Atul_S
Staff & Editor
June 3, 2026

Technical Tip: Oracle Cloud SDN-Connector (ocid daemon) source-IP behaviour in FortiGate-VM HA (A-P)


Description

This article explains which source IP the ocid daemon uses for OCI API calls in a FortiGate-VM Active-Passive HA pair (always the IP address of a VNIC registered on the instance) and how to proceed after a failover when the daemon is not using the expected address.

Scope

FortiGate VM.

Solution

On the unit that is in the primary state, the daemon binds to the IP address of the HA-management NIC (the interface configured with set ha-mgmt-interface).


After a failover, the secondary unit becomes primary. The daemon re‑initialises, discovers the VNIC list of the new instance, and re‑binds to the IP address attached to the management NIC of the new primary.

  • On the primary FortiGate: the daemon logs "ocid refreshing IP info of the instance". It is actively communicating with the OCI metadata service and API.

  • On the secondary FortiGate: the daemon sleeps and does not execute API calls, logging "ocid running in secondary mode; won't update".


The secondary's log entry is not an error; it is the secondary FortiGate confirming that it is currently the passive unit and is intentionally standing down to avoid conflicting with the primary unit's API calls.


If, after the failover, the daemon is still using an IP that is not present on any VNIC of the new primary (for example, the data-NIC address or an old cached address), OCI rejects the request.


As a result, the floating secondary private IP is never moved to the new primary, and the SDN connector appears 'stuck'.


The expected behaviour, documented in the OCI SDN‑connector guide, is that the source IP of every OCI request always matches a private IP that is attached to a VNIC on the active FortiGate‑VM.


Verification commands:

  • get system ha - show the HA configuration
  • show system ha | grep ha-mgmt-interface - show which interface is the HA-management interface
  • show system sdn-connector - show the SDN-connector configuration
  • diagnose test application ocid 1 - test OCI connectivity
  • diagnose debug enable, then diagnose debug application ocid -1 - debug the source-IP binding (run diagnose debug disable when finished)


In OCI HA, the ocid daemon always uses the IP address of the NIC configured as the HA-management interface. After a failover, it rebinds to the same-named NIC on the new primary. If the daemon ends up using any other IP, OCI rejects the request and the floating secondary private IP does not move.
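As an added example (not Fortinet's code), the following Python script checks the source IP reported by the ocid debug output against the VNICs attached to the instance, distinguishing the expected HA-management IP from an address on another VNIC and from an address on no VNIC at all. The metadata endpoint URL and its required header are real; the VNIC sample and the assumption that the management NIC is nicIndex 0 are constructed for the example.

```python
"""Added check (not Fortinet's code): is the IP the ocid daemon binds to
attached to a VNIC of this instance, and is that VNIC the HA-management NIC?"""
import ipaddress
import json
import urllib.request

# OCI instance metadata v2 endpoint that lists the instance's VNICs
# (a real endpoint; v2 requires the "Authorization: Bearer Oracle" header).
VNICS_URL = "http://169.254.169.254/opc/v2/vnics/"

# Constructed sample of that endpoint's response; every value is made up.
SAMPLE_VNICS_JSON = """[
  {"vnicId": "ocid1.vnic.oc1..EXAMPLE-mgmt", "privateIp": "10.0.0.10",
   "nicIndex": 0, "subnetCidrBlock": "10.0.0.0/24"},
  {"vnicId": "ocid1.vnic.oc1..EXAMPLE-data", "privateIp": "10.0.1.10",
   "nicIndex": 1, "subnetCidrBlock": "10.0.1.0/24"}
]"""

def fetch_vnics_json(timeout: float = 3.0) -> str:
    """Fetch the live VNIC list; only works when run on the OCI instance."""
    req = urllib.request.Request(VNICS_URL, headers={"Authorization": "Bearer Oracle"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

def vnic_private_ips(vnics_json: str) -> dict:
    """Map each VNIC's primary private IP to its nicIndex."""
    return {v["privateIp"]: int(v["nicIndex"]) for v in json.loads(vnics_json)}

def classify_source_ip(source_ip: str, vnics_json: str, ha_mgmt_nic_index: int) -> str:
    """Classify the source IP seen in 'diagnose debug application ocid -1'.

    'ok'           - private IP of the HA-management VNIC (expected behaviour)
    'wrong-vnic'   - attached to this instance, but on another VNIC (e.g. data NIC)
    'not-attached' - on no VNIC of this instance (stale or cached address);
                     this is the case in which OCI rejects the request
    """
    ipaddress.ip_address(source_ip)  # raises ValueError on a malformed address
    ips = vnic_private_ips(vnics_json)
    if source_ip not in ips:
        return "not-attached"
    if ips[source_ip] != ha_mgmt_nic_index:
        return "wrong-vnic"
    return "ok"

if __name__ == "__main__":
    # Walk the three cases against the constructed sample (mgmt NIC is nicIndex 0).
    for ip in ("10.0.0.10", "10.0.1.10", "10.0.0.99"):
        print(ip, "->", classify_source_ip(ip, SAMPLE_VNICS_JSON, 0))
```

On a live instance, replace SAMPLE_VNICS_JSON with fetch_vnics_json() and pass the source IP taken from the ocid debug output.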


Align the HA‑management interface, attach the floating IP to that NIC, and enable HA on the SDN‑connector (preferably with IAM metadata) to obtain the expected source‑IP behaviour.


If the issue persists, contact Fortinet Support for further assistance.