Description
This article outlines best practices for upgrading FortiAuthenticator clusters configured in load-balancing mode.
Scope
FortiAuthenticator, cluster in Load-Balancing mode.
Solution
Unlike an Active-Passive cluster, a cluster operating in Load-Balancing Mode does not support the Coordinated Upgrade process, so each participating node must be upgraded individually. If the standalone (primary) node is itself an Active-Passive pair, a Coordinated Upgrade may still be possible for that pair; the load-balancer members are still upgraded one at a time afterwards.
Common Load-Balancing Scenarios: The following scenarios are typical in Load-Balancing Mode deployments:
Recommended upgrade approach:
For clusters operating in Load-Balancing Mode, the recommended best practice is to start with the Standalone Node (or the Standalone Active-Passive cluster). Once the primary node has been upgraded, test every service running on the FortiAuthenticator against the new release. Only after that verification passes, upgrade the Load-Balancer Nodes, one node at a time. Services to test: Authentication, LDAP, RADIUS, SAML, Multi-Factor Authentication, Portals, FSSO, and any other service running on the node.
Below is an example of a Load-Balancing Cluster upgrade from 6.5.3 to 6.5.6 GA:
Before starting, confirm the cluster is in a healthy state: all nodes Connected and all status indicators green. Record the serial number of every node participating in the cluster. For virtual appliances, take a snapshot of each VM so the upgrade can be rolled back if needed. Verify the supported upgrade path and the system requirements in the official Fortinet upgrade guide for the target release.
Standalone Node HA status, connected to the Load-Balancer Node.
Load-Balancer Node HA status, connected to the Standalone Node.
Access the Primary (Standalone) Node and navigate to Administration -> Firmware Upgrade. Select the firmware image downloaded from the Fortinet Support portal (check its hash against the checksum published there before uploading it).
After the Standalone Node has been upgraded, verify that every service running on it functions correctly with the new release. Under Dashboard -> HA Status, the Load-Balancer Node still appears as Connected, but its Heartbeat is no longer updated.
In the debug logs of the Primary Node (https://<FortiAuthenticator-IP>/debug), open High Availability -> Load Balancing. The log shows repeated JOIN requests from the load-balancer node (every 20 seconds in this capture), each followed by an OpenVPN tunnel setup attempt but no confirmation that the member has joined:
2024-12-16-08:50:55 LB Primary is starting
2024-12-16-08:52:14 Received JOIN request from # 3, setup openvpn tunnel
2024-12-16-08:52:34 Received JOIN request from # 3, setup openvpn tunnel
2024-12-16-08:52:54 Received JOIN request from # 3, setup openvpn tunnel
On the Load-Balancer Node, HA Status shows a 'Version Mismatch' message and the Heartbeat is lost as well.
In its debug logs, the existing tunnel to the primary times out (210 seconds, while the primary is being upgraded) and is torn down. Every subsequent join attempt is answered with 'HA schema mismatch', so the tunnel is not rebuilt until both nodes run the same release. This state is expected and lasts only until the Load-Balancer Node is upgraded:
2024-12-16-08:52:12 Loadbalancer: tunnel #1 has timed out (210 seconds) - tear down vpn tunnel
2024-12-16-08:52:12 Loadbalancer: destroy tunnel #1, pid=10028
2024-12-16-08:55:32 Join_ack: HA schema mismatch.
2024-12-16-08:55:52 Loadbalancer: Send join request to #1
2024-12-16-08:55:52 Loadbalancer: received join ack from #1
2024-12-16-08:55:52 Join_ack: HA schema mismatch.
If the services on the upgraded Standalone Node function correctly, upgrade the Load-Balancer Node in the same way (Administration -> Firmware Upgrade). Once it has rebooted, confirm that all nodes are Connected, the Heartbeat is updating again, and the configuration is in sync.
The debug logs on the primary node should show the Load-Balancer Node joining the cluster:
2024-12-16-09:06:50 Received JOIN request from # 3, setup openvpn tunnel
2024-12-16-09:06:58 LB device FAC-VMTXXXXXX has joined the HA cluster from 10.191.20.187
The debug logs on the Load-Balancer Node should show the OpenVPN tunnel being set up, together with its PID:
2024-12-16-09:06:48 Loadbalancer: Send join request to #1
2024-12-16-09:06:48 Loadbalancer: received join ack from #1
2024-12-16-09:06:48 Loadbalancer: setup openVPN tunnel #1, pid=3199
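The four log excerpts above mark the phases of the upgrade (primary upgraded and waiting for the member, member refused on schema mismatch, member joined, tunnel up). As an added example, not part of this article or of Fortinet's software, the following Python script classifies messages copied from the High Availability -> Load Balancing debug log so each phase can be confirmed from the log rather than by eye. The state names, regular expressions and verdict text are assumptions derived only from the messages quoted in this article; the sample logs are those four excerpts, one message per line.

```python
"""Classify FortiAuthenticator HA Load-Balancing debug-log output during an upgrade.
Added example for this article, not Fortinet code. State names, regexes and verdicts
are assumptions derived from the messages the article quotes; extend PATTERNS as needed."""
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d-%H:%M:%S"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\s+(.+)$")

# Most specific first. The primary's "Received JOIN request ..., setup openvpn tunnel"
# carries no pid and must stay JOIN_PENDING, so TUNNEL_UP insists on "pid=".
PATTERNS = [
    ("JOINED", re.compile(r"has joined the HA cluster", re.I)),
    ("TUNNEL_UP", re.compile(r"setup openvpn tunnel #\d+, pid=\d+", re.I)),
    ("SCHEMA_MISMATCH", re.compile(r"HA schema mismatch", re.I)),
    ("TUNNEL_DOWN", re.compile(r"tear down vpn tunnel|destroy tunnel", re.I)),
    ("JOIN_PENDING", re.compile(r"received join request|send join request", re.I)),
]

VERDICT = {
    "JOINED": "OK: member joined the cluster; run the post-upgrade service checks.",
    "TUNNEL_UP": "OK: OpenVPN tunnel to the primary is up.",
    "SCHEMA_MISMATCH": "EXPECTED MID-UPGRADE: release skew between nodes; upgrade the load-balancer node.",
    "TUNNEL_DOWN": "ATTENTION: tunnel torn down; expected only while the peer is upgrading.",
    "JOIN_PENDING": "WAITING: join requested but not acknowledged yet.",
    None: "UNKNOWN: no HA load-balancing events found.",
}


def classify(msg):
    """Map one log message to a state name, or None for informational lines."""
    for state, rx in PATTERNS:
        if rx.search(msg):
            return state
    return None  # e.g. "LB Primary is starting"


def parse_log(text):
    """Return [(timestamp, message, state)] for every timestamped line, oldest first."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), TS_FMT)
            events.append((ts, m.group(2), classify(m.group(2))))
    events.sort(key=lambda e: e[0])  # stable sort: same-second lines keep file order
    return events


def current_state(text):
    """State implied by the newest classifiable event, or None."""
    for _ts, _msg, state in reversed(parse_log(text)):
        if state is not None:
            return state
    return None


def pending_join_attempts(text):
    """Join requests since the tunnel was last confirmed up or the member joined.
    A growing count with no JOINED/TUNNEL_UP means the peer keeps being refused
    (release skew) or never gets an answer (connectivity or heartbeat problem)."""
    count = 0
    for _ts, _msg, state in parse_log(text):
        if state in ("JOINED", "TUNNEL_UP"):
            count = 0
        elif state == "JOIN_PENDING":
            count += 1
    return count


def verdict(text):
    return VERDICT[current_state(text)]


# Sample logs: the article's four excerpts, one message per line.
PRIMARY_AFTER_UPGRADE = """
2024-12-16-08:50:55 LB Primary is starting
2024-12-16-08:52:14 Received JOIN request from # 3, setup openvpn tunnel
2024-12-16-08:52:34 Received JOIN request from # 3, setup openvpn tunnel
2024-12-16-08:52:54 Received JOIN request from # 3, setup openvpn tunnel
"""
LB_DURING_MISMATCH = """
2024-12-16-08:52:12 Loadbalancer: tunnel #1 has timed out (210 seconds) - tear down vpn tunnel
2024-12-16-08:52:12 Loadbalancer: destroy tunnel #1, pid=10028
2024-12-16-08:55:32 Join_ack: HA schema mismatch.
2024-12-16-08:55:52 Loadbalancer: Send join request to #1
2024-12-16-08:55:52 Loadbalancer: received join ack from #1
2024-12-16-08:55:52 Join_ack: HA schema mismatch.
"""
PRIMARY_AFTER_LB_UPGRADE = """
2024-12-16-09:06:50 Received JOIN request from # 3, setup openvpn tunnel
2024-12-16-09:06:58 LB device FAC-VMTXXXXXX has joined the HA cluster from 10.191.20.187
"""
LB_AFTER_UPGRADE = """
2024-12-16-09:06:48 Loadbalancer: Send join request to #1
2024-12-16-09:06:48 Loadbalancer: received join ack from #1
2024-12-16-09:06:48 Loadbalancer: setup openVPN tunnel #1, pid=3199
"""

if __name__ == "__main__":
    for name, log in [("primary after upgrade", PRIMARY_AFTER_UPGRADE), ("LB during mismatch", LB_DURING_MISMATCH),
                      ("primary after LB upgrade", PRIMARY_AFTER_LB_UPGRADE), ("LB after upgrade", LB_AFTER_UPGRADE)]:
        print(f"{name}: {current_state(log)}, {pending_join_attempts(log)} pending join(s) -> {verdict(log)}")
```

Paste the copied debug log into one of the string constants (or read it from a file) and run the script; a SCHEMA_MISMATCH verdict between the two upgrade steps is the expected intermediate state, while a climbing pending-join count with no JOINED or TUNNEL_UP after the second node has been upgraded is the signal to check connectivity and, as the note below says, recalculate the checksums.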
Note: If objects fail to sync after the upgrade, recalculate the checksums from the Standalone Node. For details, refer to Technical Tip: How to configure FortiAuthenticator load-balancing cluster. If the issue persists, open a ticket with Fortinet Technical Support.