Matt_B
Staff & Editor
Article Id 401624
Description This article describes the intended interface selection logic for remote authentication attempts when the reserved management interface is configured and ha-direct is enabled.
Scope FortiGate v7.4.4 and later.
Solution

HA-Direct is an optional feature for HA clusters, allowing local management traffic to be restricted to the reserved HA management interface. See Out-of-band management with reserved management interfaces.

Sample ha-direct configuration:

config system ha
    # some HA configuration not shown
    set mode a-p
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "wan2"
            set gateway 10.255.99.1
        next
    end
    set ha-direct enable
end

When ha-direct is enabled, remote authentication queries are sent out of the configured reserved management interface(s) by default.

This is by design: queries to remote authentication servers are treated as management traffic.

The sniffer output below shows the RADIUS requests leaving via the reserved management interface wan2:

diagnose sniffer packet any 'port 1812' 4 1000
interfaces=[any]
filters=[port 1812]
3.685623 wan2 out 10.128.202.16.10123 -> 10.250.0.21.1812: udp 129
13.270422 wan2 out 10.128.202.16.14297 -> 10.250.0.21.1812: udp 129

Command to collect the fnbamd debug for the authentication attempt:

diag debug application fnbamd -1
diag debug enable

Note: to disable the debug, use 'diag debug disable'.

2025-07-18 09:42:16 [247] fnbamd_dns_parse_resp-got IPv4 DNS reply, req-id=0x121c
2025-07-18 09:42:16 [309] fnbamd_dns_parse_resp-req 0x121c: 10.250.0.21
2025-07-18 09:42:16 [1551] __fnbamd_ldap_dns_cb-Resolved FMI AD:ftntdc01.ftnt.local to 10.250.0.21, cur stack size:-1
2025-07-18 09:42:16 [1742] __auth_ctx_svr_push-Added addr 10.250.0.21:636 from LDAP 'FTNT AD'
2025-07-18 09:42:16 [645] __ldap_add_conn_start_timer-
2025-07-18 09:42:16 [636] __ldap_conn_start_cb-
2025-07-18 09:42:16 [1572] __fnbamd_ldap_get_next_addr-Next available address of LDAP 'FMI AD': 10.250.0.21:636.
2025-07-18 09:42:16 [1760] __auth_ctx_start-Connection starts FMI AD:ftntdc01.ftnt.local, addr 10.250.0.21:636
2025-07-18 09:42:16 [1451] __ldap_tcps_open-vfid 1, addr 192.168.0.6, src_ip 10.253.200.1, ssl_opt 1284, use_ha_relay 0
2025-07-18 09:42:16 [1175] fnbamd_socket_update_interface-vfid is 1, intf mode is 2, intf name is RTX-FMI, server address is 10.250.0.21:636, source address is 10.253.200.1:0, protocol number is 6, oif id is 64
2025-07-18 09:42:16 [1475] __ldap_tcps_open-oif=64, intf_sel.mode=2, intf_sel.name=RTX-FTNT
2025-07-18 09:42:16 [1434] __ldap_ssl_extra_checking-Server identity check is enabled.
2025-07-18 09:42:16 [1484] __ldap_tcps_open-tcps_connect(10.250.0.21) failed: Failed to connect 10.250.0.21:636: Network is unreachable.

This can cause authentication attempts to fail if the remote authentication server is only reachable over another interface, such as an IPsec tunnel. For RADIUS and TACACS+ servers, this can be overridden by configuring source-ip in the server configuration:

config user radius
    edit "RADIUS"
        set server "10.250.0.21"
        set secret ENC <encrypted psk>
        set source-ip "10.253.200.1"
    next
end

config user tacacs+
    edit "TACACS"
        set server "10.250.0.21"
        set source-ip "10.253.200.1"
    next
end

After the source IP address is applied, remote authentication traffic to the server is sent from an exit interface in the same VDOM as the configured server, matching the behavior when ha-direct is disabled.

diagnose sniffer packet any 'port 1812' 4 1000
interfaces=[any]
filters=[port 1812]
5.415861 PRIVATE_CLOUD out 10.253.200.1.3890 -> 10.250.0.21.1812: udp 129
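As an added example (not part of the original article and not FortiOS code), the following Python script automates the check that the two sniffer captures above illustrate: it parses the sample ha-direct configuration to learn which interfaces are reserved for HA management, then scans 'diagnose sniffer packet' output and flags every outbound packet to a remote authentication port that egresses one of those interfaces. The HA configuration and the two captures are reproduced from this article; the list of authentication ports, the Finding fields and the function names are assumptions of this example.

```python
"""Audit FortiGate 'diagnose sniffer packet' output for remote-authentication
traffic that egresses a reserved HA management interface (ha-direct)."""
import re
from dataclasses import dataclass

# Destination ports used by the remote authentication server types the
# article discusses (assumed list, extend as needed).
AUTH_PORTS = {
    1812: "RADIUS auth",
    1813: "RADIUS acct",
    49: "TACACS+",
    389: "LDAP",
    636: "LDAPS",
    3268: "LDAP (global catalog)",
    3269: "LDAPS (global catalog)",
}

# Matches e.g. "3.685623 wan2 out 10.128.202.16.10123 -> 10.250.0.21.1812: udp 129"
SNIFFER_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<len>\d+)"
)


@dataclass
class Finding:
    iface: str
    src: str
    dst: str
    dport: int
    service: str
    via_reserved_mgmt: bool  # True when the packet left via an HA mgmt interface


def reserved_mgmt_interfaces(ha_config: str):
    """Return (ha_direct_enabled, {interfaces}) parsed from a 'config system ha' dump."""
    interfaces = set()
    ha_direct = False
    in_mgmt = False
    for raw in ha_config.splitlines():
        line = raw.strip()
        if line.startswith("config ha-mgmt-interfaces"):
            in_mgmt = True
        elif in_mgmt and line == "end":
            in_mgmt = False  # closes the ha-mgmt-interfaces table
        elif in_mgmt:
            m = re.match(r'set interface "?([^"]+)"?$', line)
            if m:
                interfaces.add(m.group(1))
        elif line == "set ha-direct enable":
            ha_direct = True
    return ha_direct, interfaces


def audit_sniffer(sniffer_output: str, ha_config: str):
    """Return a Finding for every outbound packet to an authentication port."""
    ha_direct, mgmt_ifaces = reserved_mgmt_interfaces(ha_config)
    findings = []
    for line in sniffer_output.splitlines():
        m = SNIFFER_RE.match(line)
        if not m or m["dir"] != "out":
            continue  # header lines and inbound replies are not interesting here
        dport = int(m["dport"])
        if dport not in AUTH_PORTS:
            continue
        findings.append(Finding(
            iface=m["iface"], src=m["src"], dst=m["dst"], dport=dport,
            service=AUTH_PORTS[dport],
            via_reserved_mgmt=ha_direct and m["iface"] in mgmt_ifaces,
        ))
    return findings


# Sample input reproduced from the article (constructed test data for this example).
HA_CONFIG = """\
config system ha
    set mode a-p
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "wan2"
            set gateway 10.255.99.1
        next
    end
    set ha-direct enable
end
"""
SNIFFER_BEFORE = """\
interfaces=[any]
filters=[port 1812]
3.685623 wan2 out 10.128.202.16.10123 -> 10.250.0.21.1812: udp 129
13.270422 wan2 out 10.128.202.16.14297 -> 10.250.0.21.1812: udp 129
"""
SNIFFER_AFTER = """\
interfaces=[any]
filters=[port 1812]
5.415861 PRIVATE_CLOUD out 10.253.200.1.3890 -> 10.250.0.21.1812: udp 129
"""

if __name__ == "__main__":
    for label, capture in (("before source-ip", SNIFFER_BEFORE), ("after source-ip", SNIFFER_AFTER)):
        for f in audit_sniffer(capture, HA_CONFIG):
            flag = "RESERVED-MGMT" if f.via_reserved_mgmt else "ok"
            print(f"{label}: {f.service} {f.src} -> {f.dst}:{f.dport} via {f.iface} [{flag}]")
```

Run against the first capture the script flags both RADIUS requests as leaving via wan2, the reserved management interface; against the second capture the request leaves via PRIVATE_CLOUD and is not flagged. Point it at a longer capture taken with a filter such as 'port 1812 or port 636' to confirm which server types still honour ha-direct on the firmware in use.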

In v7.4.4 and later, this source-ip override does not apply to LDAP servers. In affected firmware versions, queries to LDAP servers always use the reserved management interface when ha-direct is enabled. This matches known internal issue 1134368 and is scheduled to be fixed in v7.4.9 and v7.6.4.

The interface selection logic is scheduled for enhancement in v7.6.4 and later. After the change, if source-ip or a custom interface-select-method is configured for a RADIUS, LDAP, or TACACS+ server, interface selection will ignore the ha-direct setting.