SurfnProtect
New Member
June 5, 2020
Question

Unable to get HA working on FortiAuthenticator VM


Hi there,

For some reason I'm unable to get the HA cluster (HIGH/LOW) running; it cannot see its peer. Just after I installed the license it worked for an hour and then it didn't any more.

 

Here's my config:

 

> show system ha
> config system ha
>     set mode enable
>     set interface port2
>     set priority low
>     set hb-interval 10
>     set hb-lost-threshold 6
>     set mgmt-ip 10.22.61.2/255.255.255.0
>     set mgmt-access SSH HTTPS GUI
>     set role cluster_mem

 

And the slony logs from HA

 

2020-06-05T10:24:47.710904-04:00 scn00419 slon[3469]: [1-1] 2020-06-05 10:24:47 BOT ERROR cannot get sl_local_node_id - ERROR: relation "_fac_ha.sl_local_node_id" does not exist
2020-06-05T10:24:47.710931-04:00 scn00419 slon[3469]: [1-2] LINE 1: select last_value::int4 from "_fac_ha".sl_local_node_id
2020-06-05T10:24:47.710935-04:00 scn00419 slon[3469]: [1-3] ^
2020-06-05T10:24:47.710938-04:00 scn00419 slon[3469]: [2-1] 2020-06-05 10:24:47 BOT FATAL main: Node is not initialized properly - sleep 10s

 

Strange thing is in vSphere when I list my IP addresses:

 

  • 10.22.57.4
  • 169.254.0.2 (port 2 for HA should be 10. address)
  • xxx.xxx.18.210
  • fe80::250:56ff:fe81:3211
  • fe80::250:56ff:fe81:d342

Anyone troubleshooting? Tried different port for HA and latest update for FortiAuthenticator. vSphere is on Version 6... Any help would be appreciated!


      roms
      New Member
      March 11, 2022

      Hello,

       

      Got quite the same behaviour.

      HA is flapping very often.

      And I can also see 169.254.x.x IP addresses for UDP heartbeats when I run a tcpdump, instead of the 10.x.x.x IP addresses assigned to port2.

      Did you resolve?

       

       

      Debbie_FTNT
      Staff & Editor
      March 14, 2022

      Hey roms,

      the 169.254.x.x IP addresses are expected - FortiAuthenticator units build a tunnel between them and use those 169.254.x.x IPs for that.

      Regarding your cluster flapping a lot, I would suggest to check the following:

      - what firmware is your FortiAuthenticator? If not the newest, you could consider upgrading

      - does your FortiAuthenticator cluster share the HA link with any other traffic that could cause delays/packet loss?

      - if you are using the default HA timers (interval of 1000 ms and a tolerance of six missed heartbeats), you could consider increasing them to see if that helps a bit; it makes the HA link more resistant to the occasional packet loss but also means failover will take a bit longer to be initiated

      roms
      New Member
      March 17, 2022

      Hi Debbie,

      Thanks for the input regarding the 169.245.x.x interface (good to know).

      We are running 6.4.1. The 2 VMs have the dedicated HA link plugged into a separate network with only a few servers (2-3).

      I think we are going to play a little with the timers. From what we can see, the failover occurs 2.3 times a day.