Technical Tip: FortiGate VM HA failover is not triggering as expected

Description

This article describes an issue where HA failover does not trigger as expected on FortiGate VM units that are not directly connected to the cluster.

Scope

FortiGate.

Solution

In this scenario, one of the interfaces in the HA link monitor goes down, but the HA failover still does not occur.


Monitor interfaces Port2 and Port3 are configured with 0.0.0.0/0 and do not have IP addresses assigned directly; instead, VLAN interfaces associated with them are configured with IP addresses.


For network units not directly connected to the cluster, configuring link-monitor configuration is required to trigger HA failover upon failure.

The HA priority for link-monitor is set to 1 by default.

Related document:
Technical Tip: Link-Monitor Explained 

In this scenario, the 'pingserver-monitor-interface' and 'pingserver-failover-threshold' were not defined under HA settings.


To ensure HA failover is triggered, the 'pingserver-failover-threshold' must be correctly configured under HA settings.


Note: The total link monitor HA priority must be equal to or greater than the failover threshold to trigger a failover.