Technical Tip: HA management interface connectivity setup for Active-Passive mode
Description
This article explains and provides a configuration example pertaining to HA management interface setup.
Typical example of HA Active-Passive setup with HA reserved management interface setup.
For more information on configuring HA reserved management interface setup, see the Reserved Management Interface in the FortiWeb Administration Guide.
CLI commands on Primary and Secondary:
config system ha
set mode active-passive
set group-id 8
set group-name ha-fv-group
set hbdev port2
set ha-mgmt-status enable
set ha-mgmt-interface port1
end
Choose the correct management interface.
Only one default route is allowed on FortiWeb. Adding another default route confuses attempts to route HA management traffic via the expected path.
Note:
By design, only one default route (the static route with destination as 0.0.0.0/0) is allowed on FortiWeb.
For example, if a default route is configured in System -> Network -> Route, then it is not allowed to configure another default route in HA route settings.
Thus, connectivity to the HA management interface often breaks due to route configuration. More information about how HA static routes and policy routes behave. Refer to this document: HA static route and policy route.
For example, if a default route is configured in System -> Network -> Route, then it is not allowed to configure another default route in HA route settings.
Thus, connectivity to the HA management interface often breaks due to route configuration. More information about how HA static routes and policy routes behave. Refer to this document: HA static route and policy route.
Scope
FortiWeb.
Solution
Based on a typical HA active-passive setup topology, with below 2 use-cases solution should meet the case requirement to route HA management traffic via the expected path.
Refer to below 2 possible solutions below:
Scenario 1:
The client (Admin Users) network comes from an unknown network:
The unknown network means client connections may come from 10.10.10.x and the internet.
From the CLI:
config system ha-mgmt-router-policy
edit 1
set src 172.10.10.2/32
set gateway 172.10.10.254
set oif port1
next
end
Note: Ensure the incoming interface is set to 'any' for the policy route to function correctly.
From the GUI:
Access System -> High Availability -> Settings, then select HA Policy Route. After that, select Create New:
In the HA Policy Route configuration, set up the configuration as appropriate for the scenario:
Traffic matching the source IP (management interface IP address) will be sent via the outgoing interface PORT1 towards the specified gateway regardless of the client source IP address.
Despite the destination stating any destination (0.0.0.0/0), due to the restriction of the source IP, it will not conflict with other routes.
Replace the source address, outgoing interface, and gateway address according to the necessary environment setup.
Verification steps:
Conduct a sniffer trace to determine connectivity to the HA management interface.
The following example sniffer capture indicates HA management traffic returns appropriately to the HA policy route.
The following example sniffer capture indicates HA management traffic returns appropriately to the HA policy route.
diagnose network sniffer any 'host 172.10.10.1' 4
filters=[host 172.10.10.1]
interface=[port1]
9.374762 10.10.10.7.51131 -> 172.10.10.1.443: syn 1836135939
interface=[port1]
9.374775 172.10.10.1.443 -> 10.10.10.7.51131: syn 171024616 ack 1836135940
interface=[port1]
9.376389 10.10.10.7.51131 -> 172.10.10.1.443: ack 171024617
Scenario 2:
The client (admin users) network comes from a known network:
The known network means that the client connection will only come from 10.10.10.x: either option will work, depending on the environment setup.
The known network means that the client connection will only come from 10.10.10.x: either option will work, depending on the environment setup.
If traffic needs to match the source IP, use option A.
Option A:
Option A:
From the CLI:
config system ha-mgmt-router-policy
edit 1
set src 172.10.10.2/32
set dst 10.10.10.0/24
set gateway 172.10.10.254
set oif port1
next
end
edit 1
set src 172.10.10.2/32
set dst 10.10.10.0/24
set gateway 172.10.10.254
set oif port1
next
end
Note: Ensure the incoming interface is set to 'any' for the policy route to function correctly.
From the GUI:
Access System -> High Availability -> Settings, then select HA Policy Route. After that, select Create New:
In the HA Policy Route configuration, set up the configuration as appropriate:
If traffic does not need to match the source IP, use option B.
Option B:
From the CLI:
Option B:
From the CLI:
config system ha-mgmt-router-static
edit 1
set dst 10.10.10.0/24
set gateway 172.10.10.254
set device port1
next
end
edit 1
set dst 10.10.10.0/24
set gateway 172.10.10.254
set device port1
next
end
Note: Ensure the incoming interface is set to 'any' for the policy route to function correctly.
From the GUI:
Access to System -> High Availability -> Settings, then select HA Static Route. After that, select Create New:
In the HA Static Route configuration, set up the configuration as appropriate:
Traffic matching the source IP (management interface IP address) and destination IP will be sent via the outgoing interface Port1 towards the specified gateway.
Due to the restriction of source IP, it will only work with traffic that matches both criteria and will not conflict with other routes.
Alternatively, if no source IP match is required, option B will suffice.
Replace the source address, destination address, outgoing interface, and gateway address according to the necessary environment setup.
Replace the source address, destination address, outgoing interface, and gateway address according to the necessary environment setup.
Verification Steps.
Conduct a sniffer trace to determine connectivity destined to the HA management interface respond accordingly.
The following example sniffer capture indicates HA management traffic returns accordingly to the HA policy or HA static route.
The following example sniffer capture indicates HA management traffic returns accordingly to the HA policy or HA static route.
diagnose network sniffer any 'host 172.10.10.2' 4
filters=[host 172.10.10.2]
interface=[port1]
3.373251 10.10.10.7.51211 -> 172.10.10.2.443: syn 560192458
interface=[port1]
3.373261 172.10.10.2.443 -> 10.10.10.7.51211: syn 2110820095 ack 560192459
interface=[port1]
3.374993 10.10.10.7.51211 -> 172.10.10.2.443: ack 2110820096
Information on how to run sniffer capture: