FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
lmarinovic
Staff
Article Id 191494

Description

This article describes the scope of a FortiAuthenticator HA cluster.

 

Scope

FortiAuthenticator.


Solution

FortiAuthenticator can operate as a cluster that offers redundancy and, in some configurations, load balancing.
The cluster can be configured at Layer 2 (Active/Passive) or at Layer 3 (Active/Active).

The following prerequisites must be met:

- Two FortiAuthenticator devices of the same model and platform.
- Both devices must run the same firmware version.
- All HA participants must have a valid license.


Active/Passive:

- One device operates in the primary role while the other operates as a backup in standby mode.
- The backup device monitors the primary through an HA interface.
- L2 connectivity is required between the HA links. The connection is encrypted with IPsec (AES). Heartbeat traffic uses UDP port 720, and the configuration is replicated every 2 seconds.
- Failover takes 30 seconds. Authentication requests made during the failover are lost.
- Administrative access to the secondary device is provided through a dedicated IP address. This access is required to change HA settings, perform a firmware upgrade or troubleshoot.
- To reach the HA management GUI IP on the HA interface of either unit, a workstation must be in the same subnet as the HA interface configured on the FortiAuthenticators.

Note: Configuration changes cannot be made on the backup unit.


Active/Active (GEO HA):

- An L3 connection is required.
- A primary cluster can back up to another cluster.
- Only the following features are synchronized in this mode: tokens and seeds, local and remote users, group mappings, and token and user mappings.

General troubleshooting methods:

- Run a packet capture on the CLI with tcpdump, filtering on UDP port 720 (heartbeat traffic).
- Look into the detailed logs in the FortiAuthenticator GUI: https://<fac_ip>/debug/slony.
- Collect report.dbg and send the logs to TAC support for further analysis.
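The heartbeat capture above is only useful if the inter-arrival times are actually checked. The following Python script is an added example (not Fortinet code and not part of the original article) that parses `tcpdump -n` style output, keeps only UDP port 720 datagrams, and flags gaps between consecutive heartbeats in each direction. The capture lines, the 10.0.0.x addresses, the 2-second expected heartbeat interval and the gap tolerance are constructed assumptions for the example; the article states the heartbeat port (UDP 720), the 2-second configuration replication and the 30-second failover time, and those three values are the only ones taken from it.

```python
import re
from datetime import datetime

# Values taken from the article.
HA_HEARTBEAT_PORT = 720     # UDP port carrying HA heartbeat traffic
FAILOVER_SECONDS = 30.0     # failover takes 30 seconds

# ASSUMPTION for this example: heartbeats are expected roughly every 2 s
# (the article gives 2 s for configuration replication; the heartbeat
# cadence itself is not stated, so tune this to what your capture shows).
EXPECTED_INTERVAL = 2.0

# One line of `tcpdump -n` output for an IPv4 UDP datagram, e.g.
# "10:00:02.000123 IP 10.0.0.1.720 > 10.0.0.2.720: UDP, length 64"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

# Constructed sample capture: two cluster members exchange heartbeats every
# 2 s, but 10.0.0.2 goes silent between 10:00:02.1 and 10:00:12.1.
# The DNS line (port 53) is unrelated traffic that must be ignored.
SAMPLE_CAPTURE = """\
10:00:00.000000 IP 10.0.0.1.720 > 10.0.0.2.720: UDP, length 64
10:00:00.100000 IP 10.0.0.2.720 > 10.0.0.1.720: UDP, length 64
10:00:02.000000 IP 10.0.0.1.720 > 10.0.0.2.720: UDP, length 64
10:00:02.100000 IP 10.0.0.2.720 > 10.0.0.1.720: UDP, length 64
10:00:04.000000 IP 10.0.0.1.720 > 10.0.0.2.720: UDP, length 64
10:00:05.000000 IP 10.0.0.1.53412 > 10.0.0.9.53: UDP, length 40
10:00:06.000000 IP 10.0.0.1.720 > 10.0.0.2.720: UDP, length 64
10:00:08.000000 IP 10.0.0.1.720 > 10.0.0.2.720: UDP, length 64
10:00:10.000000 IP 10.0.0.1.720 > 10.0.0.2.720: UDP, length 64
10:00:12.000000 IP 10.0.0.1.720 > 10.0.0.2.720: UDP, length 64
10:00:12.100000 IP 10.0.0.2.720 > 10.0.0.1.720: UDP, length 64
"""


def parse_heartbeats(lines, port=HA_HEARTBEAT_PORT):
    """Return (timestamp, src, dst) for every UDP datagram to or from `port`.

    Lines that do not match the tcpdump format, or that belong to other
    ports, are skipped so the capture need not be pre-filtered.
    """
    beats = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if int(m["sport"]) != port and int(m["dport"]) != port:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        beats.append((ts, m["src"], m["dst"]))
    return beats


def find_gaps(beats, expected_interval=EXPECTED_INTERVAL, tolerance=2.0):
    """Flag gaps larger than expected_interval * tolerance, per direction.

    Each result is (src, dst, start_of_gap, gap_seconds, severity) where
    severity is "failover-length" when the gap reaches FAILOVER_SECONDS,
    i.e. long enough that the backup may already have taken over.
    """
    threshold = expected_interval * tolerance
    by_direction = {}
    for ts, src, dst in beats:
        by_direction.setdefault((src, dst), []).append(ts)
    gaps = []
    for (src, dst), stamps in by_direction.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            gap = (cur - prev).total_seconds()
            if gap > threshold:
                severity = "failover-length" if gap >= FAILOVER_SECONDS else "missed"
                gaps.append((src, dst, prev.strftime("%H:%M:%S.%f"), gap, severity))
    return gaps


def analyze_capture(text):
    """Parse a whole capture and return heartbeat counts plus flagged gaps."""
    beats = parse_heartbeats(text.splitlines())
    counts = {}
    for _, src, dst in beats:
        key = f"{src} -> {dst}"
        counts[key] = counts.get(key, 0) + 1
    return {"heartbeats": len(beats), "per_direction": counts, "gaps": find_gaps(beats)}


if __name__ == "__main__":
    result = analyze_capture(SAMPLE_CAPTURE)
    print(f"{result['heartbeats']} heartbeat datagrams: {result['per_direction']}")
    for src, dst, start, gap, severity in result["gaps"]:
        print(f"{severity}: no heartbeat {src} -> {dst} for {gap:.1f}s after {start}")
```

On the constructed capture the script reports one 10-second silence from 10.0.0.2 towards 10.0.0.1 starting at 10:00:02.1, while the opposite direction is steady; in a real capture that pattern points at the silent member or the L2 path between the HA links rather than at the member that is still sending. Feed the script the saved tcpdump output (`python3 ha_heartbeat.py < capture.txt` after swapping `SAMPLE_CAPTURE` for `sys.stdin.read()`) before escalating to TAC with report.dbg.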

Related articles:

Technical Tip: How to configure FortiAuthenticator HA A-P cluster.
