Skip to main content
Simo94
Simo94
New Member
March 19, 2025
Question

mgmt interface not accessible in HA cluster

  • March 19, 2025
  • 3 replies
  • 4442 views

hi Team,

 

HA : A-P

models : 901G

 

so I connect to the mgmt interface of the fortigate with RJ45 to setup the cluster. everything is going fine I setup the member that I'm connected to to be the primary. after the cluster is up I changed the mgmt interface ip from 192.168.1.99 to an ip of our network 10.189.1.25/29 with command :

set ip 10.189.1.25 255.255.255.248   set allowaccess https ping ssh

 

 and I also change the ip of my PC that im connected with to the mgmt interface to 10.189.1.26/29 and set the default gateway to 10.189.1.25(also tried without gateway and didnt work)

 

 so after I done so the connection was lost and I couldnt connect back. so I ran a ping from my PC and then I ran a debug flow and I only see some multicast DNS traffic 

from my PC but no ping traffic.  then I set the ip of the mgmt interface again but this time I used :

 

set management-ip 10.189.1.25 255.255.255.248

 

and the access worked again. the problem with the above command is that it is not synchronized between HA members and we want to use that mgmt interface to always be able to access the primary member in case failovers. I already setup a reserved HA management interface on each member to be able to access the members individually which works fine but we want to use the mgmt interface to always access the primary but it doesnt work.

 

config on mgmt interface :

 

config system interface edit "mgmt" set vdom "root" set ip 10.189.1.25 255.255.255.248 set allowaccess ping https ssh http set type physical set role lan set snmp-index 1 next end

 

so basically we are not able to access the mgmt interface which has its ip configured using 'set ip' command in a HA cluster.

 

one thing to note is that I reset factory one member(just to test again) without creating a cluster and I used the 'set ip' command and it worked so the command just doesnt work when it is in a cluster.

 

we have another HA cluster of 401 and the "set ip" command on the mgmt interface works fine.

 

 

 

 

 

 

 

3 replies

ebrlima
Staff
ebrlima
Staff
March 19, 2025

Hello @Simo94 

 

Did you define the gateway  in the HA configuration?

 

Please share the result of:

 

#show sys ha

#get router info kernel [this display the route for the mgmt netwok]

 

Also, you can check the guide below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/190132

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
March 19, 2025

In HA, mgmt port is supposed to be used for "dedicated-to" outband management interface by default. If you want to do inband management, you can either use an existing interface for user traffic or configure a VLAN interface on top of it if you want the subnet to be separated.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-dedicated-mgmt-feature-Out-of-band/ta-p/193699

Toshi


    Simo94
    Simo94Author
    New Member
    March 19, 2025

    hi Toshi,

     

    thank you for your response.

     

    we want the mgmt interface to be used as out of band while also being synced between the members so that we can always access the primary member using one IP address. we already can access the individual members using the reserved management interface on the HA with port1. we already have a cluster with 401 on which we are able to access the primary on the mgmt interface and we want to achieve the same thing with 901 but its not functioning

     

    I created a subinterface under mgmt and assigned a VLAN but it still would not work and I removed it

     

    my routing table : 

    Routing table for VRF=0 S* 0.0.0.0/0 [10/0] via 10.189.1.22, External, [1/0] C 10.189.1.16/29 is directly connected, Lan-Office-1951 C 10.189.1.24/29 is directly connected, mgmt

     

    as I mentioned before even if I connect my PC directly to mgmt interface and assign my PC 10.189.1.26/29 and try ping or whatever( have ping and other services enabled on that interface) it wouldn't work. but if I set the ip of mgmt interface using the command "set management-ip 10.189.1.25/29"  it works but as you know the "set management-ip" doesnt get synced between members and if a failover happens we be NOT able to access the primary member using the mgmt interface but we would access it using the reserved management interface on the HA but we don't want to do that all the time because in case of a failover we would have to figure out which member is primary by logging into the member individually using the reserved management interface (port1) and then found out which is the primary but we dont want to do that because we want to have one interface (mgmt) on which we can always access the primary no matter the failover. s o we want to have an out of band IP taht always follows the primary.

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    March 19, 2025

    It's designed to do in opposite way. Mgmt as dedicated-to management interface, which is outside of HA sync while port1 is subject to HA sync, which both sides have the same IP. Unless you have any particular reason you HAVE TO swap roles of those two ports, I would recommend the FGT standard way, which you can find many documents talking about the management interfaces in HA. Besides, mgmt port has some limitations.

    But if the same config work on FG401x, I would think the same config works on FG901G as well unless the particular version of software on the 901G has a problem supporting the G-series hardware. I don't have any further idea.

    Toshi

    dingjerry_FTNT
    Staff
    dingjerry_FTNT
    Staff
    March 19, 2025

    Hi @Simo94 ;

     

    1) You need to check whether there is an entry for the new 10.189.1.24/29 subnet;

     

    get router info routing-table all

     

    2) Run the following command to see whether your Ping traffic is hitting your interface or not:

     

    diag sniffer packet any 'icmp and host 10.189.1.26' 4

     

    Run Ping (not continuous Ping) on your client.

     

    3) Run "get sys arp" on FGT. You are supposed to see an entry with 10.189.1.26.  If not, something prevents the ARP packets between FGT and your client machine.

     

    Simo94
    Simo94Author
    New Member
    March 23, 2025

    hi Guys,

     

    thank you very much for your help.

     

     

    it turned out to be a transient issue which got resolved by restarting fortigate multiple times. now I can use the mgmt interface like a normal interface. im not really sure what causes these kind of issues but I struggled with it for days and I had to restart fortigate multiple times for it to resolved.

    Terms & ConditionsAccessibility statement