Technical Tip: Cluster is not forming if heartbeat interfaces have sniffer mode enabled
Description
If an existing device will become part of a cluster, make sure the heartbeat interface does not have sniffer mode enabled. Adding such an interface to the HA config is possible, but it will not be used to form a cluster.
Solution
If a port is used in a firewall sniffer config and is later added as a heartbeat interface for an HA setup, it will not send HA control packets.
Example:
#config system ha
set group-name "fortinet_cluster"
set mode a-p
set password test
set hbdev "port4" 50
set override enable
end
Below is the status of the cluster. The slave is not discovered:
#get sys ha status
HA Health Status:
WARNING: FGT3HD*********1 has hbdev down;
Model: FortiGate-300D
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:1:19
Cluster state change time: 2019-11-07 06:38:25
Master selected using:
<2019/11/07 06:38:25> FGT3HD*********1 <----- is selected as the master because it's the only member in the cluster.
ses_pickup: disable
override: enable
System Usage stats:
FGT3HD*********1(updated 4 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=26%
HBDEV stats:
FGT3HD*********1(updated 4 seconds ago):
port4: physical/00, down, rx-bytes/packets/dropped/errors=0/0/0/0, tx=0/0/0/0
Master: FGT3HD*********1, FGT3HD*********1, cluster index = 0
number of vcluster: 1
vcluster 1: work 169.***.*.1
Master: FGT3HD*********1, operating cluster index = 0
The config of port4. Notice the ips-sniffer-mode enable setting:
#show sys int port4
config system interface
edit "port4"
set vdom "root"
set ips-sniffer-mode enable
set type physical
set snmp-index 6
next
end
Trying to disable it gives the following error:
#conf sys interface
edit port4
set ips-sniffer-mode disable
Cannot change sniff mode when the interface is used by a policy or a zone.
attribute set operator error, -1, discard the setting
Command fail. Return code -1.
Check the firewall sniffer config:
#show firewall sniffer
edit 1
set logtraffic all
set ipv6 enable
set non-ip enable
set interface "port4"
set application-list-status enable
set application-list "sniffer-profile"
set ips-sensor-status enable
set ips-sensor "sniffer-profile"
set av-profile-status enable
set av-profile "sniffer-profile"
set webfilter-profile-status enable
set webfilter-profile "sniffer-profile"
next
Delete the entry which contains the heartbeat port:
#config firewall sniffer
delete 1
Check the HA status again. The cluster is formed:
#get sys ha status
HA Health Status: OK
Model: FortiGate-300D
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:15:11
Cluster state change time: 2019-11-07 06:40:01
Master selected using:
<2019/11/07 06:40:01> FGT3HD*********0 <----- is selected as the master because it has the largest value of override priority.
<2019/11/07 06:25:02> FGT3HD*********0 <----- is selected as the master because it's the only member in the cluster.
ses_pickup: disable
override: enable
Configuration Status:
FGT3HD*********0(updated 0 seconds ago): in-sync
FGT3HD*********1(updated 7 seconds ago): in-sync
System Usage stats:
FGT3HD*********0(updated 0 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=26%
FGT3HD*********1(updated 7 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=26%
HBDEV stats:
FGT3HD*********0(updated 0 seconds ago):
port4: physical/1000full, up, rx-bytes/packets/dropped/errors=139366/1566/0/0, tx=3922815/2758/0/0
FGT3HD*********1(updated 7 seconds ago):
port4: physical/1000full, up, rx-bytes/packets/dropped/errors=75331/187/0/0, tx=11725/53/0/0
Master: FGT3HD*********0, FGT3HD*********0, cluster index = 0
Slave : FGT3HD*********1, FGT3HD*********1, cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Master: FGT3HD*********0, operating cluster index = 0
Slave : FGT3HD*********1, operating cluster index = 1
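The steps above can be turned into a pre-flight check that runs against a saved configuration before the unit is joined to a cluster. The following Python script is an added example, not part of this Fortinet tip or of FortiOS itself: it parses the plain-text "config / edit / set / next / end" layout of a FortiOS backup, reads the hbdev list from config system ha, and reports any heartbeat interface that either has ips-sniffer-mode enabled or is referenced by a firewall sniffer entry. The SAMPLE_CONFIG string is a constructed excerpt modelled on the port4 example above (port5 is a constructed second heartbeat with no conflict); the function names are my own.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample config, modelled on the tip above (not a real device backup).
SAMPLE_CONFIG = """\
config system ha
    set group-name "fortinet_cluster"
    set mode a-p
    set hbdev "port4" 50 "port5" 100
    set override enable
end
config system interface
    edit "port4"
        set vdom "root"
        set ips-sniffer-mode enable
        set type physical
    next
    edit "port5"
        set vdom "root"
        set type physical
    next
end
config firewall sniffer
    edit 1
        set logtraffic all
        set interface "port4"
        set ips-sensor-status enable
    next
end
"""

Sections = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_blocks(text: str) -> Sections:
    """Parse top-level FortiOS config sections into {section: {entry: {attr: tokens}}}.

    Attributes set directly under a section (no 'edit') live under entry ''.
    Nested 'config ... end' blocks inside an entry are skipped by tracking depth,
    so an inner 'end' does not close the outer section.
    """
    sections: Sections = {}
    section = None
    entry = ""
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles quoted values such as "port4"
        kw = tokens[0]
        if kw == "config":
            depth += 1
            if depth == 1:
                section = " ".join(tokens[1:])
                sections.setdefault(section, {}).setdefault("", {})
                entry = ""
        elif kw == "end":
            depth -= 1
            if depth == 0:
                section = None
        elif section is None or depth != 1:
            continue  # inside a nested block, or outside any section
        elif kw == "edit":
            entry = tokens[1]
            sections[section].setdefault(entry, {})
        elif kw == "next":
            entry = ""
        elif kw == "set":
            sections[section][entry][tokens[1]] = tokens[2:]
    return sections


def heartbeat_interfaces(sections: Sections) -> List[str]:
    """hbdev is a list of (interface, priority) pairs; return the interface names."""
    vals = sections.get("system ha", {}).get("", {}).get("hbdev", [])
    return vals[0::2]


def sniffer_mode_interfaces(sections: Sections) -> set:
    return {
        name
        for name, attrs in sections.get("system interface", {}).items()
        if name and attrs.get("ips-sniffer-mode", ["disable"])[0] == "enable"
    }


def firewall_sniffer_refs(sections: Sections) -> Dict[str, List[str]]:
    """Map interface name -> firewall sniffer entry ids that use it."""
    refs: Dict[str, List[str]] = {}
    for entry_id, attrs in sections.get("firewall sniffer", {}).items():
        if not entry_id:
            continue
        for iface in attrs.get("interface", []):
            refs.setdefault(iface, []).append(entry_id)
    return refs


def audit(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(heartbeat_interface, [problems])] for heartbeats that cannot carry HA traffic."""
    sections = parse_blocks(text)
    sniff = sniffer_mode_interfaces(sections)
    refs = firewall_sniffer_refs(sections)
    findings = []
    for hb in heartbeat_interfaces(sections):
        problems = []
        if hb in sniff:
            problems.append("ips-sniffer-mode enable")
        for eid in refs.get(hb, []):
            problems.append(f"referenced by firewall sniffer entry {eid}")
        if problems:
            findings.append((hb, problems))
    return findings


if __name__ == "__main__":
    for iface, problems in audit(SAMPLE_CONFIG):
        print(f"heartbeat {iface} will not send HA packets: " + "; ".join(problems))
```

Run it against a backup taken with the device's own config export and fix every reported interface (disable ips-sniffer-mode after removing the firewall sniffer entry, as shown above) before enabling HA; a clean run returns an empty list.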
