fjulianom
Explorer II
June 10, 2025
Solved

FortiGate HA active-active traffic flow doubt

  • June 10, 2025
  • 1 reply
  • 1689 views

Hi community,

Looking at the following post, it seems FGT-1 sends the SYN to FGT-2 through the LAN switch.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-A-A-cluster-3-way-TCP-handshake/ta-p/197467

In the following situation, what happens if link 1 goes down? The SYN cannot be distributed from FGT-1 to FGT-2, then does the active-active configuration stop working? If not, what happens?

[Attached image: fjulianom_0-1749561572081.png]

Regards,

Julián


1 reply

AEK (SuperUser), June 10, 2025 [Best answer]

Hi Julian

If link 1 goes down, even the SYN from the client will not reach the primary FW; the default gateway of the client will simply not be reachable any more. In that case the active-active HA still works but is useless, since your client network is just isolated from the rest of the world.

I think the best thing to do is to set link 1 as a monitored interface in your HA config, so the primary will fail over when link 1 goes down.

AEK
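The monitored-interface change AEK recommends, as an added FortiOS CLI example that is not part of the thread; the interface names "port1" (link 1, the client-facing LAN) and "port3" (HA heartbeat) and the cluster name are assumed placeholders, not values from the original post.

```fortios
# Added example, not from the thread. Assumed interfaces: port1 = link 1
# (client LAN), port3 = HA heartbeat. Cluster name is a placeholder.

# Before: A-A cluster with no interface monitoring. If port1 on the
# primary goes down, the primary stays primary and the clients lose
# their default gateway even though the cluster itself is still "up".
config system ha
    set group-name "cluster1"
    set mode a-a
    set hbdev "port3" 50
    set priority 200
    set override disable
end

# After: port1 is a monitored interface. A link failure on the primary's
# port1 now triggers a failover, so the other unit becomes primary and
# the clients reach their gateway again through the surviving link.
config system ha
    set group-name "cluster1"
    set mode a-a
    set hbdev "port3" 50
    set priority 200
    set override disable
    set monitor "port1"
end

# Check which unit is currently primary and the current HA state after
# pulling link 1 in a maintenance window to confirm the failover happens.
get system ha status
diagnose sys ha status
```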
fjulianom (Author, Explorer II), June 10, 2025

Hi AEK,

> If link 1 goes down, even the SYN from the client will not reach the primary FW; the default gateway of the client will simply not be reachable any more. In that case the active-active HA still works but is useless, since your client network is just isolated from the rest of the world.

But if my client network is isolated from the rest of the world, it is as if active-active HA doesn't work.

> I think the best thing to do is to set link 1 as a monitored interface in your HA config, so the primary will fail over when link 1 goes down.

Good point: if the primary fails over when link 1 goes down, the default gateway will be reachable again. In that case the clients will not be isolated, but there will be no load balancing, because the new primary will not be able to forward packets to the new secondary through the switch, since link 1 is down. Is that right?

Regards,

Julián

AEK (SuperUser), June 10, 2025

FortiGate's active-active is not like Forcepoint's.

FGT's active-active is not a true active-active: here only one FGT (the primary) will receive the packets from the client, while the active secondary will receive some offloading from the primary only, but nothing from the client.

If your link 1 is down and the primary doesn't fail over, then your network is isolated. Once it fails over, the clients will see their gateway again through link 2.

AEK