Description

This article explains the exact behavior during the HA upgrade in a Virtual Cluster environment with the HA override wait timer configured.

The following configuration example will be used for explanation:

FortiGate A:

config system ha
    set group-id 10
    set group-name "HA-Group"
    set mode a-p
    set password Password
    set hbdev "ha" 100 "port9" 150
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt"
                set gateway 192.168.1.1
            next
        end
            set vcluster-status enable
                config vcluster
                    edit 1
                        set override enable
                        set priority 130
                        set override-wait-time 900
                        set monitor "port5"
                        set vdom "VDOM1"
                    next
                        edit 2
                            set override enable
                            set priority 250
                            set override-wait-time 900
                            set monitor "port5"
                            set vdom "VDOM2"
                        next
                    end
                end

FortiGate B:

config system ha
    set group-id 10
    set group-name "HA-Group"
    set mode a-p
    set password Password
    set hbdev "ha" 100 "port9" 150
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "mgmt"
                set gateway 192.168.1.2
            next
        end
            set vcluster-status enable
                config vcluster
                    edit 1
                    set override enable
                    set priority 250
                    set override-wait-time 900
                    set monitor "port5"
                    set vdom "VDOM1"
                next
                    edit 2
                        set override enable
                        set priority 130
                        set override-wait-time 900
                        set monitor "port5"
                        set vdom "VDOM2"
                    next
                end
            end

Scope

FortiGate Virtual Cluster behavior during the upgrade, depending on the HA override wait timer setup.

Solution

1. After the upgrade, FortiGates 'exchange' primary roles for clusters (reverse priority logic) and stays that way until the override-wait-time period expires. Then they'll failover again according to the priority setup (the higher the better).
2. To be 'considered equal' in the election process, both FortiGate uptime has to be longer than the override-wait-time period. If that is not the case, the one whose uptime is longer will be primary until the other FortiGate's uptime passes the override-wait-time period, at which point the primary election will be done according to the priority settings.

Based on the configuration shown above, here is what happens exactly:

1. FortiGate A and B in normal case:

• vcluster1: A is primary (high priority).
• vcluster2: B is primary (high priority).

2. Upgrade: B upgrades first, then A.
3. After upgrade:

• vcluster1: B is primary (low priority in override-wait-time period).
• vcluster2: A is primary (low priority in override-wait-time period).

In addition, to let FortiGate A wait after the upgrade, set override-wait-time on one cluster.

For example:

1. If having FortiGate A and B, in normal case:

• vcluster1: A is primary (high priority).
• vcluster2: B is primary (high priority).

2. Suppose A is primary for management vdom, which will be upgraded later. Set override-wait-time only on vcluster1.
3. Then after both FortiGate upgrades:

• vcluster1: B is primary (low priority in override-wait-time period).
• vcluster2: B is primary (high priority, no override-wait-time).