A Proxmox HA cluster sounds like an obvious win. Three nodes, shared storage, a VM that “just restarts somewhere else” when a host dies. The marketing version is clean.
The operational reality is different, and this is where most operators get caught. A Proxmox HA cluster is one of the largest complexity budget additions you can make to a Proxmox stack. Done right, it survives node failure with a 1–2 minute service interruption. Done partially, it manufactures outages your single-node setup never had. The decision to deploy a Proxmox HA cluster is not a tick-box in the GUI; it’s an architectural commitment with ongoing costs that compound the moment the network does something unexpected.
This is a decision guide. It will not walk through the GUI clicks to enable HA. Proxmox documentation does that well. It covers the operational reality: when HA is worth the budget, when it’s the wrong choice, what the requirements actually mean, and which misconfigurations consistently bite operators in community reports. If you haven’t yet worked through Proxmox fundamentals, the What is Proxmox VE overview is the better starting point. HA sits on top of a working single-node understanding, not as an entry point.
Best for most homelabs:
Don’t use HA. Use cold standby + tested restore from PBS.
HA is worth it when:
- 3+ physical nodes with shared storage already in place
- Dedicated Corosync network exists (or can be built)
- Workloads where 1 to 2 minute auto-failover beats 15 to 30 minute manual restore
- You will actually test fencing behavior before relying on it
Should you use a Proxmox HA cluster? Decision matrix
| Scenario | Use HA? | Better alternative |
|---|---|---|
| Single-node homelab | No | PBS restore from backup |
| 2-node mini-PC cluster | Usually no | Cold standby + ZFS replication |
| 3-node SMB with shared storage | Yes | Standard HA cluster |
| Mixed-hardware experiment cluster | No | Manual failover or scripted recovery |
| GPU passthrough workloads | Usually no | Manual failover, hardware-pinned VMs |
| Hyperconverged Ceph cluster | Yes | HA is a native fit for Ceph |
| Always-on services (DNS, AD, home automation) | Worth considering | HA only if Corosync requirements are met |
This is the fast-scan version of the rest of this article. The detailed reasoning behind each row follows below.
TL;DR
- HA requires at least 3 nodes for reliable quorum, since 2-node clusters need a QDevice as a tie-breaker
- Corosync needs a low-latency, low-jitter network: ideally a dedicated NIC, never shared with storage or backup traffic
- Without fencing, HA is unsafe. Proxmox uses software watchdog by default, which works, but operators must understand what it does
- HA without testing is a checkbox, not high availability. Community consensus is unanimous on this
- Switch reboots, NIC saturation, and Corosync link flaps will fence healthy nodes if the network design is wrong
- HA is the wrong choice for: workloads that tolerate 15-minute restore, single-node homelabs, mixed-hardware experiments, anything where storage isn’t already shared
What a Proxmox HA cluster actually does (and doesn’t)
Proxmox HA is a system that automatically restarts VMs and containers on a surviving cluster node when their original host fails. It does this through three components working together:
- Cluster Resource Manager (CRM) makes cluster-wide decisions about where resources should run
- Local Resource Manager (LRM) executes start/stop commands on each node
- Watchdog (hardware or softdog) forcibly resets a node that can no longer prove it has quorum
Proxmox documentation describes the HA manager architecture in the official HA chapter, which is the authoritative reference.
What HA does not do:
- It does not protect against application-level failure inside a VM. If your database corrupts itself, HA will happily restart the corruption on another node.
- It does not eliminate downtime. A fenced node and its VMs are unavailable for roughly 1 to 2 minutes during recovery, sometimes longer.
- It does not protect against storage failure. If your shared storage dies, every HA-managed VM dies with it.
- It does not protect against split-brain corruption automatically. That protection comes from quorum and fencing. Skip those, and HA actively makes things worse than no HA at all.
The mental model worth keeping: HA is a node-failure response system, not a magic uptime button.
What actually causes Proxmox HA cluster outages
Before diving into individual requirements, here is what consistently breaks HA clusters in community reports. Most outages trace back to one of these root causes:
| Cause | Result |
|---|---|
| Switch reboot during maintenance | Node fencing, cluster-wide reboot |
| Shared Corosync + storage/backup NIC | Random failover under load |
| Quorum loss (no majority) | Cluster /etc/pve becomes read-only |
| High or unstable network latency | Corosync instability, sporadic fencing |
| Same-subnet Corosync rings | Redundancy fails when one switch dies |
| HA enabled without fencing testing | Failover behaves unpredictably in real failures |
Each row maps to a section below. The pattern: HA failures are almost never about HA itself — they’re about Corosync network design and operator assumptions that don’t survive contact with reality.
The complexity budget of a Proxmox HA cluster
Every Proxmox HA cluster addition spends operational budget you didn’t pay before:
- Diagnostic complexity goes up. A VM that “just rebooted” can now mean any of: VM crash, host crash, network partition, fencing event, QDevice flap, watchdog timeout, or storage glitch.
- Maintenance procedures change. Pulling a node for hardware work requires
ha-manager crm-command node-maintenance enable <node>first. Just shutting it down can trigger HA failover. - Network changes become risky. Switch firmware updates, VLAN migrations, and NIC driver changes can fence healthy nodes if Corosync paths are affected.
- Storage requirements harden. HA without shared storage that all nodes can see is not HA. It’s automatic loss of data. ZFS replication is an alternative path with different trade-offs.
HA’s setup cost is moderate. Its ongoing cost is significant. The honest question to ask before enabling HA: do my workloads actually need automatic failover, or does my current PBS restore process get the same business outcome with simpler operations? For most homelabs, the answer is “PBS restore is fine.”
Quorum: why three nodes is not optional
Quorum is the majority-vote system that lets a cluster make decisions safely. The Proxmox VE wiki states the requirement explicitly: HA needs at least three nodes for reliable quorum. This is a structural requirement of how Corosync works, not a guideline. Operators searching for “Proxmox HA requirements” land on this constraint first, because it determines whether HA is even possible in their setup.
The reasoning, simplified:
- Each node has 1 vote (by default)
- To make decisions, a partition must hold a majority of votes
- With 2 nodes, a network split produces two 1-vote partitions. Neither has majority, and both refuse to make decisions to avoid split-brain
- With 3 nodes, a network split produces a 2-vote and 1-vote partition. The 2-vote side has majority, so it can safely take over
Without majority, the cluster file system /etc/pve flips into read-only protective mode. This is correct behavior. Letting both partitions write configuration independently is how you get permanent config corruption. But many operators read “Proxmox is down” when only writes are blocked, and try to “fix” it by forcing operations that compound the damage.
The canonical command to inspect cluster health is pvecm status. A healthy 3-node cluster returns output similar to:
$ pvecm status
Cluster information
-------------------
Name: racknotes-cluster
Config Version: 3
Transport: knet
Secure auth: on
Quorum information
------------------
Date: Thu May 28 14:22:11 2026
Quorum provider: corosync_votequorum
Nodes: 3
Node ID: 0x00000001
Ring ID: 1.42
Quorate: Yes
Votequorum information
----------------------
Expected votes: 3
Highest expected: 3
Total votes: 3
Quorum: 2
Flags: QuorateThe line that matters most operationally is Quorate: Yes. If that flips to No, the cluster cannot make HA decisions and /etc/pve becomes read-only until quorum returns.
Practical quorum sizes:
| Cluster size | Quorum needed | Survives loss of |
|---|---|---|
| 2 nodes | 2 (no majority possible) | 0 nodes — needs QDevice |
| 3 nodes | 2 | 1 node |
| 4 nodes | 3 | 1 node (even sizes provide no advantage) |
| 5 nodes | 3 | 2 nodes |
| 7 nodes | 4 | 3 nodes |
Odd numbers always beat the next even number. Use odd-numbered clusters whenever possible.
The 2-node case: QDevice as a workaround
Some homelabs and small offices only have two physical nodes and can’t justify a third. Proxmox supports a QDevice — an external Debian/Ubuntu host running corosync-qdevice — to act as a tie-breaker vote.
Common QDevice patterns from community reports:
- A Raspberry Pi 4 running Debian (low power, separate hardware)
- An always-on NAS that supports Debian containers
- A small VPS specifically dedicated to quorum voting
The QDevice does not run VMs and does not need cluster-grade hardware. It needs to be independently powered, independently networked, and reachable from both real cluster nodes. A QDevice on the same UPS and switch as one of the cluster nodes provides only theatrical redundancy.
For homelabs that genuinely want HA, three real nodes is usually the cleaner path than 2-node + QDevice.
Corosync: the network requirement that catches operators
Corosync is the cluster communication layer. Every HA decision flows through it. Its requirements are not aggressive on bandwidth (1 Gbps is plenty), but they are uncompromising on latency and jitter.
The Proxmox VE Cluster Manager documentation specifies UDP ports 5405-5412 for Corosync, time synchronization across all nodes, and a dedicated Corosync network as the recommended baseline.
What Corosync actually needs
- Low latency between nodes, with community guidance suggesting under ~5ms, and stable latency mattering more than absolute number
- Low jitter, since Corosync treats latency spikes as link failure
- Dedicated path, since sharing with storage, backup, or migration traffic eventually causes problems
- Redundancy via multiple links, not via bonding
That last point catches a lot of operators. The intuitive design (“bond two NICs for redundancy”) is wrong for Corosync. Bonding hides link failure from Corosync and adds latency variability. The correct pattern is two independent network interfaces configured as separate Corosync rings (Link 0 and Link 1), letting Corosync handle failover at the protocol level.
Switch maintenance causes cluster reboot
A Proxmox forum thread from April 2021 documented a specific failure pattern. An operator running a Proxmox + Ceph HCI cluster scheduled switch maintenance. They had two Corosync links on separate physical switches, expecting that shutting down one switch at a time would keep the cluster quorate. The first switch shutdown went cleanly. After bringing it back up and shutting down the second switch, all cluster nodes rebooted.
The root cause identified in the thread: both Corosync links were configured in the same subnet, meaning only one NIC was actually used in the routing table. When that NIC’s switch went down, Corosync had no genuine fallback. The Proxmox developer response recommended placing each Corosync link in its own dedicated subnet so each NIC becomes the route for its own network, making the redundancy real instead of theoretical.
The wider lesson: HA-enabled nodes that lose connection to the quorum partition for more than 2 minutes will fence themselves. This is documented Proxmox behavior, and it surprises operators who haven’t tested switch-failure scenarios before relying on HA in production.
Realistic Corosync network designs
| Tier | Pattern | Trade-off |
|---|---|---|
| Single NIC (not recommended for HA) | Everything shares one interface | Works until network gets busy — then HA causes outages it was meant to prevent |
| Dedicated Corosync NIC | One NIC for cluster traffic only | Solves 90% of the problem; standard small-business pattern |
| Dual independent Corosync NICs | Two NICs, two switches, separate subnets | Production-grade redundancy; Corosync handles failover natively |
| Bonded NICs for Corosync | LACP bond for the cluster network | Not recommended — bonding hides failures Corosync needs to see |
For a homelab seriously planning HA: budget at minimum for a dedicated 1 GbE NIC per node for the corosync dedicated network.
Fencing: the safety mechanism most operators misunderstand
Fencing is what makes HA safe. It is the mechanism that guarantees a failed node is actually offline before its workloads start somewhere else. Without proper Proxmox fencing, two nodes can simultaneously believe they own the same VM disk, and the resulting writes corrupt data permanently. This is what operators call split brain, and it’s the failure mode HA is specifically designed to prevent.
Community consensus on this is consistent across years of forum threads: no fencing, no HA. A Proxmox developer summarized it directly in an August 2020 forum response: clustering without fencing is fine if you don’t enable HA features, but enabling HA without fencing means “you get to keep the pieces as well when (not if) something breaks.”
How Proxmox actually fences
By default, Proxmox uses a software watchdog (softdog) that runs in the Linux kernel on every node. The mechanism is simple and reliable:
- The
watchdog-muxservice must keep “petting” the watchdog at regular intervals - The watchdog will only be petted if the node still has quorum (or can prove its HA stack is healthy)
- If the node loses quorum and cannot prove healthy operation for roughly 2 minutes, the watchdog times out
- The kernel hard-resets the node. Not a graceful shutdown, an immediate reset
This is a “suicide” mechanism rather than an external “STONITH” mechanism. The node fences itself, rather than another node shooting it.
A reinforcing pattern from an October 2022 forum thread: a 9-host Proxmox cluster with 4 separate Corosync rings still experienced cluster-wide reboots after a single ring failure. The Proxmox team’s explanation pointed to the underlying principle: a non-quorate partition cannot reliably determine whether a quorate partition exists elsewhere, so the conservative default is always to fence. Redundant rings reduce fencing probability but cannot eliminate it. That’s a design feature, not a bug.
Hardware watchdog vs softdog
For most homelab and small-business deployments, softdog (the default) is sufficient. Hardware watchdog through IPMI or motherboard support is more resilient against kernel-level hangs and matters more for high-stakes production environments with specific compliance requirements.
The misconception that bites operators
Many operators believe: “If I disable HA on this node, the watchdog won’t reset it.”
This is not how it works. A November 2023 Proxmox forum thread clarified the actual behavior: the watchdog-mux service runs and the watchdog is armed whenever the HA stack has been active on a node, even after HA resources are removed, until the node is rebooted or watchdog-mux is gracefully stopped. The thread author noted that this isn’t explicitly stated in the official documentation, which contributes to the confusion.
Practical consequence: a node that ever ran HA workloads can fence itself during a network event, even if no HA-managed VMs currently live on it. This surprises operators who assumed removing HA resources removed the fencing risk.
HA groups and resource priorities
Once HA is running, the HA manager treats every node as eligible by default. In real deployments, this is rarely what you want. HA groups let you control where resources can run and which nodes are preferred.
The patterns operators actually use:
- Pinning workloads to subsets of nodes: for example, GPU-passthrough VMs that can only run on nodes with the right hardware
- Restricted groups: VMs may only fail over to listed nodes, never to others
- Priorities: preferred node ordering for where a resource should land first
nofailback: once a resource has failed over, don’t migrate it back automatically when the original node returns. The operator decides when to rebalance
For a homelab, default groups are usually fine. For mixed-hardware clusters, explicit groups prevent the HA manager from making placement decisions that work technically but fail operationally.
When a Proxmox HA cluster is the wrong choice
A Proxmox HA cluster is not the right answer for many setups that get sold on it:
- Single-node homelabs. HA requires 3 nodes minimum. Adding nodes just to enable HA spends complexity budget for theatrical reliability.
- Workloads that tolerate 15 to 30 minute restore. PBS restore is simpler and reaches the same business outcome.
- Mixed hardware experiments. Clusters where nodes have different CPU generations, storage backends, or network capability are HA-hostile.
- Storage that isn’t actually shared. A single NAS without redundancy means the NAS becomes the single point of failure HA was supposed to eliminate.
- Environments without dedicated Corosync paths. HA on a saturated single-NIC network reliably fences itself during normal operations.
- Operators who won’t test failure. Untested HA fails when you need it, predictably.
The honest rule of thumb: HA earns its complexity budget when your mean time to manual recovery is meaningfully higher than 2 minutes AND your hardware/network design actually supports the requirements. Otherwise, cold standby plus tested PBS restore produces better real-world availability.
Common Proxmox HA cluster misconfigurations
These are the patterns that consistently break clusters in community reports.
- Check Corosync network is dedicated, not shared with VM/storage/backup traffic
- Verify network switch isn’t introducing spanning-tree delays during link events
- Confirm time synchronization across all nodes (
chronyc sourcesortimedatectl) - Review
/var/log/daemon.logfor Corosync retransmit warnings (orjournalctl -u corosync -n 200for recent entries) - Test latency between nodes under load (
ping -c 100 -i 0.1 <node>)
- Verify Corosync has a second ring on an independent path (Link 1) in a separate subnet
- Check whether HA-managed VMs ever ran on the rebooting nodes — watchdog-mux remains armed
- Plan switch reboots during scheduled HA maintenance windows using
ha-manager crm-command node-maintenance enable <node>per node first - Confirm switch upgrade procedure doesn’t cause prolonged link drop
- Confirm QDevice is configured and reachable from both nodes
- Verify QDevice is on independent power and independent network path
- Check
pvecm statusshows expected vote count (Total votesshould equalExpected votes) - Review QDevice logs on the external host — it’s a service that can fail silently
A Proxmox HA cluster is not a backup strategy
This deserves its own callout because it’s one of the most consistently misunderstood points in Proxmox operations.
HA protects uptime
- Node failure recovery
- Auto-restart on surviving host
- 1–2 min downtime
- Hardware death tolerance
Backups protect data
- Accidental deletion
- Ransomware encryption
- File corruption
- Configuration mistakes
A clean HA failover preserves running state across node failure. It does nothing for:
- Accidental VM deletion
- File system corruption inside a guest
- Ransomware encryption of running VM disks
- Mistaken
rm -rfon shared storage - Storage controller failure that propagates to all nodes simultaneously
Any production-grade setup needs both: HA for fast recovery from node failure, and PBS for everything else. Treating HA as “good enough so we don’t need backups” is one of the fastest paths to a permanent data loss event. The two systems solve genuinely different problems.
Coverage scope
This article reflects Proxmox VE 8.x behavior, kernel 6.8 / 6.11 cluster patterns, and community discussions through Q2 2026. Specific operational claims (watchdog behavior, fencing timing, quorum semantics) are based on Proxmox VE official documentation and forum discussions cited above. Performance numbers and specific recovery times depend heavily on hardware, network, and storage design and are presented as community-reported ranges rather than guaranteed values.
Failure recovery scenarios (split-brain recovery, ZFS pool death, detailed node-rebuild walkthroughs) are out of scope for this article.
FAQ
Do I need HA in a homelab?
Almost certainly not. PBS with tested restore covers the vast majority of homelab recovery scenarios with far less operational complexity. HA in a homelab makes sense as a learning exercise or when you have specific workloads (always-on services like home automation or DNS) where 1-minute downtime is genuinely better than 15-minute downtime. For most homelab purposes, cold standby is the right answer.
Can I run HA with 2 nodes?
Only with a QDevice as an external tie-breaker. The QDevice can be a Raspberry Pi, NAS, or VPS running Debian and corosync-qdevice. It must be on independent power and network from the cluster nodes. A 2-node + QDevice setup works, but a 3-node setup is usually simpler to reason about.
Does Proxmox HA require shared storage?
For traditional HA with live state preservation, yes. All cluster nodes must see the same underlying storage (NFS, iSCSI, Ceph, or similar). The alternative is HA with ZFS replication, where each node has its own storage and replication keeps a recent snapshot on another node. ZFS replication is simpler to deploy but means failover restarts the VM from the last replication point (typically minutes old), not from the exact moment of failure. Pick based on what your workloads tolerate.
What happens if Corosync fails?
Corosync failure produces different outcomes depending on whether HA is enabled. Without HA: VMs keep running, but /etc/pve becomes read-only and cluster operations (migration, configuration changes) are blocked until communication is restored. With HA: nodes that lose quorum visibility for ~2 minutes self-fence via watchdog, forcing a hard reboot. Their HA-managed VMs restart on surviving quorate nodes. This is why dedicated Corosync networking and tested failure scenarios matter more for HA setups than for plain clusters.
Do I need a separate physical network interface for Corosync?
For HA, yes. This is the recommended baseline in Proxmox documentation and consistent community guidance. Corosync is sensitive to latency and jitter, and sharing it with VM, storage, or backup traffic eventually causes problems. A dedicated 1 Gbps NIC is sufficient. Bandwidth isn’t the bottleneck, predictable low latency is. For clusters without HA enabled, sharing is technically possible but creates the same latency exposure if HA is ever turned on later.
Can Proxmox HA work over Wi-Fi?
No. Wi-Fi cannot deliver the latency stability and jitter characteristics Corosync requires. Even brief interference, channel switching, or AP roaming events can spike latency beyond Corosync timeouts, triggering false fencing events. HA needs wired Ethernet, ideally on a dedicated physical network. Wi-Fi may work for a non-HA cluster’s management interface, but it’s not viable for the Corosync ring.
How much downtime does Proxmox HA have?
Typical Proxmox HA cluster recovery from node failure is roughly 1 to 2 minutes from the moment of failure to VMs running on a surviving node. The breakdown: ~60 seconds for the failed node’s watchdog to time out and trigger fencing, then another 30 to 60 seconds for the CRM to detect the loss, select a target node, and have the LRM start the VMs. Actual numbers vary with cluster size, storage backend, and VM count. Heavier VMs and slower storage extend the second phase. HA never delivers zero downtime; it delivers fast bounded downtime.
What hardware works as a QDevice?
Any Debian or Ubuntu host capable of running the corosync-qdevice package. Common choices include Raspberry Pi 4 (low power, separate hardware), an always-on NAS that supports Debian containers (Synology with Container Manager, TrueNAS jails), or a small VPS dedicated to quorum voting. The QDevice does not run VMs and has minimal resource requirements. 1 vCPU and 1-2 GB RAM is plenty. The non-negotiable requirements are independent power and independent network path from the cluster nodes.
Why does my Proxmox cluster reboot when switches go down?
HA-enabled nodes fence themselves when Corosync can’t establish quorum within roughly 2 minutes. If switch maintenance or reboot disrupts Corosync, surviving nodes can trigger watchdog reset. Solution: dedicated Corosync network with a redundant ring on independent hardware in a separate subnet, plus scheduled HA maintenance mode (ha-manager crm-command node-maintenance enable <node>) before any planned network work.
Is software watchdog (softdog) sufficient, or do I need hardware watchdog?
For homelabs and most SMB deployments, softdog is sufficient. Hardware watchdog matters more for high-stakes production environments where kernel-level hangs could in theory prevent softdog from triggering. Both work; softdog is the practical default.
Should I bond NICs for the Corosync network?
No. Bonding hides link failures that Corosync needs to detect, and adds latency variability. Use two independent NICs configured as separate Corosync rings (Link 0, Link 1) in separate subnets instead. Corosync handles failover natively at the protocol level, better than bonding.
My cluster has 4 nodes. Should I add or remove one?
Generally, prefer odd-numbered clusters. A 4-node cluster tolerates the same single-node loss as a 3-node cluster but adds management overhead. Going to 5 nodes increases failure tolerance; going back to 3 simplifies operations. Adding a QDevice to a 4-node cluster to make it effectively 5-vote is an option, though less common.
Final thoughts
Proxmox HA is a legitimate, well-engineered system that solves a real problem: automatic recovery from node failure with minimal downtime. It is also one of the largest complexity budget additions you can make to a Proxmox stack.
For the operator deciding whether HA is right for them, the questions worth answering honestly:
- Is my mean time to manual recovery meaningfully higher than 2 minutes?
- Do I have (or can I build) a dedicated Corosync network?
- Will I actually test fencing behavior, including the failure modes that surprise people?
- Is shared storage a real architectural piece of my setup, or am I trying to retrofit HA onto a storage design that doesn’t support it?
If those answers are yes, HA earns its complexity. If they’re no, simpler patterns (cold standby, scheduled PBS restore drills, single-node operation with good backups) produce better real-world availability than partial Proxmox HA cluster implementations.
The most reliable Proxmox setups are the ones operators understand fully. HA is worth understanding before deploying it. Sometimes the right outcome of that understanding is “not yet.”