Carl_Wallmark
New Member
July 17, 2007
Question

Experience with Fortigate HA and HP Procurve switches?

Hi, I have 2 FG 200A set up in HA with a lot of VLANs. Does anyone have any experience with HP ProCurve (2600) switches and trunking between the FG and the switches? I'm having a bit of a problem with how to configure trunking on the switch. It's working when I have Trunk1 to one of my FGs and Trunk2 to the other, but not when Trunk1 is connected to both. Is there anyone who has a working setup like this?

    13 replies

    UkWizard
    New Member
    July 17, 2007
    Ensure you are using the 802.1q trunking method and that the trunked port to the Fortinet is configured (tagged) for all the trunks you want to see at the Fortinet end. Should work; I have not personally done it with ProCurves though, but I doubt it's undoable.
    Carl_Wallmark
    New Member
    July 18, 2007
    My setup is like this:

    FG1 -----Trunk1-----> HP Switch
     | -- HA Cluster
    FG2 -----Trunk2-----> Same HP Switch

    This way it works, but if I do it like this:

    FG1 -----Trunk1-----> HP Switch
     | -- HA Cluster
    FG2 -----Trunk1-----> Same HP Switch

    Then it fails. Should I use Spanning Tree? (STP, RSTP, MSTP) Thanks!
    doshbass
    New Member
    July 18, 2007
    Actually, from the description, I would have expected scenario 1 not to work and scenario 2 to work. In an HA environment, you should not have to set up spanning tree. Can you be more precise about what exactly fails? Fortinet and ProCurve are strategically aligned, therefore you should be able to get help from either ProCurve or Fortinet support for the entire issue. Having said that, the alliance is only about 6 months old, so they may be catching up with each other's products.
    UkWizard
    New Member
    July 18, 2007
    I agree with doshbass, I would have expected the latter to work. However, what mode is the cluster in? This would probably affect the setup.
    Carl_Wallmark
    New Member
    July 18, 2007
    I will lose contact with my cluster if I use scenario 2; it seems like the ProCurve switch gets confused. If I turn off one of the FGs it starts to work again. So my solution was to make 2 different trunk ports instead of 1. But I don't think the load balancing will work because the switch is only using one of the trunk ports, and holding the other port in "stand by" mode. So that's why I wondered if someone had some experience with HP ProCurve switches =)
    Carl_Wallmark
    New Member
    July 18, 2007
    Right now I'm using Active-Passive, only because load balancing is not working as I expected, but I would like to run in Active-Active mode.
    UkWizard
    New Member
    July 18, 2007
    Sounds like you have spanning tree on; turn it off. If I remember correctly, the two units would share the same IP and virtual MAC, thus STP would break this.
    Carl_Wallmark
    New Member
    July 18, 2007
    How will the ProCurve switch handle the same MAC on two different ports? Will it not get confused?
    doshbass
    New Member
    July 18, 2007
    The MAC jumps from old master to new master, so it will not appear on two switches. However, if you turn on spanning tree on the switches, one switch will effectively block the master from seeing its slave.
    Carl_Wallmark
    New Member
    July 19, 2007
    I called HP yesterday and they said that it would be impossible to have 2 trunks (same trunk) to one device. I don't know if he knew what he was talking about, but this can't be right? Can it?
    UkWizard
    New Member
    July 19, 2007
    Selective - I think the key to that answer is the fact you said "one device", as this implies you are trying to get two trunks to a single unit. You are not really, it's two units. So I would have expected it to work somehow. doshbass - not sure what you mean, as he has one switch, not two, and the clustered pair of Fortinets would have numerous heartbeat interfaces anyway, outside of the internal network. That raises a good point though. Selective - how have you got the heartbeat set? Do you have a dedicated cable between the two units as well? In an HA cluster you ideally need one; that should be the primary heartbeat, with another interface as the secondary heartbeat. Let us know how you have this configured, even if it's a screenshot of the HA settings page.