luca1994
Explorer III
May 5, 2025
Solved

Lost MGMT after configure HA A-P


Hello Team,

I have two FGT-400F.

When I configure HA in A-P mode I lose access to mgmt, or rather, I keep losing packets; sometimes I get a response, but then I lose them again.

HA status seems OK from the CLI, but the secondary appears out-of-sync.

HA Health Status: OK
Model: FortiGate-400F
Mode: HA A-P
Group: 0
Debug: 0
Cluster Uptime: 0 days 0:43:2
Cluster state change time: 2025-05-05 15:12:06
Primary selected using:
<2025/05/05 15:12:06> FG4H0FTXXXXXXX is selected as the primary because it has the largest value of override priority.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Configuration Status:
FG4H0FTXXXXXXX (updated 1 seconds ago): in-sync
FG4H0FTYYYYYYY (updated 2 seconds ago): out-of-sync
System Usage stats:
FG4H0FTXXXXXXX (updated 1 seconds ago):
sessions=11, average-cpu-user/nice/system/idle=0%/0%/1%/98%, memory=20%
FG4H0FTYYYYYYY (updated 2 seconds ago):
sessions=0, average-cpu-user/nice/system/idle=0%/0%/0%/99%, memory=19%
HBDEV stats:
FG4H0FTXXXXXXX (updated 1 seconds ago):
ha: physical/1000auto, up, rx-bytes/packets/dropped/errors=8544725/20866/0/0, tx=9549211/22088/0/0
FG4H0FT924904723(updated 2 seconds ago):
ha: physical/1000auto, up, rx-bytes/packets/dropped/errors=9547147/22081/0/0, tx=8541769/20862/0/0
Primary : FGT-1, FG4H0FT924904724, HA cluster index = 0
Secondary : FGT-2, FG4H0FT924904723, HA cluster index = 1
number of vcluster: 1
vcluster 1: work 169.254.0.1
Primary: FG4H0FTXXXXXXX , HA operating index = 0
Secondary: FG4H0FTYYYYYYY , HA operating index = 1

 

Do you have any suggestions?

Thanks for the support

BR
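Added example, not part of the original thread and not Fortinet code: the status output in the question reports "HA Health Status: OK" while one member is out-of-sync, so a monitoring check has to read the per-member lines rather than the summary. The sketch below parses that output format; the sample text is constructed from the post with placeholder serial numbers, and the assumption that the `tx=` counters use the same bytes/packets/dropped/errors order as `rx` is mine.

```python
import re

# Constructed sample modelled on the status output quoted in the question;
# serial numbers are placeholders.
SAMPLE = """\
HA Health Status: OK
Mode: HA A-P
Configuration Status:
FG4H0FTXXXXXXX (updated 1 seconds ago): in-sync
FG4H0FTYYYYYYY (updated 2 seconds ago): out-of-sync
HBDEV stats:
FG4H0FTXXXXXXX (updated 1 seconds ago):
ha: physical/1000auto, up, rx-bytes/packets/dropped/errors=8544725/20866/0/0, tx=9549211/22088/0/0
FG4H0FTYYYYYYY(updated 2 seconds ago):
ha: physical/1000auto, up, rx-bytes/packets/dropped/errors=9547147/22081/0/0, tx=8541769/20862/0/0
"""

SECTIONS = ("Configuration Status:", "System Usage stats:", "HBDEV stats:")
MEMBER = re.compile(r"^(\S+?)\s*\(updated \d+ seconds ago\):\s*(.*)$")
HBDEV = re.compile(r"^(\S+): \S+, (up|down), rx-bytes/packets/dropped/errors="
                   r"\d+/\d+/(\d+)/(\d+), tx=\d+/\d+/(\d+)/(\d+)")

def parse_ha_status(text):
    """Return (health, {serial: sync state}, {serial: [heartbeat problems]})."""
    health, sync, hb = None, {}, {}
    section = member = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("HA Health Status:"):
            health = line.split(":", 1)[1].strip()
        elif line in SECTIONS:
            section, member = line, None
        elif m := MEMBER.match(line):
            member = m.group(1)
            if section == "Configuration Status:":
                sync[member] = m.group(2)
        elif section == "HBDEV stats:" and member and (h := HBDEV.match(line)):
            dev, state, *counters = h.groups()
            # counters = rx dropped, rx errors, tx dropped, tx errors (tx order assumed)
            if state != "up" or any(int(c) for c in counters):
                hb.setdefault(member, []).append(f"{dev} {state} {'/'.join(counters)}")
    return health, sync, hb

def ha_findings(text):
    """List problems that the one-line health summary does not reveal."""
    _, sync, hb = parse_ha_status(text)
    out = [f"{sn}: config {state}" for sn, state in sync.items() if state != "in-sync"]
    out += [f"{sn}: heartbeat {msg}" for sn, msgs in hb.items() for msg in msgs]
    return out

if __name__ == "__main__":
    print(parse_ha_status(SAMPLE)[0], ha_findings(SAMPLE))
```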

Best answer by luca1994

Hello,

Unconfigure HA, then execute factoryreset on the secondary member, and then reconfigure HA, and all works as expected.

Thanks to all for the support

BR

2 replies

Toshi_Esumi
SuperUser
May 5, 2025

If you made the mgmt port "dedicated to management", HA operation would exclude the port config from the config sync. That's why you can set a different IP on mgmt for those two FGTs. This means even when they're not in sync, you should have steady access to the secondary mgmt port.

Share with us the HA config in the CLI under "config system ha" as well as "config system ha -> edit mgmt".

Toshi
 

luca1994
Author
Explorer III
May 5, 2025

Hello @Toshi_Esumi,

The following output is from the console of the primary firewall:

config system ha
    set group-name "ClusterFGT"
    set mode a-p
    set password XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    set hbdev "ha" 0
    set session-pickup enable
    set override disable
    set priority 200
end

The following output is from the console of the secondary firewall:

config system ha
    set group-name "ClusterFGT"
    set mode a-p
    set password XXXXXXXXXXXXXXXXXXXX
    set hbdev "ha" 0
    set session-pickup enable
    set override disable
    set priority 150
end

However, it still overwrote my MGMT conf, because in the secondary conf I see the same IP. I changed it, but still both IPs are not reachable.

Thanks for the support

BR

Toshi_Esumi
SuperUser
May 5, 2025
luca1994
Author
Explorer III
May 5, 2025

OK, thanks. The mgmt interface has dedicated-to-management enabled by default. I didn't change it.