Fortigate 100f Active-Passive HA not working as expected

Hi,

Can you confirm what layer 2 switches you are using stack switch or separate switch.

side by side can you confirm those interfaces are getting monitered. 

How are switch1 and Switch 2 connected?

From where are you testing/initiating traffic?

When you disconnect cable from the active node, is there a failover due to monitored interface going down?

Before you hook up one switch to both HAed FGTs, what do you see in "get sys ha status"? Please share us the key parts of the output.

<edit>I mean on both FGTs.</edit>

Toshi

In an Active-Passive High Availability (HA) setup with FortiGate firewalls, only one firewall should be active at any given time, while the other remains passive, ready to take over in case of a failure. It seems like there may be a misconfiguration or issue with your HA setup. Here are a few things to consider and troubleshoot:

1. HA Configuration: Verify that you have correctly configured the firewalls for HA. Ensure that you have designated one firewall as the primary (active) unit and the other as the secondary (passive) unit. Check that the HA heartbeat interface is properly configured and connected between the firewalls.

2. HA Synchronization: Confirm that the HA synchronization is working correctly. The active unit should synchronize its configuration, policies, and session information to the passive unit. Check the HA synchronization status and logs to ensure there are no errors or discrepancies.

3. Interface Configuration: Review the interface configurations on both firewalls. Ensure that the interfaces connected to your Layer 2 switch are properly configured and assigned to the correct zones or VLANs. Verify that the interface states and link status are correct.

4. IP Address Conflict: It seems like there might be an IP address conflict when you connect both firewalls to the switch. Check the IP address assignments for the interfaces on each firewall. Ensure that there are no duplicate IP addresses or overlapping subnets. Each firewall should have unique IP addresses assigned to its interfaces.

5. Switch Configuration: Review the configuration of the Layer 2 switch. Ensure that it is not causing any issues with the firewall connectivity or creating a loop in the network. Check for any spanning tree protocol misconfigurations or loop prevention mechanisms that could be affecting the network.

6. Log Analysis: Check the firewall logs for any error messages, warnings, or indications of a problem. Look for any HA-related messages or network connectivity issues that could provide insight into the cause of the problem.

If you have gone through these troubleshooting steps and the issue persists, it is recommended to reach out to Fortinet support or consult with a network specialist who can further analyze your HA configuration and assist in resolving the problem.

Thanks all for the help. I figured out the problem is not really in HA, but in the Hardware Switch.
We have configured a Hardware Switch with ports 5, 6, 7 and 8.
We thought Active-Passive means 1 firewall works, and 1 is passive. But If we pull out 1 device on the active firewall, the port on the secondary firewall becomes active. So the passive firewall port takes over.

And if we put a device on both firewalls, the whole setup reacts like one big hardware switch (instead of active/passive) and we get a loop as if it is a normal switch.