New Member

Question

HA on FortiGate-VM under Hyper-V

Forum|Forum|12 years ago
April 17, 2014
12 replies
9209 views

I' m trying to deploy an HA pair of FortiGate-VM appliances under Hyper-V. Standalone they work fine, but as soon as I change HA mode to a-p or a-a, they lose network connectivity on everything except the cluster management port(s), and the cluster never forms. Changing HA mode back to standalone instantly restores connectivity. MAC addresses don' t appear to change, ARP works, but intermittently. I tried all kinds of virtual switches and vNIC settings, but nothing seems to help. I' ve reproduced the issue using build 5.0.6 on Windows Server 2012, and 5.0.7 on Windows 8.1, different host hardware as well. Am I missing some setting that must be configured to make it work?

veechee

New Member

I don' t have a solution to your problem, rather another question. One of the appealing aspects of a virtual FGT appliance to me was that I could put it onto clustered hardware, and then not have to worry about clustering the FGTs. I am just curious if you are using clustered hardware underneath the hypervisor?

amg7

Visitor III

Hello,

The same thing is happening to me, did you find the solution?

Thanks

ozkanaltas

Esteemed Contributor III

Hello @amg7 ,

If you want to use HA on Hyper-V you need to do additional configuration.

You can review this document about Configuring HA on Hyper-V.

https://docs.fortinet.com/document/fortigate-private-cloud/7.4.0/microsoft-hyper-v-administration-guide/397100/ha

amg7

Visitor III

Hello @ozkanaltas

Do the unicast settings need to be configured?

config system ha

set unicast-hb {enable/disable}

set unicast-hb-peerip {Peer heartbeat interface IP address}

end

is there an additional option for these settings in hyperV?

Thanks

ozkanaltas

Esteemed Contributor III

Hello @amg7 ,

It's up to your choice. If you want to use unicast, you need to enter these commands. However, if you want to use anycast, the "Mac address spoofing" setting must be supported and turned on in the interfaces on Hyper-V.

For FortiGate-VMs to support a broadcast HA heartbeat configuration, you must configure the virtual switches that connect heartbeat interfaces to support MAC address spoofing.  In addition, you must configure the VM platform to allow MAC address spoofing for the FortiGate-VM data interfaces. This is required because in broadcast mode, the FGCP applies virtual MAC addresses to FortiGate data interfaces, and these virtual MAC addresses mean that matching interfaces of the FortiGate-VM instances in the cluster have the same virtual MAC addresses.

amg7

Visitor III

Hello @ozkanaltas

I configured MAC address spoofing on all the Hyper-V interfaces but it is very strange I have GUI access to the secondary forti but not to the primary, the HA cluster is not established, it is as if they do not see each other. Can you think of anything?

Thanks

Regards

ozkanaltas

Esteemed Contributor III

Hello @amg7 ,

Are your HA heartbeat interfaces in the same network, right?

Also, you can try with unicast mode.

amg7

Visitor III

Yes, and I ping from one to the other. I have tried unicast and the same thing happens. I don't know what else to try

amg7

Visitor III

So I leave the HA interface configured with 0.0.0.0.0/0.0.0.0.0?

ozkanaltas

Esteemed Contributor III

If you use broadcast, you are right. You should leave 0.0.0.0.0/0.0.0.0.0.

And also you can review these documents about troubleshooting HA.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-HA-synchronization-issue/ta-p/193422

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Note-FortiGate-HA-synchronization-messages-and/ta-p/189469

amg7

Visitor III

When I set up HA on the primary I have GUI connectivity to the primary and when I then set up HA on the secondary I lose GUI connectivity to the primary. They never synchronise....

Thank you for your help but I think this is impossible....

ozkanaltas

Esteemed Contributor III

Hello @amg7 ,

it is not impossible. I have used this before and it worked properly.

My advice is, if you have a contract you can create a case. Fortinet engineers inspect the problem deeply and will solve the problem.

amg7

Visitor III

Yes I did that too, they checked the configuration of my fortigate and in principle it was correct, they tell me it could be a HyperV problem, the only solution they gave me is to configure everything again.

ozkanaltas

Esteemed Contributor III

Btw, i found one more document about ha troubleshooting.

Can you try to collect output with these commands? With these output results, we can see whether there is a problem with Hyper-V or not.

Collect heartbeat packet captures during the 'heartbeat packet loss' issue from both the primary and secondary units, then use them to verify whether the heartbeat packets sent from the primary are received on the secondary and vice versa.  Packet capture commands:    HA Master:     diag sniffer packet any 'ether proto 0x8890' 4 0 l | grep ha1 2023-06-05 16:52:15.630003 ha1 out Ether type 0x8890 printer hasn't been added to sniffer. 2023-06-05 16:52:15.698791 ha1 in Ether type 0x8890 printer hasn't been added to sniffer. 2023-06-05 16:52:15.740012 ha1 out Ether type 0x8890 printer hasn't been added to sniffer. 2023-06-05 16:52:15.798792 ha1 in Ether type 0x8890 printer hasn't been added to sniffer. 2023-06-05 16:52:15.840003 ha1 out Ether type 0x8890 printer hasn't been added to sniffer.     HA slave:     diag sniffer packet any 'ether proto 0x8890' 4 0 l | grep ha1 23-06-05 16:52:15.822283 ha1 out Ether type 0x8890 printer hasn't been added to sniffer. 2023-06-05 16:52:15.863515 ha1 in Ether type 0x8890 printer hasn't been added to sniffer. 2023-06-05 16:52:15.932283 ha1 out Ether type 0x8890 printer hasn't been added to sniffer.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-HA-Heartbeat-packet-lost/ta-p/267767

amg7

Visitor III

Port3 out Ether type 0x8890 printer hasn't been added to sniffer Port3 in Ether type 0x8890 printer hasn't been added to sniffer

I get that all the time

amg7

Visitor III

Can I follow this?

https://docs.fortinet.com/document/fortigate-private-cloud/7.4.0/microsoft-hyper-v-administration-guide/397930/setting-up-fortigate-vm-ha-for-a-microsoft-hyper-v-live-migration-environment

Here if you configure IP on the HA-sync interface.

ozkanaltas

Esteemed Contributor III

If you use the Live migration feature on Hyper-V. You need to do these steps also.

amg7

Visitor III

I cannot launch this test

diag sniffer packet any 'ether proto 0x8890' 4 0 l | grep ha1

Will not allow me to type ' or paste into HyperV console

amg7

Visitor III

I managed to set it to Active passive but I tried to connect to the secondary and the VPN I have configured was dropped. Do you know why this could be?
Thanks

Show more replies

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded