FortiGate
pmarin
Staff
Article Id 193610

Description
This article describes a common issue seen in the field in SLBC deployments: remote logging traffic is routed over the base channel, which may in turn cause the loss of worker blades from the cluster.
Solution
In SLBC deployments, "elbc-mgmt" is automatically set as the management VDOM. This means the elbc-mgmt VDOM is used for the remote logging configuration (FortiAnalyzer and syslog) as well as for any other management-specific communication required by the cluster, for instance DNS resolution, FortiGuard services and NTP.

 
When setting up routing in the elbc-mgmt VDOM, a common step is to add a static default route that points to the FortiController's base-mgmt address as the gateway. For instance:
 
FGT-C1-S6 (elbc-mgmt) # show router static
config router static
    edit 1
        set gateway 169.254.7.1
        set device "base-mgmt"
    next
end
 
 
FGT-C1-S6 (elbc-mgmt) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
S*      0.0.0.0/0 [10/0] via 169.254.7.1, base-mgmt
C       10.101.11.0/24 is directly connected, elbc-base-ctrl
C       10.147.187.0/24 is directly connected, elbc-base-ctrl
C       169.254.1.0/24 is directly connected, elbc-base-ctrl
C       169.254.7.0/24 is directly connected, base-mgmt
C       192.168.1.0/24 is directly connected, mgmt1
 
 
Here 169.254.7.1 is the first IP address of the subnet defined as "base-mgmt-internal-network" under "config load-balance setting" on the FortiController side. This address is a floating IP owned by the master FortiController only. The base-mgmt interface is also used for management communication over the backplane between the FortiController and the FortiGate worker blades, including heartbeats.

On the other hand, the remote logging targets may be located on a different subnet. If no more specific route matches in the elbc-mgmt VDOM, the default route applies and the remote logging traffic is sent out the base-mgmt interface. This extra traffic on the base channel can delay the processing of heartbeats by the FortiController, which results in a worker blade being dropped from the cluster. When this happens, the event logs of the affected worker blade show messages containing "ELBC channel inactive" and "ELBC channel active".
 
In addition, if the affected worker blade happens to be the ELBC master, then tasks that run only on the ELBC master, such as BGP, OSPF or IPsec VPN communication, will flap.
 
For this reason, it is recommended not to use the base-mgmt interface for remote logging traffic. Use the worker blade's physical mgmt interface instead: connect the interface to the network, assign it an address and add static routes towards the logging servers if they are not directly connected. Configuring the physical mgmt interface on the worker blades is also useful for out-of-band management.
 
Finally, remember that the mgmt interface configuration is not synchronized among worker blades, so the interface must be configured on each blade and assigned a unique address.
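The following is an added configuration example that is not part of the original article. It shows, on one worker blade, the weak state described above (only a default route via base-mgmt, so logging traffic follows it onto the base channel) alongside the corrected state (a more specific static route that steers the logging subnet out the physical mgmt1 interface), followed by the checks to confirm which interface the traffic now uses. The addresses are assumed: the blade's mgmt1 address 192.168.1.11/24 (taken from the 192.168.1.0/24 mgmt1 subnet shown in the routing table above), the mgmt1 next hop 192.168.1.1, and a FortiAnalyzer or syslog server at 10.20.30.40 in the 10.20.30.0/24 subnet. Replace them with the values of the actual deployment.

```fortios
# Added example, not from the original article. Assumed values:
#   worker blade mgmt1 address   192.168.1.11/24 (must be unique per blade)
#   mgmt1 next hop               192.168.1.1
#   remote logging subnet/server 10.20.30.0/24 / 10.20.30.40
#
# 1. Give the worker blade's physical mgmt1 interface an address.
#    Done on each blade individually: this is not synced by the cluster.
config global
    config system interface
        edit "mgmt1"
            set ip 192.168.1.11 255.255.255.0
            set allowaccess ping https ssh
        next
    end
end

# 2. In elbc-mgmt, keep the default route via base-mgmt for the
#    FortiController (weak state on its own: with only route 1, the
#    logging traffic would follow it onto the base channel), and add
#    a more specific route so that traffic to the logging subnet
#    leaves via mgmt1 instead.
config vdom
    edit elbc-mgmt
        config router static
            edit 1
                set gateway 169.254.7.1
                set device "base-mgmt"
            next
            edit 2
                set dst 10.20.30.0 255.255.255.0
                set gateway 192.168.1.1
                set device "mgmt1"
            next
        end
    next
end

# 3. Verify: the selected route for the logging server must show mgmt1,
#    not base-mgmt, and packets to the server must be visible on mgmt1.
config vdom
    edit elbc-mgmt
        get router info routing-table details 10.20.30.40
        diagnose sniffer packet mgmt1 'host 10.20.30.40' 4 10
    next
end
```

The remote logging settings themselves (FortiAnalyzer and syslog server addresses) do not need to change; only the route that the elbc-mgmt VDOM selects for those destinations does. Repeat step 1 on every worker blade with a different mgmt1 address, and the route in step 2 on each blade as well, since the elbc-mgmt routing for mgmt1 depends on that per-blade interface configuration.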