darisandy
Staff
Article Id 414175
Description: This article describes how TACACS packets behave on a FortiGate HA cluster depending on the ha-direct option.
Scope: FortiGate HA Cluster.
Solution

When 'ha-direct' is enabled, each FortiGate unit initiates the TACACS connection itself, from its HA-reserved management interface.

Cameron-kvm31 # show system ha
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port10"
            set gateway 10.47.47.254
        next
    end
    set ha-direct enable
end

Cameron-kvm31 # show user tacacs+
config user tacacs+
    edit "tacacs-lab"
        set server "10.122.2.141"
        set key ENC GR38rLKi2dudvXSL1KPD/mZR5lPggchPYnQoKJDhjPx7Kf7CwouemegQmPHLujKbVflIyVH6BcFV72/eo3DY4kfmgu+kfm8asfjJ7LvMd1JgApDqNL46UWYQg3shp9ZxdUzok3C5xyqnDrw01u76vE4edXGLLYIAsypu0hmrO2h05xhn/FMBx4sF9Ln8wWjPF5fzRllmMjY3dkVA
        set authorization enable
    next
end

The following packet captures show both units initiating the TACACS connection themselves, each from its HA-reserved management interface (port10).

Primary:

Cameron-kvm31 # diagnose sniffer packet any "port 49" 4
69.296772 port10 out 10.47.36.167.9254 -> 10.122.2.141.49: syn 1358058984

Secondary:

Iriz-kvm08 # diagnose sniffer packet any "port 49" 4
54.060202 port10 out 10.47.33.99.1526 -> 10.122.2.141.49: syn 1635869956

When ha-direct is not enabled, the Secondary unit in an HA cluster has no routing capability of its own, and the outgoing TACACS connection follows the normal routing table instead:

Cameron-kvm31 # get router info routing-table details 10.122.2.141

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 10.47.15.254, via port1

Primary:

Cameron-kvm31 # diagnose sniffer packet any "port 49" 4
13.072466 port1 out 10.47.4.167.7026 -> 10.122.2.141.49: syn 532792360

18.137218 port1 out 10.47.4.167.7032 -> 10.122.2.141.49: syn 2323583521
19.169079 port1 out 10.47.4.167.7032 -> 10.122.2.141.49: syn 2323583521
21.249075 port1 out 10.47.4.167.7032 -> 10.122.2.141.49: syn 2323583521
25.329092 port1 out 10.47.4.167.7032 -> 10.122.2.141.49: syn 2323583521


  • The first packet (source port 7026) appears when trying to access the Master (Primary) unit.
  • The subsequent packets (the SYN from source port 7032, retransmitted with the same sequence number) appear when trying to access the Secondary unit; they still leave from port1 of the Primary.

Secondary:

Iriz-kvm08 # diagnose sniffer packet any "port 49" 4

On the Secondary unit, the packet capture is empty, as expected.
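As an added example (not part of the Fortinet article), the following Python parses the verbosity-4 sniffer lines shown above and reports, per egress interface and source address, how many TACACS+ connections were attempted and how many SYNs were retransmitted; the capture lines are quoted from the article, and the field layout the regex assumes is taken from those lines.

```python
import re
from collections import defaultdict

# Capture lines quoted from the article. With ha-direct disabled every TACACS+ SYN
# leaves the Primary via port1; the flow from source port 7032 is one SYN retransmitted.
PRIMARY_HA_DIRECT_OFF = """\
Cameron-kvm31 # diagnose sniffer packet any "port 49" 4
13.072466 port1 out 10.47.4.167.7026 -> 10.122.2.141.49: syn 532792360
18.137218 port1 out 10.47.4.167.7032 -> 10.122.2.141.49: syn 2323583521
19.169079 port1 out 10.47.4.167.7032 -> 10.122.2.141.49: syn 2323583521
21.249075 port1 out 10.47.4.167.7032 -> 10.122.2.141.49: syn 2323583521
25.329092 port1 out 10.47.4.167.7032 -> 10.122.2.141.49: syn 2323583521
"""
# With ha-direct enabled the SYN leaves via the HA management port (port10).
PRIMARY_HA_DIRECT_ON = "69.296772 port10 out 10.47.36.167.9254 -> 10.122.2.141.49: syn 1358058984\n"
# Verbosity-4 packet line: <time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <flags> [<seq> ...]
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

def parse_line(line):
    """Parse one sniffer line; return None for prompts, headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tokens = rec.pop("rest").split()
    rec["flags"] = tokens[0]
    rec["seq"] = tokens[1] if len(tokens) > 1 else None  # ISN for a bare 'syn'
    return rec

def summarize_tacacs_egress(capture, tacacs_port="49"):
    """Group outbound TACACS+ SYNs by (egress interface, source IP). A SYN repeating
    an earlier (src IP, src port, seq) is a retransmission: the server never answered."""
    seen = set()
    summary = defaultdict(lambda: {"flows": 0, "retransmitted_syns": 0})
    for line in capture.splitlines():
        rec = parse_line(line)
        if not rec or rec["dir"] != "out" or rec["dport"] != tacacs_port or rec["flags"] != "syn":
            continue
        flow = (rec["src"], rec["sport"], rec["seq"])
        key = (rec["intf"], rec["src"])
        if flow in seen:
            summary[key]["retransmitted_syns"] += 1
        else:
            seen.add(flow)
            summary[key]["flows"] += 1
    return dict(summary)
```

Whichever source address the summary reports is the one the TACACS+ server has to recognise as a client, so it is worth re-running after toggling ha-direct; a flow with only retransmitted SYNs means the server never replied on that path.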

Related article:

Troubleshooting Tip: TACACS requests going through the HA management interface 
