Sparh_Hsieh
New Member
December 18, 2017
Question

Will this HA scenario working properly?


Hi Experts,


Our company is building a new environment for our customer. We are using two Fortigate 100Ds for L3 High Availability and two L2 switches running MLAG (Cisco concept = vPC). The server is connected to those two switches using LACP mode. So the topology will look like the following diagram:


Those two 100Ds are running Active-Standby mode, and my question is: in case of SW-A failure (shutdown, or link down between SW-A and the Active Fortigate 100D),


will the traffic path be like

Server --> SW-B --> Standby Fortigate 100D --HA link--> Active Fortigate 100D --> uplink network (Internet)?


Are there specific conditions I need to be careful about?


Sparh_Hsieh
New Member
December 18, 2017

Just updating some assumptions from my own knowledge; maybe somebody can provide some tips.


I know that I have to configure the Monitor Port function on both Fortigate 100D devices. Thus, if SW-A is down, the Active 100D will detect that the Monitor Port is down, and then the HA mechanism will make the standby unit Active.


So my first question is solved by this mechanism. Is that right?

However, any suggestions are welcome.


Thank you!

Toshi_Esumi
SuperUser
December 18, 2017

The HA link is just a management interface, carrying the heartbeat and forwarding config changes from the active to the standby. You can see the whole conversation when you run "diag debug app hatalk -1". No user traffic goes through the HA link.

And standby is standby: it does not actively process user traffic while it's in standby. If you want HA to swap over when a link goes down, you should monitor the link in the HA config. However, if you've set up LACP with two stacked switches, even if one physical link goes down from SW-A, the active unit can still operate through the other link to SW-B. So I would just monitor the aggregated link.

Sparh_Hsieh
New Member
December 19, 2017

toshiesumi wrote:

However, if you've set up LACP with two stacked switches, even if one physical link goes down from SW-A, the active unit can still operate through the other link to SW-B. So I would just monitor the aggregated link.


Thank you for your answer, Toshi. I'm still a little bit confused: what if we don't have LACP with two stacked switches for the uplink path, and only one link connects to the upper Fortigate 100D? Is that fine?

The topology is like what I posted in original thread.


Toshi_Esumi
SuperUser
December 26, 2017

This is an example from our office with two 60Ds. If the "lan-side" interface goes down, they swap over and the standby 60D takes over.


config system ha
    set group-id 254
    set group-name "office-ha"
    set mode a-p
    set hbdev "dmz" 0
    set session-pickup enable
    set override disable
    set monitor "lan-side" "wan-side"
end

Sparh_Hsieh
New Member
January 2, 2018

Hi Toshi & Mike,


First of all, thank you for all your answers. Just an update with the latest information on our implementation.

After discussing the MLAG mechanism with the switch vendor, data traffic can pass over the "MLAG peer-link".

Thus, we still use only one Ethernet cable between each switch and FG; there is no LACP interface.

The topology is as follows:


We monitor the WAN1 interface and the port13 interface. Once the Active FG fails and the Backup FG becomes Active, the data traffic still goes through switch (right side) --> Backup FG (Active status) --> Internet.


Here is my HA configuration from the Active FG (left side):

config system ha
    set group-name "****"
    set mode a-p
    set password ENC ****
    set session-pickup enable
    set session-pickup-connectionless enable
    set override enable
    set priority 200
    set monitor "port11" "port13" "wan1"
end


Just let you know that and thank you for your help.
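As an added example (not code from this thread or from Fortinet), the following script parses a FortiOS `config system ha` block like the ones posted above and checks the points the replies turn on: that both a LAN-side and a WAN-side interface are in the `monitor` list, that the heartbeat device is not itself monitored, and that `override enable` is paired with an explicit `priority`. The sample block is constructed from the last post with the password replaced by a placeholder; the interface role sets passed to the check are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the final post's config (password redacted).
SAMPLE_HA_CONFIG = """\
config system ha
    set group-name "office-ha"
    set mode a-p
    set password ENC <placeholder>
    set session-pickup enable
    set session-pickup-connectionless enable
    set override enable
    set priority 200
    set monitor "port11" "port13" "wan1"
end
"""

def parse_ha_block(text: str) -> Dict[str, List[str]]:
    """Return {setting: [values]} for every 'set' line inside config system ha ... end."""
    settings: Dict[str, List[str]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system ha":
            in_block = True
        elif line == "end":
            in_block = False
        elif in_block and line.startswith("set "):
            # Tokens are either "quoted strings" or bare words.
            pairs = re.findall(r'"([^"]*)"|(\S+)', line[4:])
            tokens = [quoted or bare for quoted, bare in pairs]
            settings[tokens[0]] = tokens[1:]
    return settings

def check_ha_monitoring(settings: Dict[str, List[str]],
                        lan_ifaces: Set[str], wan_ifaces: Set[str]) -> List[str]:
    """Flag HA settings that would leave a switch or uplink failure undetected."""
    findings: List[str] = []
    monitored = set(settings.get("monitor", []))
    if settings.get("mode") != ["a-p"]:
        findings.append("mode is not a-p (active-passive)")
    if not monitored & lan_ifaces:
        findings.append("no LAN-side interface is monitored; a switch failure will not trigger failover")
    if not monitored & wan_ifaces:
        findings.append("no WAN-side interface is monitored; an uplink failure will not trigger failover")
    hbdev = settings.get("hbdev", [])[0::2]          # hbdev is "name prio name prio ..."
    if monitored & set(hbdev):
        findings.append("heartbeat interface is also monitored; keep hbdev out of the monitor list")
    if settings.get("override") == ["enable"] and "priority" not in settings:
        findings.append("override enable without explicit priority")
    return findings
```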