Lucky-Cement
New Member
July 18, 2025
Question

Fortigate firewall HA switchover causing delay

  • July 18, 2025
  • 7 replies
  • 2970 views

I have a FortiGate firewall acting as a Wi-Fi controller as well. My issue is that when I perform a manual HA failover or upgrade the firewall, the switchover is not seamless and it takes at least 5 minutes to switch services to the secondary unit. The configuration is active-passive.

7 replies

esalija
Staff
July 18, 2025

Dear @Lucky-Cement 

Please verify that the `session-pickup` is enabled in the HA configuration. This ensures that existing sessions are synced and persist upon failover.
- Confirm that the primary FortiGate has a higher priority than the secondary.
- Ensure that the `override` setting is configured correctly to allow preemptive failover and fallback.
- Check the heartbeat interface connections between the primary and secondary units to ensure they are stable and functioning correctly.
- Review the system logs for any errors or warnings that might indicate issues during the failover process.
- Perform a manual failover test to observe the behaviour and identify any specific delays or issues.


Best regards,

Erlin

Lucky-Cement
New Member
July 18, 2025

Hi,

- session-pickup is enabled
- priority is set right (higher for primary)
- kindly explain the "override" setting
- heartbeat interface is working correctly
- the warning that I saw is "system rebooted"; what else should I look for?
- I have done it, with the same result.

esalija
Staff
July 21, 2025

Hi @Lucky-Cement

When configuring FortiGate High Availability (HA) settings, the "override" feature plays a crucial role in determining the primary unit within an HA cluster.
Here's an explanation of the "override" settings and additional steps you can take given the warning you encountered:

1. Override Settings:
- Override Disabled: When the override feature is disabled, the primary unit selection is based on the robustness of the system rather than the configured priority.
This means that even if a unit has a higher priority, it may not become the primary if another unit is deemed more robust.
- Override Enabled: When enabled, the unit with the highest priority will always be selected as the primary, regardless of the system's robustness.

2. System Reboot Warning:
- If you received a warning that the system rebooted, it is essential to investigate the cause of the reboot. Here are some steps you can take:
- Check System Logs: Review the system logs for any error messages or events leading up to the reboot.
- Monitor Resource Usage: Ensure that CPU and memory usage are within normal limits, as resource exhaustion can lead to reboots.
- Inspect Hardware: Verify that there are no hardware issues, such as faulty components or overheating.
- Check HA Events Logs.

Best regards,
Erlin

HarryTran
Staff
July 18, 2025

May I know what the FortiGate model and its firmware version are?

Lucky-Cement
New Member
July 23, 2025

Override is disabled, as I have configured priorities on the firewalls. I have enabled/disabled session pickup but the result is the same. The firewall is a 201F and the firmware is 7.4.7.

There are no hardware or software issues or errors.

HarryTran
Staff
July 23, 2025

Thanks for your info @Lucky-Cement
I will conduct a test.

Lucky-Cement
New Member
July 26, 2025

Any update on the test?

filiaks1
Explorer III
July 26, 2025

Have you done some debugging or tcpdumps, as maybe HA heartbeats are being lost, etc.?

How to troubleshoot HA 'Heartbeat pac... - Fortinet Community


Also, if GARP is lost because switches or other network devices are blocking it, this could be an issue.

How gratuitous ARP behaves on FGCP HA fai... - Fortinet Community

filiaks1
Explorer III
July 28, 2025

@Lucky-Cement  Also see VRRP virtual MACs | FortiGate / FortiOS 7.6.2 | Fortinet Document Library as having Virtual MAC could help.


-----


If the VRRP virtual MAC address feature is disabled (the default setting), the VRRP domain uses the MAC address of the primary router. On a FortiGate VRRP virtual router, this is the MAC address of the FortiGate interface that the VRRP router is added to. If the primary fails, when the new primary takes over, it sends gratuitous ARPs to associate the VRRP router IP address with the MAC address of the new primary (or the FortiGate interface that became the new primary).

When a VRRP virtual MAC address is enabled, the new primary uses the same MAC address as the old primary.

Since devices on the LAN do not have to learn a new MAC address for a new VRRP router in the event of a failover, this feature can improve network efficiency, especially in large and complex networks.


---------

Lucky-Cement
New Member
July 28, 2025

Thanks for your response.

I am using dt-lacp on the interfaces on the core switch; the interface on the firewall is 802.3ad Aggregate, and no VRRP configuration has been done specifically.

I have firewalls in other segments as well and all are connected to the core switch. Only the firewall in question has this behavior; the others switch HA absolutely fine.

jiahoong112
Staff
August 1, 2025

Enabling session-pickup for connectionless protocols (UDP, ICMP) can help: https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/955521/session-pickup
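As an added example (not configuration posted by anyone in this thread), here are the FortiOS CLI settings that the replies above discuss together in one place: priority and override (esalija's explanation), session-pickup for TCP and for connectionless traffic (jiahoong112's link), plus the status and sniffer commands used to confirm that heartbeats are actually flowing. Interface names (port1, port3, port4), the group name, the priority values and the password placeholder are assumptions; replace them with the real topology.

```fortios
# Added example, not a poster's configuration. Interface names, group name,
# priorities and the password placeholder are assumptions.
# 'priority' and 'override' are unit-local; set them on each member.
config system ha
    set group-name "HA-GROUP"
    set mode a-p
    set password <ha-password>
    # Higher number = preferred primary. Use a lower value (e.g. 100) on the secondary.
    set priority 200
    # disable (default): after a failover the cluster keeps the current primary even
    #   when the higher-priority unit comes back, so an upgrade causes one switchover.
    # enable: the highest-priority unit always retakes the primary role, which adds a
    #   second switchover when that unit finishes rebooting.
    set override disable
    # Two dedicated heartbeat links, each with heartbeat priority 50.
    set hbdev "port3" 50 "port4" 50
    # Sync TCP sessions to the secondary so they survive a failover.
    set session-pickup enable
    # Also sync UDP/ICMP sessions (off by default).
    set session-pickup-connectionless enable
    # Fail over when a monitored data interface loses link.
    set monitor "port1"
end

# Verification from the CLI of either member.
get system ha status                       # role, priority and uptime of each member
diagnose sys ha checksum cluster           # checksums must match on both units
diagnose sys ha history read               # timestamps of previous role changes
# Confirm heartbeats are seen on a heartbeat link (FGCP heartbeat ethertype 0x8890);
# verbosity 4, stop after 10 packets.
diagnose sniffer packet port3 'ether proto 0x8890' 4 10
```

The checksum and history commands are the quickest way to tell a slow failover caused by configuration drift (the secondary re-syncs before it can serve) from one caused by lost heartbeats or delayed gratuitous ARP on the switch side, which the sniffer output and the switch's MAC table would show instead.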