FortiGate Active-Standby Cluster - Seperate Management IP addess

Thanks Jeff!!!

il get a change scheduled and test this out.

Jeff_FTNT wrote:

You may try enable "ha-magmt-status " on both Master and Slave, set up different IP, you can manage Master and Slave with different IP.

Config sys ha

set ha-mgmt-status     enable set ha-mgmt-interface   xx set ha-mgmt-interface-gateway x.x.x.x

end

Jeff_FTNT wrote:

Hi Fullmoon,

HA have a option:set uninterruptable-upgrade {disable | enable}

You may try it in LAB with "set uninterruptable-upgrade enable". Before upgrade, it is better to back up setting.

For FSSO, no need any change, the user information will get from Windows AD server after upgrade. Hope it have some help, thanks.

I Jeff thank you for your reply. I guess by default "set uninterruptable-upgrade" was set to Enable. In my lab tried to upgrade my HA A-A couple of times with same effect.

Pls correct me if Im wrong if these procedure are correct, In my lab, updating my HA A-A thru GUI and to get a better picture whats going on behind my slave unit connect my console cable and seems updating works fine,I had a computer continuesly pinging to fortigate local ip and www.yahoo.com to check if theres any lose or rto's. Wait for a couple of minutes, then upgrade the firmware of the Master unit thru GUI, heres what I found out, seems Slave unit takes time to kick-in while the Master unit is the process of firmware upgrade. And I got 5-10 rto's before everything backs to normal.

Heres my HA settings for better picture

system hagroup-id : 0 group-name : FGT-HA mode : a-a password : * hbdev : "internal1" 50 session-sync-dev : route-ttl : 10 route-wait : 0 route-hold : 10 sync-config : enable encryption : disable authentication : disable hb-interval : 2 hb-lost-threshold : 6 helo-holddown : 20 arps : 5 arps-interval : 8 session-pickup : enable session-pickup-connectionless: disable session-pickup-delay: disable update-all-session-timer: disable session-sync-daemon-number: 1 link-failed-signal : disable uninterruptable-upgrade: enable ha-mgmt-status : enable ha-mgmt-interface : internal5 ha-mgmt-interface-gateway: 0.0.0.0 ha-eth-type : 8890 hc-eth-type : 8891 l2ep-eth-type : 8893 ha-uptime-diff-margin: 300 vcluster2 : disable vcluster-id : 1 override : disable priority : 128 schedule : round-robin monitor : "internal4" "wan1" pingserver-monitor-interface: pingserver-failover-threshold: 0 pingserver-flip-timeout: 60 vdom : "root" load-balance-all : disable

Hi Jeff

The working mechanism of 'uninterruptable-upgrade' if ENABLED is as follows - I log into the webgui  - the webgui will show me the master  - I uploaded the firmware to the master  - the master will transfer the firmware to the slave using the heartbeat cable  - the slave will perform the firmware upgrade first  - during the slave upgrade, there will be no downtime because the master is still up  - when the slave is up,---------- The Master Unit didnt perform firmware upgrade this is the portion where I am lost. I can't comprehend why my Master unit didn't performing firmware upgrade. After the Slave successfully upgraded and totally UP, I waited for almost 10 mins or more to check what would happen next but it seems in GUI Master didn't initiate firmware upgrade until i forced to upload manually the firmware to Master unit. Can you spot my error why my Master didn't update its firmware after Slave successfully updated?

thanks

Hi Jeff,

heres the outcome. thank you

diagnose sys ha showcsum 

is_manage_master()=1, is_root_master()=1

debugzone

global: 1b 2f 63 20 de 0b 2f 53 5c 73 b6 05 7a 52 ef d9 

root: 78 02 f6 24 d1 d0 df 50 10 4c a2 84 d3 0f d2 a6 

all: d9 b0 e0 10 5b 63 f5 e8 11 a4 9f b3 86 26 02 ba 

checksum

global: 1b 2f 63 20 de 0b 2f 53 5c 73 b6 05 7a 52 ef d9 

root: 78 02 f6 24 d1 d0 df 50 10 4c a2 84 d3 0f d2 a6 

all: d9 b0 e0 10 5b 63 f5 e8 11 a4 9f b3 86 26 02 ba 

hi Jeff, my HA is now working. From ver 4.0 MR3 P18 I jumped in to Ver 5.0.4 not 5.0.0. Im not quite sure why 5.0.0 is not working well in HA firmware upgarde.

Additional verification do I need to perform the same action if Im going to upgrade HA in A-P mode? Thanks

I have done:

set ha-mgmt-status     enable  set ha-mgmt-interface   xx  set ha-mgmt-interface-gateway x.x.x.x

but now I see that HA synchronises mgmt IP's 

so now both nodes have the same mgmt IP and now I even can manage none of the nodes via network. not even in the segment itself! 

how can I make sure he does not sync the IP address!