FortiGate
epinheiro
Staff
Article Id 413107
Description: This article describes an HA failure observed on FortiGate 120G/121G devices after enabling SNMP queries.
Scope: FortiGate 120G/121G, SNMP, EMAC-VLAN, HA.
Solution:

When SNMP queries are enabled on FortiGate 120G/121G devices, the HA cluster may become unsynchronized if the queries target EMAC-VLAN interfaces on npu-vlink (for example, npu-0-1-222 or npu-0-1-224).

 

The problem is triggered when querying the ifSpeed OID for EMAC-VLAN interfaces, such as:

 

snmpget -v2c -c <user> <host> ifSpeed.32

snmpget -v2c -c <user> <host> ifSpeed.45

snmpget -v2c -c <user> <host> ifSpeed.46

snmpget -v2c -c <user> <host> ifSpeed.47

  

After such queries, the FortiGate stops responding to SNMP, and the HA cluster fails. In this condition, both units can assume the master role simultaneously. Recovery requires a power reboot of both devices.

 

  • Affected versions: FortiOS v7.2 and v7.4.

  • Resolved version: FortiOS v7.6.4.

 

Note: Physical interfaces and VLAN interfaces do not exhibit this behavior.
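
The following added example (not part of the original article and not Fortinet code) lists the ifSpeed instances that match the trigger condition above, so they can be reviewed against a monitoring system's polling list on affected versions. It reads a saved "config system interface" section; the sample config is constructed, and it assumes that npu-vlink parent interfaces are named like npu0_vlink0 and that "set snmp-index" holds the ifIndex used in ifSpeed.N.

```python
import re

# Constructed sample of a "config system interface" section (not from the article).
SAMPLE_CONFIG = """
config system interface
    edit "npu-0-1-222"
        set type emac-vlan
        set interface "npu0_vlink0"
        set snmp-index 32
    next
    edit "npu-0-1-224"
        set type emac-vlan
        set interface "npu0_vlink1"
        set snmp-index 45
    next
    edit "emac-port2"
        set type emac-vlan
        set interface "port2"
        set snmp-index 50
    next
end
"""

def parse_interfaces(config_text):
    """Return {interface name: {setting: value}} from the section text."""
    interfaces, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1:  # skip nested sub-tables inside an interface entry
            m = re.fullmatch(r'edit "([^"]+)"', line)
            if m:
                current = interfaces.setdefault(m.group(1), {})
            elif line == "next":
                current = None
            elif current is not None and line.startswith("set "):
                _, key, value = (line.split(None, 2) + [""])[:3]
                current[key] = value.strip('"')
    return interfaces

def ifspeed_exclusions(config_text):
    """(name, ifSpeed instance) for EMAC-VLAN interfaces whose parent is an npu-vlink."""
    hits = [(int(s["snmp-index"]), name)
            for name, s in parse_interfaces(config_text).items()
            if s.get("type") == "emac-vlan"
            and re.fullmatch(r"npu\d+_vlink\d+", s.get("interface", ""))
            and s.get("snmp-index", "").isdigit()]
    return [(name, f"ifSpeed.{idx}") for idx, name in sorted(hits)]
```

Calling ifspeed_exclusions(SAMPLE_CONFIG) returns the two npu-vlink EMAC-VLAN entries and skips the EMAC-VLAN interface whose parent is a physical port.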