Description
This article describes the steps necessary to configure a FortiAuthenticator Layer 2 HA A-P cluster.
Solution
Before to start forming the HA cluster, take into consideration the below points and be aware of the following:
1) Properly design the subnets use for HA management interfaces and other network interfaces.
2) Important: Since the license key is bind to an IP address configured on the unit.
It is important to assign it to the HA interface IP address.
Otherwise, the slave node license will be unavailable due to IP overridden.
Simply overcome the license issue by modifying the license file of the secondary unit under the support portal by pointing it to the HA management interface of the slave unit and reupload it again to the slave.
3) Both FortiAuthenticator devices must be the same model and firmware version.
4) L2 communication is required between HA links.
5) Failover approximately happens 30 seconds after a failure.
6) All the configuration is synced except the HA settings and hostname.
Below is the Step-by-Step HA guide:
1) License Config:
After initial configuration, assign the license keys.
In this example, port4 is used to be the HA interface which the license is assigned to:
- FAC-Primary 172.16.0.1.
- FAC-Secondary 172.16.0.2.
Then select 'License File Download'.
Upload the license file by going to System -> Administration -> Licensing and select 'OK':
Upload the license file by going to System -> Administration -> Licensing and select 'OK':
After adding the license key, FortiAuthenticator will reboot automatically.
Perform the same steps on the secondary unit.
Perform the same steps on the secondary unit.
A License Warning message will be received after accessing the units since the IP address bound to the license is not configured yet on the HA management interface.
This can be temporarily ignored at this step.
2) Configure High Availability Settings on the Primary unit.
Under System -> Administration -> High Availability and enable HA.
- For the Role select Cluster member for L2 cluster
- Maintenance Mode leave it Disabled.
- Interface select Port4.
- Cluster member IP address type the IP address that was bind to the license key '172.16.0.1'.
- Priority select High for Primary and Low for Slave.
- Type any password but make sure to be the same on both units. Otherwise, the HA will not be formed.
- Select the Monitor interfaces to monitor in order to trigger failover in case one of them fails.
- For the Role select Cluster member for L2 cluster
- Maintenance Mode leave it Disabled.
- Interface select Port4.
- Cluster member IP address type the IP address that was bind to the license key '172.16.0.1'.
- Priority select High for Primary and Low for Slave.
- Type any password but make sure to be the same on both units. Otherwise, the HA will not be formed.
- Select the Monitor interfaces to monitor in order to trigger failover in case one of them fails.
After configuring all these steps select 'OK'.
3) User Inventory.
After adding the license and configure the HA management IP address, make sure that all limitations of trial license have been removed by checking User Inventory in the status dashboard.
After adding the license and configure the HA management IP address, make sure that all limitations of trial license have been removed by checking User Inventory in the status dashboard.
If license not reflected correctly, just reload the unit.
4) Configure High Availability Settings on the Secondary unit:
5) HA Status.
Wait few minutes to makes sure that all the configuration has been synced then check HA Status.
Wait few minutes to makes sure that all the configuration has been synced then check HA Status.
See the below result with a green check mark under Health status:
6) - To access the HA management GUI IP of HA interface of both units, you need to have Workstation in the same subnet as the HA interface configured on the FACs.
Node-Specific Default Gateway is option if you have clusters in two different Datacenters and the default gateway for those datacenters is different. Then you need to configure that option to be correct gateway if failover occurs so that node has access to network.
If Node-Specific Default Gateway is set, that option will overwrite default gateway in the static routing of the Node and that will become new default gateway for whole Node.
Related Article:
