FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
pginete
Staff
Article Id 325924
Description

This article describes how to stabilize a FortiAuthenticator HA cluster that forms over VXLAN over IPsec but keeps dropping out of sync.

Scope

FortiAuthenticator.

Solution

[Image: FAC VXLAN HA cluster network diagram]

 

The setup is a FortiAuthenticator HA cluster whose members communicate over a VXLAN-over-IPsec VPN tunnel. The two FortiAuthenticators are located at different sites.

 

VXLAN is configured on both FortiGates as described in the Technical Tip "VXLAN over IPsec for multiple VLANs using software switch over IPsec", which provides layer 2 connectivity between the two sites; the FortiAuthenticator HA cluster is built on top of that layer 2 path.

 

The FortiAuthenticator HA cluster formed, but was not stable with the default Heartbeat interval (10) and Heartbeat lost threshold (6) values.

 

[Image: FAC cluster formed but not stable]

 

The issue was resolved by increasing the Heartbeat interval to 20 and the Heartbeat lost threshold to 60.

 

[Image: FAC HA settings]

 

FortiAuthenticator HA cluster is now stable:

 

[Image: FAC cluster stable]

 

If latency or packet loss over the VXLAN-over-IPsec path is high, adjust the Heartbeat interval and Heartbeat lost threshold values (together they define how many missed or late heartbeats the cluster tolerates before it declares the peer down, so raising them trades faster failure detection for stability), and lower the MTU so that heartbeat and synchronization traffic is not fragmented by the tunnel encapsulation:

  1. On both FortiGates, reduce the MTU of the VLAN interface that carries the FortiAuthenticator traffic, for example to 1340:

config system interface
    edit [vlan_interface]
        set mtu-override enable
        set mtu 1340
    next
end

  2. On both FortiAuthenticators, set 'mgmt-mtu' and 'lb-tun-mtu' to the same value via the CLI:

config system ha
    set mgmt-mtu 1340
    set lb-tun-mtu 1340
end

Confirm the chosen value end to end before relying on it, for example with a don't-fragment ping of matching size between the two FortiAuthenticators across the tunnel; if such a probe is dropped, the MTU is still too large for the path.

 

 
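The 1340-byte value above is a working figure from this deployment, not a derived one. The following Python script is an added example, not part of the original article or a Fortinet tool, that estimates the largest inner MTU which still fits a 1500-byte underlay after VXLAN and ESP tunnel-mode encapsulation, and builds the matching don't-fragment ping probe. All header sizes are protocol constants; the IPsec parameters (AES-CBC with a 16-byte IV, a 16-byte ICV, no NAT-T) and the peer address 10.0.0.2 are assumptions that should be replaced with what the tunnel actually negotiated.

```python
"""Added example (not from the original article): estimate the largest inner
MTU that survives VXLAN-over-IPsec encapsulation, and build a DF ping probe
to verify a candidate value such as the article's 1340 between HA members."""

ETH_HDR = 14        # Ethernet header of the frame that VXLAN encapsulates
VLAN_TAG = 4        # 802.1Q tag, present when tagged VLANs cross the tunnel
VXLAN_HDR = 8
UDP_HDR = 8
IP_HDR = 20         # IPv4 without options
ICMP_HDR = 8
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
NAT_T_UDP = 8       # extra UDP header when IPsec runs over NAT-T (UDP/4500)


def vxlan_packet_len(inner_mtu, vlan_tagged=True):
    """Size of the VXLAN/UDP/IP packet carrying one maximum-size inner frame."""
    eth = ETH_HDR + (VLAN_TAG if vlan_tagged else 0)
    return inner_mtu + eth + VXLAN_HDR + UDP_HDR + IP_HDR


def esp_tunnel_len(plain_len, iv_len=16, icv_len=16, block=16, nat_t=False):
    """Outer packet size after ESP tunnel-mode encapsulation of plain_len bytes.
    Padding aligns payload + trailer to the cipher block: 16 for AES-CBC
    (assumed default here), 4 for AES-GCM, which also uses an 8-byte IV."""
    pad = (-(plain_len + ESP_TRAILER)) % block
    return (IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv_len
            + plain_len + pad + ESP_TRAILER + icv_len)


def encapsulated_len(inner_mtu, vlan_tagged=True, **esp):
    """Bytes on the underlay for one inner_mtu-sized frame."""
    return esp_tunnel_len(vxlan_packet_len(inner_mtu, vlan_tagged), **esp)


def max_inner_mtu(underlay_mtu=1500, vlan_tagged=True, **esp):
    """Largest inner MTU whose encapsulated packet fits the underlay without
    fragmentation; fragmented ESP is what gets heartbeats dropped or delayed."""
    mtu = underlay_mtu
    while mtu > 0 and encapsulated_len(mtu, vlan_tagged, **esp) > underlay_mtu:
        mtu -= 1
    return mtu


def df_ping_command(inner_mtu, peer_ip):
    """Linux ping sending don't-fragment probes whose IP packet is exactly
    inner_mtu bytes (the stack adds the 20-byte IP and 8-byte ICMP headers)."""
    payload = inner_mtu - IP_HDR - ICMP_HDR
    return f"ping -M do -c 5 -s {payload} {peer_ip}"


if __name__ == "__main__":
    candidate = 1340                      # the article's value
    for tagged, nat_t in ((False, False), (True, False), (True, True)):
        print(f"vlan_tagged={tagged!s:5} nat_t={nat_t!s:5} "
              f"max inner MTU={max_inner_mtu(1500, tagged, nat_t=nat_t)} "
              f"({candidate} -> {encapsulated_len(candidate, tagged, nat_t=nat_t)} B on wire)")
    print("AES-GCM, tagged:", max_inner_mtu(1500, True, iv_len=8, icv_len=16, block=4))
    print(df_ping_command(candidate, "10.0.0.2"))  # 10.0.0.2 is a placeholder peer
```

With the assumed AES-CBC parameters the calculator gives an upper bound of 1388 bytes for an untagged frame without NAT-T and 1368 bytes for a tagged frame behind NAT-T, so 1340 leaves margin for either case; the DF ping is still the authoritative check, because the underlay itself may have a path MTU below 1500.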

The adjustable Heartbeat interval and Heartbeat lost threshold settings are available on FortiAuthenticator firmware v6.1.1 and later, or v6.2.0 and later.