Description
This article describes the scope of a FortiAuthenticator HA cluster.
Scope
FortiAuthenticator.
Solution
FortiAuthenticator can work as a cluster offering redundancy and, in some configurations, balancing charges.
The configuration can be made on an L2 (Active/Passive) layer or an L3 (Active/Active) layer.
The following prerequisites must be achieved:
- Two FortiAuthenticator devices of the same model and platform.
- Both devices must run the same firmware version.
- All HA participants must have a valid license.
Active/Passive:
- One device operates in the primary role while the other operates as a backup in standby mode.
- The backup device monitors the primary through an HA interface.
- L2 communication is required between HA links. IPsec AES encrypts the connection. Heartbeat traffic is over port 720 UDP. The configuration is replicated every 2 seconds.
- Failover takes 30 seconds. Authentications required during the failover are lost.
- Administrative access to the secondary device is achieved with a unique IP address. This access is required in order to change HA settings, perform a firmware upgrade or perform troubleshooting.
- To access the HA management GUI IP of HA interface of both units, it is necessary to have a Workstation in the same subnet as the HA interface configured on the FortiAuthenticators.
Note: Backup units cannot allow configuration changes.
Active/Active (GEO HA):
- An L3 connection is required.
- A primary cluster can backup to another cluster.
- Only the following features are synchronized on this mode: Tokens and seeds, Local and remote users, group mappings, and token and user mappings.
General troubleshooting methods:
- Perform # tcp dump sniffer on CLI with tcpdump, filtering port 720 UDP (heartbeat traffic).
- Look into detailed logs in FortiAuthenticator’s GUI: https://<fac_ip>/debug/slony.
- Collect report.dbg and send logs to TAC support for further analysis.
Related articles:
Technical Tip: How to configure FortiAuthenticator HA A-P cluster.
