FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
dbu (Staff)
Article Id 267707
Description

This article describes the upgrade procedure of the FortiAuthenticator HA cluster for individual nodes. 

Scope

FortiAuthenticator in an HA pair configured as an Active-Passive cluster. Upgrade on each FortiAuthenticator cluster member individually from the GUI.
Solution

This covers the scenario in which a coordinated upgrade fails or is not possible: what the best practices are, and how to avoid a split-brain condition.

 

Here, the two FortiAuthenticators are on firmware version 6.5.1 and are to be upgraded to firmware version 6.5.3:

 

up1and2.PNG

 

  1. Connect to the FortiAuthenticator active unit and start the firmware upgrade.
    System > Administration > Firmware Upgrade. Select Upload a file to upload the new firmware image and then select OK.

upgrade2.PNG

  2. The following confirmation dialog will be displayed. Select OK.

    up3.PNG

  3. Uploading of the firmware starts:

    up4.PNG

  4. After the firmware is uploaded, another screen appears. Choose HA Upgrade type Single and select 'Backup and Upgrade'.

    up5.PNG

  5. The following message indicates that the upgrade process has started.

    up6.PNG

    The device reboots. While the active member device is rebooting, the standby member becomes the active member.

  6. Start the firmware upgrade on the new active member (former standby device).

    To upgrade the secondary HA member, connect to the device using the HA cluster member IP address as defined in the GUI menu below:

    up7secondary.png

  7. Repeat the same steps performed on the previous unit.

    up4edited.png

    up5.PNG

    up6.PNG

    The device reboots. After both devices have rebooted, the original active member becomes the active device, while the standby member returns to being the standby device based on the assigned priorities.

    Note: If the primary device finishes rebooting before the secondary unit starts the firmware upgrade process (the reboot can take as little as 30 seconds), it can cause a so-called 'split brain' scenario due to the firmware mismatch.

    up12split2.PNG

    updeconfigha.PNG

    Split brain: Both devices are claiming to be active cluster members.

    upsplit.PNG

How to fix it?

  1. Reboot or shut down the active cluster member to which there is access.
  2. Start the firmware upgrade to the required version so that both devices have the same version.
  • The device reboots.
  • After both devices reboot the primary unit will become the Active member as per the assigned priority (high).

 

up16and17.PNG

 

Note: If choosing to reboot, and the reboot always completes before the upgrade starts on the secondary device, the result is an endless loop back into the split-brain scenario.

The only remaining option is physical access to the device in the case of a hardware appliance, or access to the virtual machine in the case of FortiAuthenticator-VM.

 

  • Shut down the primary device and keep it down until the secondary unit starts the upgrade process.
  • When the upgrade process on the secondary device starts, turn the primary device on.
  • Wait for 3-5 minutes until the cluster is formed again.
  • Verify the HA status on the primary device GUI.
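The timing race described in the note above and the recovery sequence in this section can be reasoned about with a small model. The following Python script is an added example and is not Fortinet code; it assumes a simplified cluster rule (two members that are up on the same firmware elect the higher priority as active; two members that are up on different firmware both claim active), the member names "primary" and "secondary", the priorities 200 and 100, and the event names used in the script, all of which are constructed for this model rather than taken from the product. It replays the article's procedure, the race that causes split brain, the reboot loop, and the shutdown-based recovery.

```python
from dataclasses import dataclass

# Added example, not Fortinet code. The election rule in cluster_state() is a
# simplifying assumption made for this model, not FortiAuthenticator's algorithm.

OLD_FW = "6.5.1"   # firmware versions taken from the article's scenario
NEW_FW = "6.5.3"

@dataclass
class Member:
    name: str
    priority: int      # assumption: higher priority wins the active role
    firmware: str
    up: bool = True

def cluster_state(a, b):
    """Roles of the two members, or 'split-brain' when both are up on different firmware."""
    up = [m for m in (a, b) if m.up]
    if not up:
        return {}                                   # both rebooting: nobody is serving
    if len(up) == 1:
        return {up[0].name: "active"}               # the surviving member takes over
    if a.firmware != b.firmware:
        return "split-brain"                        # firmware mismatch: both claim active
    active = max(up, key=lambda m: m.priority)
    return {m.name: "active" if m is active else "standby" for m in up}

def run(events, a, b):
    """Apply events in order and return the cluster state after each one.

    ("upgrade", name)  -> member flashes NEW_FW and starts rebooting (goes down)
    ("boot", name)     -> member finishes rebooting (comes up)
    ("shutdown", name) -> member is powered off
    """
    members = {a.name: a, b.name: b}
    trace = []
    for kind, name in events:
        m = members[name]
        if kind == "upgrade":
            m.firmware, m.up = NEW_FW, False
        elif kind == "boot":
            m.up = True
        elif kind == "shutdown":
            m.up = False
        else:
            raise ValueError(f"unknown event {kind!r}")
        trace.append(cluster_state(a, b))
    return trace

def has_split_brain(trace):
    return "split-brain" in trace

def fresh_pair():
    # Primary carries the higher priority, matching the article's "assigned priority (high)".
    return Member("primary", 200, OLD_FW), Member("secondary", 100, OLD_FW)

def split_brain_pair():
    # Starting point of the "How to fix it" section: primary already on NEW_FW, both up.
    return Member("primary", 200, NEW_FW), Member("secondary", 100, OLD_FW)

def safe_sequence():
    """Article's procedure: the secondary starts its upgrade before the primary is back up."""
    return run([("upgrade", "primary"), ("upgrade", "secondary"),
                ("boot", "primary"), ("boot", "secondary")], *fresh_pair())

def race_sequence():
    """The note's race: the primary finishes rebooting before the secondary starts upgrading."""
    return run([("upgrade", "primary"), ("boot", "primary"),
                ("upgrade", "secondary"), ("boot", "secondary")], *fresh_pair())

def reboot_loop_sequence():
    """Rebooting the primary without first upgrading the secondary re-enters split brain."""
    return run([("shutdown", "primary"), ("boot", "primary")], *split_brain_pair())

def recovery_sequence():
    """Keep the primary down until the secondary's upgrade has started, then power it on."""
    return run([("shutdown", "primary"), ("upgrade", "secondary"),
                ("boot", "primary"), ("boot", "secondary")], *split_brain_pair())

if __name__ == "__main__":
    for label, seq in [("safe", safe_sequence), ("race", race_sequence),
                       ("reboot loop", reboot_loop_sequence), ("recovery", recovery_sequence)]:
        trace = seq()
        print(f"{label:12s} split-brain={has_split_brain(trace)} final={trace[-1]}")
```

Running the script shows why the ordering matters: only the "safe" and "recovery" traces end with the primary active and the secondary in standby without ever passing through the split-brain state, while the "reboot loop" trace ends exactly where it started.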

up18.PNG

 

Peer status:

 

up19.PNG

 

FortiAuthenticator HA LB individual upgrade

Tested in the lab from v6.4.6 to v6.6.0.

 

Primary node upgrade.

 

Pi1.png

 

Secondary node upgrade.

 

Pi4.png

 

Cluster status after the upgrade is finished.

 

Pi2.png

 

Pi3.png

 

 

Related documents:

Upgrading the firmware.

High availability.