enguyen3467
Staff
Article Id 230805
Description

 

This article describes a behavior seen during an uninterruptable upgrade, or when a link failure briefly occurs on the monitored interface(s) of the primary unit 'FGT01': once 'FGT01' has booted successfully, or its monitored interface(s) are back up, it quickly takes the primary role back instead of letting 'FGT02' remain the new primary in the HA cluster, even though the HA cluster uptime (HA age) of 'FGT01' is smaller than that of 'FGT02'.

 

This scenario only occurs when the override setting is disabled (the default).

 

Scope

 

FortiGate. 

 

Solution

 

This is caused by the HA age difference margin and is completely normal behavior during the primary unit selection process.

 

Check the documentation for primary unit selection when override is disabled:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653 

 

This also explains why, during the initial HA setup, the priority value must be set higher on the unit that should become the primary (i.e. FGT01) than on the other member (FGT02).

The HA age is not the same as the system uptime of each unit; it is reset after a reboot or in the event of a link failure on the configured monitored interface(s).

 

The HA age difference margin (in seconds) can be changed with the following CLI commands:

 

# config system ha
    set ha-uptime-diff-margin <1-65535>    <----- Default is 300.
end

 

If waiting for the age difference margin is not desired, especially when uninterruptable upgrades should work as intended, the value can be decreased. This makes 'FGT02' more likely to remain the primary unit after a firmware upgrade or after a link failure on 'FGT01'.

 

To guarantee that 'FGT01' takes the primary role back after a reboot or after a link failure, either set ha-uptime-diff-margin to a value larger than 300, or enable the override setting on both units and set the priority of 'FGT01' higher than that of 'FGT02'.
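The following is an added example, not Fortinet code, that models the primary selection process described above so the effect of ha-uptime-diff-margin and override can be reasoned about before changing a cluster. It assumes the selection order from the FortiGate documentation (override disabled: monitored interfaces up, then HA age beyond the margin, then priority, then serial number; override enabled: priority is checked before HA age). Unit names, priorities, ages and serial numbers are constructed for the scenario in this article: FGT01 has the higher priority but has just rebooted, so its HA age was reset.

```python
from dataclasses import dataclass
from typing import Callable, List

# FortiOS default for ha-uptime-diff-margin, in seconds, as stated in the article.
DEFAULT_UPTIME_DIFF_MARGIN = 300


@dataclass
class HaUnit:
    name: str
    serial: str              # constructed serial; the larger serial wins the final tiebreak
    priority: int            # HA priority (FortiOS default is 128)
    monitored_links_up: int  # number of monitored interfaces currently up
    ha_age: int              # seconds since this unit's HA age was last reset (reboot/link failure)


def _keep_max(cands: List[HaUnit], key: Callable[[HaUnit], object]) -> List[HaUnit]:
    """Keep only the candidates sharing the highest value of key()."""
    best = max(key(u) for u in cands)
    return [u for u in cands if key(u) == best]


def _keep_oldest_within_margin(cands: List[HaUnit], margin: int) -> List[HaUnit]:
    """Keep the oldest unit plus any unit whose HA age is within the margin of it.

    Ages that differ by no more than ha-uptime-diff-margin are treated as equal,
    so the decision falls through to the next criterion (priority when override is off).
    """
    oldest = max(u.ha_age for u in cands)
    return [u for u in cands if oldest - u.ha_age <= margin]


def select_primary(units: List[HaUnit], override: bool = False,
                   margin: int = DEFAULT_UPTIME_DIFF_MARGIN) -> HaUnit:
    """Simplified model of FortiGate primary selection (assumed order, see lead-in).

    override disabled: monitored links -> HA age (beyond margin) -> priority -> serial
    override enabled:  monitored links -> priority -> HA age (beyond margin) -> serial
    """
    cands = list(units)
    by_links = lambda c: _keep_max(c, lambda u: u.monitored_links_up)
    by_age = lambda c: _keep_oldest_within_margin(c, margin)
    by_priority = lambda c: _keep_max(c, lambda u: u.priority)
    by_serial = lambda c: _keep_max(c, lambda u: u.serial)

    steps = [by_links] + ([by_priority, by_age] if override else [by_age, by_priority]) + [by_serial]
    for step in steps:
        cands = step(cands)
        if len(cands) == 1:
            return cands[0]
    return cands[0]


def scenario(margin: int = DEFAULT_UPTIME_DIFF_MARGIN, override: bool = False,
             fgt01_links_up: int = 2) -> str:
    """Constructed scenario from the article: FGT01 (higher priority) just rebooted, so its
    HA age was reset to a small value; FGT02 has been running 200 s longer. Returns the
    name of the unit that becomes primary."""
    fgt01 = HaUnit("FGT01", "FGTSERIAL000001", priority=200,
                   monitored_links_up=fgt01_links_up, ha_age=100)
    fgt02 = HaUnit("FGT02", "FGTSERIAL000002", priority=128,
                   monitored_links_up=2, ha_age=300)
    return select_primary([fgt01, fgt02], override=override, margin=margin).name


if __name__ == "__main__":
    # Default margin: the 200 s age gap is inside the margin, so priority decides -> FGT01 preempts.
    print("margin 300, override off:", scenario())
    # Lower margin: the age gap now exceeds it, so the older FGT02 stays primary.
    print("margin 60,  override off:", scenario(margin=60))
    # Override enabled: priority is checked before age, so FGT01 wins regardless of margin.
    print("margin 60,  override on: ", scenario(margin=60, override=True))
    # A monitored link still down on FGT01 decides before age or priority.
    print("FGT01 link down:         ", scenario(fgt01_links_up=1))
```

Run the script directly to see the four outcomes; changing the margin or the override flag in scenario() mirrors what the CLI commands above do on the real cluster. The model deliberately treats an age difference equal to the margin as "within the margin"; treat that boundary as an assumption of the example rather than confirmed FortiOS behavior.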

 

Related articles:

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-change-the-HA-cluster-age-differen... 

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653#:~:text=If%20the%20HA%20age,becom.... 

https://docs.fortinet.com/document/fortigate/6.4.10/administration-guide/247944/upgrading-fortigates...