smaruvala
Staff
December 12, 2024

Technical Tip: Unable to form the HA cluster in FortiGate due to case sensitivity of the Group Name

Description This article explains that the group name in the HA configuration is case-sensitive.
Scope FortiGate.
Solution
  • One of the conditions for establishing HA between 2 FortiGates is that both have the same Group name. The Group name is case-sensitive, so a mismatch in letter case will prevent the HA connection from coming up, and the user may experience a split-brain scenario.
  • For example, below is the HA configuration from 2 FortiGate devices. Even though the Group names are spelled the same, they do not match in letter case.

 

chameleon-kvm183 # show system ha
    config system ha
        set group-id 100
        set group-name "SAmple"
        set mode a-p
        set hbdev "port2" 0
        set override disable
    end


chameleon-kvm182 # show system ha
    config system ha
        set group-id 100
        set group-name "Sample"
        set mode a-p
        set hbdev "port2" 0
        set override disable
    end

 

  • The HA status output from both devices shows that each device considers itself the master, which leads to a split-brain scenario.

 

chameleon-kvm182 # get system ha status
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA A-P
Group Name: Sample
Group ID: 100
Debug: 0
Cluster Uptime: 0 days 0h:1m:21s
Cluster state change time: 2024-12-11 22:08:06
Primary selected using:
<2024/12/11 22:08:06> vcluster-1: xxxxxxxxxxxxxxxxxxx is selected as the primary because it's the only member in the cluster.
<2024/12/11 22:07:55> vcluster-1: xxxxxxxxxxxxxxxxxxx is selected as the primary because it's the only member in the cluster.
ses_pickup: disable
override: disable
System Usage stats:
xxxxxxxxxxxxxxxxxxx(updated 4 seconds ago):
sessions=18, average-cpu-user/nice/system/idle=2%/0%/2%/96%, memory=47%
HBDEV stats:
xxxxxxxxxxxxxxxxxxx(updated 4 seconds ago):
port2: physical/10000full, up, rx-bytes/packets/dropped/errors=117746/273/0/0, tx=179429/445/0/0
number of member: 1
chameleon-kvm182, xxxxxxxxxxxxxxxxxxx, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: xxxxxxxxxxxxxxxxxxx, HA operating index = 0

 

chameleon-kvm183 # get system ha status
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA A-P
Group Name: SAmple
Group ID: 100
Debug: 0
Cluster Uptime: 0 days 0h:1m:41s
Cluster state change time: 2024-12-11 22:08:19
Primary selected using:
<2024/12/11 22:08:19> vcluster-1: yyyyyyyyyyyyyyyyyyy is selected as the primary because it's the only member in the cluster.
ses_pickup: disable
override: disable
System Usage stats:
yyyyyyyyyyyyyyyyyyy(updated 0 seconds ago):
sessions=17, average-cpu-user/nice/system/idle=3%/0%/3%/93%, memory=47%
HBDEV stats:
yyyyyyyyyyyyyyyyyyy(updated 0 seconds ago):
port2: physical/10000full, up, rx-bytes/packets/dropped/errors=278891/641/0/0, tx=229816/556/0/0
number of member: 1
chameleon-kvm183, yyyyyyyyyyyyyyyyyyy, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: yyyyyyyyyyyyyyyyyyy, HA operating index = 0

 

  • For this issue, debugging the 'talk' process will not show any error pointing to a case mismatch of the HA Group name.

 

chameleon-kvm182 # diagnose debug console timestamp enable

chameleon-kvm182 # diagnose debug application hatalk -1
Debug messages will be on for 30 minutes.

chameleon-kvm182 # diagnose debug enable
chameleon-kvm182 # 2024-12-11 22:17:08 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984228
2024-12-11 22:17:18 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984238
2024-12-11 22:17:28 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984248
2024-12-11 22:17:38 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984258
2024-12-11 22:17:48 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984268
2024-12-11 22:17:58 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984278
2024-12-11 22:18:08 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1733983686/1733984288

 

  • Users have to manually verify that the letter case of the Group Name matches between the 2 FortiGate nodes.
  • Users can also take a packet capture on the Heartbeat interface to see what information each device sends to the other.
  • Below is an example of a packet capture on the HB interface.

 

[Image: HA_GroupName_Mismatch_Capture.png]
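
The manual letter-case check described above can be scripted. The following is an added example, not part of the original article and not Fortinet tooling: it parses `show system ha` output pasted from each node and reports settings that differ, marking those that differ only by letter case. The function names, the `MUST_MATCH` list and the embedded sample input (built from the two configurations shown above) are assumptions of this example.

```python
import re

# Constructed sample input: the two `show system ha` outputs from this article.
NODE_183 = '''
chameleon-kvm183 # show system ha
    config system ha
        set group-id 100
        set group-name "SAmple"
        set mode a-p
        set hbdev "port2" 0
        set override disable
    end
'''
NODE_182 = NODE_183.replace('"SAmple"', '"Sample"')

# Assumption of this example: these settings are compared between nodes.
# The article itself only names the group name as a matching condition.
MUST_MATCH = ("group-id", "group-name", "mode")

def parse_ha(text):
    """Return {setting: value} for the `set` lines inside `config system ha`."""
    settings, in_block = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "config system ha":
            in_block = True
        elif line == "end":
            in_block = False
        elif in_block:
            m = re.match(r"set (\S+) (.+)", line)
            if m:
                settings[m.group(1)] = m.group(2).replace('"', "")
    return settings

def compare_ha(a_text, b_text):
    """List (setting, value_a, value_b, kind) for each mismatch.
    kind is 'case-only' when the values are equal ignoring letter case."""
    a, b = parse_ha(a_text), parse_ha(b_text)
    findings = []
    for key in MUST_MATCH:
        va, vb = a.get(key), b.get(key)
        if va != vb:
            same_ignoring_case = None not in (va, vb) and va.casefold() == vb.casefold()
            findings.append((key, va, vb, "case-only" if same_ignoring_case else "different"))
    return findings

if __name__ == "__main__":
    for key, va, vb, kind in compare_ha(NODE_183, NODE_182):
        print(f"MISMATCH {key}: {va!r} vs {vb!r} ({kind})")
```

A `case-only` finding on `group-name` corresponds to the situation in this article, where both nodes report `number of member: 1` and the hatalk debug shows no error.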