * Set the **Default IPv4 Gateway**. This is the default gateway of the management network.

  <figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2F5UTwKNjbGAB9DFBZWqgE%2Fimage.png?alt=media&#x26;token=5d617d6a-6e80-46a3-b4b5-904843e12b8b" alt=""><figcaption></figcaption></figure>
* In the **DNS** section, do the following:
  * In the **DNS Server list** field, enter the DNS server IP addresses separated by spaces.
  * In the **Domain Search List** field, enter the domain name.
* In the **Services Configuration** section, do the following:
  * Enter the **NTP Server List**.
  * Enter the **NTP Servers**, separated by spaces.
  * Select the **Enable SSH** checkbox.
  * Select the **Allow Root SSH logins** checkbox.
* Leave the **External** section empty.
* In the **HA** section, do the following:

  * Enter the **HA Port** details in the following format: VLAN\_ID, Exit Interface, IP, Prefix Length. For example: *137,eth2,192.168.137.81,24*. Replace the following values:
    * VLAN ID: VLAN ID of the uplink VLAN
    * Exit Interface: interface ID reserved for uplink traffic
    * IP: IP address reserved for the uplink interface
    * Prefix Length: prefix length for the uplink network
  * In the **HA Port Default Gateway** field, enter the default gateway of the management network.
  * Select the **Secondary API Node** checkbox.
  * In the **Primary Node Management IP** field, enter the management IP address of the primary autonomous edge.
  * In the **Primary Node Username** field, enter the username of the primary autonomous edge (for example, "admin").
  * In the **Primary Node Password** field, enter the password of the primary autonomous edge.
  * In the **Primary Node Management Thumbprint** field, enter the API thumbprint of the primary autonomous edge.

> To get the thumbprint, connect to the primary autonomous edge over SSH with the admin credentials and run the command **get certificate api thumbprint**.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FzdFI6aQrn8WFCNMtMInV%2Fimage.png?alt=media&#x26;token=de3b48e5-3240-41f4-ae8c-b3a844cd2c68" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2F48WgMhLDS61NfrhtBB0r%2Fimage.png?alt=media&#x26;token=35e4ea1e-986d-4cf4-a396-4e265e72808e" alt=""><figcaption></figcaption></figure>
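
A pre-flight check for the values entered in Step 2, as an added example (not VMware or HI GIO code): it tests a password against the requirements in the warning above and parses the **HA Port** string. The function names, the reading of "special character" as ASCII punctuation, the same-subnet check, and the secondary node's HA Port string (built from the table's 192.168.137.82) are assumptions.

```python
import ipaddress
import string

def password_problems(pw):
    """Return the requirements from the warning that `pw` fails."""
    checks = [
        ("at least 12 characters", len(pw) >= 12),
        ("an uppercase letter", any(c.isupper() for c in pw)),
        ("a lowercase letter", any(c.islower() for c in pw)),
        ("a digit", any(c.isdigit() for c in pw)),
        # Assumption: "special character" means ASCII punctuation.
        ("a special character", any(c in string.punctuation for c in pw)),
        ("at least five different characters", len(set(pw)) >= 5),
    ]
    return [name for name, ok in checks if not ok]

def parse_ha_port(value):
    """Parse 'VLAN_ID,Exit Interface,IP,Prefix Length' into its fields."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError("expected 4 comma-separated fields, got %d" % len(parts))
    vlan, iface, ip, prefix = parts
    if not vlan.isdigit() or int(vlan) > 4094:
        raise ValueError("invalid VLAN ID: %r" % vlan)
    if not iface:
        raise ValueError("exit interface is empty")
    if not prefix.isdigit():
        raise ValueError("prefix length must be a number: %r" % prefix)
    # ip_interface() rejects malformed addresses and out-of-range prefixes.
    addr = ipaddress.ip_interface("%s/%s" % (ip, prefix))
    return {"vlan": int(vlan), "iface": iface, "addr": addr}

def ha_pair_problems(primary, secondary):
    """Compare the HA Port strings of both nodes; return a list of problems."""
    a, b = parse_ha_port(primary), parse_ha_port(secondary)
    problems = []
    if a["addr"].ip == b["addr"].ip:
        problems.append("both nodes use the same HA IP")
    # Assumption: both HA IPs share one subnet, as in the table above.
    if a["addr"].network != b["addr"].network:
        problems.append("HA IPs are in different subnets")
    return problems

if __name__ == "__main__":
    # Primary string is the page's example; the other values are constructed.
    print(password_problems("Aa1!Aa1!Aa1!"))
    print(ha_pair_problems("137,eth2,192.168.137.81,24",
                           "137,eth2,192.168.137.82,24"))
```
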
{% endstep %}

{% step %}
**Step 3:** Complete the remaining OVF template deployment steps to deploy the secondary autonomous edge (on-premises Layer 2 VPN client).

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FJliAllYWqHWCOvS6QDbO%2Fimage.png?alt=media&#x26;token=358308c4-fb14-4392-b519-cc7b0b754573" alt=""><figcaption></figcaption></figure>

Power on the secondary NSX autonomous edge.
{% endstep %}

{% step %}
**Step 4:** Validate:

Allow a few minutes for the nodes to sync.

Log in to both NSX autonomous nodes and check the High Availability and L2VPN status.

* Primary node:

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2Fp6OBJMktNwekVu25QwwN%2Fimage.png?alt=media&#x26;token=b7ef9ad0-f042-473c-be42-af277b2dc7b9" alt=""><figcaption></figcaption></figure>

* Secondary node:

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FWGE5xtGwAg6dNs0cwPhX%2Fimage.png?alt=media&#x26;token=c2a28d18-89d7-4a77-b245-dfc8562346f2" alt=""><figcaption></figcaption></figure>

* The Port ID, Tunnel ID, and exit interfaces are the same on both nodes.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FagBZwfMpJmqbYeW37uCm%2Fimage.png?alt=media&#x26;token=511dcd1a-0659-41b3-9ebc-605518b20a00" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Step 5:** Failover test:

To test the NSX autonomous failover:

* Ping from on-premises to HI GIO cloud.
* Shut down the NSX autonomous primary node.
* Result: the NSX autonomous secondary status changes to ACTIVE, with L2 VPN = UP.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FALje97qfCE35vfKClZL8%2Fimage.png?alt=media&#x26;token=f9734170-2aa6-4580-ab91-5fa2f0caa025" alt=""><figcaption></figcaption></figure>

The connection drops for approximately 5-10 seconds.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FQjMMQIEZ5jP2Ac8rCio1%2Fimage.png?alt=media&#x26;token=a775164a-1204-4b5a-b5a3-de8d7564ff35" alt=""><figcaption></figcaption></figure>

After the NSX autonomous primary node is powered on again, the HA status between the nodes is re-established. The secondary edge remains active, and the primary becomes active only in case of an additional failure.

<figure><img src="https://3953927389-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fbvay7AR0CH8vZKgD3dSy%2Fuploads%2FVeOudgTJSOh4KSWlDQDf%2Fimage.png?alt=media&#x26;token=892640e6-5240-4ba3-a706-b419715e0c28" alt=""><figcaption></figcaption></figure>
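
To put a number on the connection drop in the failover test, the following added example (not part of the original procedure) parses timestamped output from Linux `ping -D` and reports the longest gap between replies. The function name, the target address 192.0.2.10 and the sample output are constructed for illustration.

```python
import re

# A reply line from Linux `ping -D` looks like:
# [1700000000.500000] 64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=1.21 ms
REPLY = re.compile(r"^\[(\d+\.\d+)\] .*icmp_seq=(\d+) .*time=")

def longest_outage(ping_output):
    """Return (seconds, lost_probes) for the longest gap between replies."""
    replies = []
    for line in ping_output.splitlines():
        m = REPLY.match(line.strip())
        if m:  # error lines such as "Destination Host Unreachable" are skipped
            replies.append((float(m.group(1)), int(m.group(2))))
    worst = (0.0, 0)
    for (t0, s0), (t1, s1) in zip(replies, replies[1:]):
        lost = s1 - s0 - 1  # probes sent between two consecutive replies
        if lost > 0 and t1 - t0 > worst[0]:
            worst = (round(t1 - t0, 2), lost)
    return worst

# Constructed sample: the primary node is shut down after icmp_seq=3.
SAMPLE = """\
[1700000000.500000] 64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=1.21 ms
[1700000001.500000] 64 bytes from 192.0.2.10: icmp_seq=2 ttl=64 time=1.18 ms
[1700000002.500000] 64 bytes from 192.0.2.10: icmp_seq=3 ttl=64 time=1.25 ms
[1700000006.500000] From 192.0.2.1 icmp_seq=5 Destination Host Unreachable
[1700000010.500000] 64 bytes from 192.0.2.10: icmp_seq=11 ttl=64 time=2.02 ms
[1700000011.500000] 64 bytes from 192.0.2.10: icmp_seq=12 ttl=64 time=1.30 ms
"""

if __name__ == "__main__":
    seconds, lost = longest_outage(SAMPLE)
    print("longest outage: %.2f s (%d probes lost)" % (seconds, lost))
```
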
{% endstep %}
{% endstepper %}
