cmaheu
Staff
October 26, 2020

Technical Tip: Cannot connect to Secondary Server Configuration Wizard when shared IP is used


Description

 

This article describes why the 'Configuration Wizard' may not be accessible on a secondary server in a High Availability pair that uses a shared IP address.
 
This is because the shared IP entry in the /etc/hosts file is written differently depending on the appliance configuration.
 

/etc/hosts file shared IP entry when managed by a Control Manager:

<shared IP> <shared FQDN> <shared short name> cm

 
/etc/hosts file shared IP entry when not managed by a Control Manager:

<shared IP> <shared FQDN> <shared short name> nac
 
Secondary Server appliances where 'nac' appears on the shared IP entry will not be accessible by default.


Scope


Version: 8.x - 9.2

 


Solution

 

Information is also available in the High Availability Reference manual in the Fortinet Document Library.
 
Temporarily modify the /etc/hosts file to access the appliance.
 
  1. Log in to the Secondary Server CLI as root and modify /etc/hosts.
  2. Remove the 'nac' entry from the shared IP entry. This makes the secondary server IP address accessible.
 
Example of the file after the change:
 
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
<...>
<shared IP> <shared FQDN> <shared short name>
 
  3. Restart the web service. Type:
 
service tomcat-admin restart
 
  4. Access the Secondary Server Configuration Wizard using the following URL:
 
https://<Secondary Server name or IP>:8443/configWizard
 
  5. Once the Configuration Wizard is run, the /etc/hosts file will be auto-corrected.
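
The /etc/hosts edit in the first two steps can be scripted so that only the shared IP entry changes and a backup copy is kept. This is an added example, not Fortinet's own tooling; the function names strip_nac_alias and apply_fix, the 192.0.2.10 address and the sample hosts file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The hosts file and 192.0.2.10 below are constructed; on the
# appliance the file is /etc/hosts and the address is the HA pair's shared IP.

# strip_nac_alias SHARED_IP FILE
# Print FILE with the 'nac' alias dropped from the SHARED_IP entry only.
# Matches whole fields, so names such as nac-ha are left alone.
strip_nac_alias() {
    awk -v ip="$1" '
        $1 == ip {
            out = $1
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 1) == "#") {      # keep a trailing comment as is
                    for (; i <= NF; i++) out = out " " $i
                    break
                }
                if (tolower($i) != "nac") out = out " " $i
            }
            print out
            next
        }
        { print }
    ' "$2"
}

# apply_fix SHARED_IP FILE
# Save FILE as FILE.bak, then rewrite FILE in place (owner and mode are kept).
apply_fix() {
    cp -p "$2" "$2.bak" || return 1
    tmp=$(mktemp) || return 1
    strip_nac_alias "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$2"
    rm -f "$tmp"
}

# Demo on a constructed copy, never the live /etc/hosts.
demo_hosts=$(mktemp)
cat > "$demo_hosts" <<'EOF'
127.0.0.1 localhost localhost.localdomain
192.0.2.10 nac-ha.example.com nac-ha nac
192.0.2.11 nac-secondary.example.com nac-secondary
EOF
apply_fix 192.0.2.10 "$demo_hosts"
diff "$demo_hosts.bak" "$demo_hosts" || true   # show the one changed line
```

On the appliance, the web service restart from the procedure above would follow the edit.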

Related Articles

Technical Tip: Administration UI unable to load due to name resolution

Technical Tip: Cannot access Secondary Server Configuration Wizard in 9.2