FortiGate
Matt_B
Staff & Editor
Article Id 401624
Description: This article describes the intended interface selection logic for remote authentication attempts when the reserved management interface is configured and ha-direct is enabled.
Scope: FortiGate v7.4.4 and later.
Solution

HA-Direct is an optional feature for HA clusters, allowing local management traffic to be restricted to the reserved HA management interface. See Out-of-band management with reserved management interfaces.

Sample ha-direct configuration:

config system ha
    # some HA configuration not shown
    set mode a-p
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "wan2"
            set gateway 10.255.99.1
        next
    end
    set ha-direct enable
end

When ha-direct is enabled, authentication attempts will use the configured reserved management interface(s) by default.

This is by design, as queries to remote authentication servers are considered management traffic.

diagnose sniffer packet any 'port 1812' 4 1000
interfaces=[any]
filters=[port 1812]
3.685623 wan2 out 10.128.202.16.10123 -> 10.250.0.21.1812: udp 129
13.270422 wan2 out 10.128.202.16.14297 -> 10.250.0.21.1812: udp 129

This can cause authentication attempts to fail if the remote authentication server is only reachable over another interface, such as an IPsec tunnel. Debug output for the fnbamd process will show errors such as 'Network is unreachable'.

diagnose debug application fnbamd -1
diagnose debug enable
{additional output omitted}
[1484] __ldap_tcps_open-tcps_connect(10.250.0.21) failed: Failed to connect 10.250.0.21:636: Network is unreachable.

 

Note: To disable the debugging, use 'diagnose debug disable'.

 

For RADIUS and TACACS+ servers, the ha-direct interface can be overridden by configuring source-ip in the server configuration:

config user radius
    edit "RADIUS"
        set server "10.250.0.21"
        set secret ENC <encrypted psk>
        set source-ip "10.253.200.1"
    next
end

config user tacacs+
    edit "TACACS"
        set server "10.250.0.21"
        set source-ip "10.253.200.1"
    next
end

 

In FortiOS v7.4.9, v7.6.4, and later, the same method can be used for LDAP servers to override the ha-direct setting.

config user ldap
    edit "LDAP"
        set server "10.250.0.21"
        set source-ip "10.253.200.1"
        set dn "dc=example,dc=com"
        set cnid "cn"
        set username "cn=fortigateserviceaccount,ou=it,dc=example,dc=com"
        set password <password>
    next
end

 

After applying the source IP address, remote authentication traffic to the remote server is sent using an exit interface in the same VDOM as the configured server, similar to if ha-direct is disabled.

diagnose sniffer packet any 'port 1812' 4 1000
interfaces=[any]
filters=[port 1812]
5.415861 PRIVATE_CLOUD out 10.253.200.1.3890 -> 10.250.0.21.1812: udp 129

 

In FortiOS v7.4.4 through v7.4.8, source-ip can be set for the LDAP server, but it does not override the ha-direct setting. This is a known issue, tracked by issue ID 1134368.

 

In FortiOS v7.6.4 and later, 'set interface-select-method specify' or 'set interface-select-method sdwan' can be used to override the ha-direct interface for RADIUS, TACACS+, and LDAP servers, without the need to specify a source IP. For more on configuring interface-select-method, see FortiOS v7.6.4 Administration Guide | Local Out Traffic.

config user radius
    edit "RADIUS"
        set interface-select-method specify
        set interface "SERVER_VLAN"
    next
end
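As an added verification check (not part of the original article or FortiOS itself), the following Python script parses 'config system ha' output for the reserved management interfaces and flags sniffer lines where traffic to authentication-server ports egressed via one of them while ha-direct is enabled; the function names and the sample configuration and sniffer lines are constructed in the formats shown above.

```python
import re

# Constructed sample of 'config system ha' output (not from a real device).
HA_CONFIG = """
config system ha
    set mode a-p
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "wan2"
            set gateway 10.255.99.1
        next
    end
    set ha-direct enable
end
"""

# Constructed sniffer lines in the format of 'diagnose sniffer packet any ... 4'.
SNIFFER_OUTPUT = """
3.685623 wan2 out 10.128.202.16.10123 -> 10.250.0.21.1812: udp 129
13.270422 wan2 out 10.128.202.16.14297 -> 10.250.0.21.1812: udp 129
5.415861 PRIVATE_CLOUD out 10.253.200.1.3890 -> 10.250.0.21.1812: udp 129
"""

# One sniffer line: timestamp, interface, direction, src.port -> dst.port: ...
SNIFF_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def reserved_mgmt_interfaces(ha_config):
    """Reserved HA management interfaces, or an empty set if ha-direct is not enabled."""
    if not re.search(r"^\s*set ha-direct enable\s*$", ha_config, re.M):
        return set()
    block = re.search(r"config ha-mgmt-interfaces(.*?)^\s*end", ha_config, re.S | re.M)
    if not block:
        return set()
    return set(re.findall(r'set interface "([^"]+)"', block.group(1)))

def auth_packets_via_mgmt(sniffer_output, ha_config, auth_ports=(1812, 1813, 49, 389, 636)):
    """Egress packets to RADIUS/TACACS+/LDAP ports that left via a reserved mgmt interface."""
    mgmt = reserved_mgmt_interfaces(ha_config)
    hits = []
    for line in sniffer_output.splitlines():
        m = SNIFF_RE.match(line.strip())
        if not m or m["dir"] != "out":
            continue
        if int(m["dport"]) in auth_ports and m["intf"] in mgmt:
            hits.append((m["intf"], m["src"], m["dst"], int(m["dport"])))
    return hits

if __name__ == "__main__":
    for intf, src, dst, port in auth_packets_via_mgmt(SNIFFER_OUTPUT, HA_CONFIG):
        print(f"auth traffic to {dst}:{port} left via reserved mgmt interface {intf} from {src}")
```

Lines egressing via a non-reserved interface (here PRIVATE_CLOUD) are not flagged, which is the expected result after source-ip or interface-select-method has been applied.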