ssriswadpong
Staff & Editor
Article Id 197041

Description

 

This article describes how to troubleshoot high availability on FortiGate-VM for Azure and how to see when the public IP address is moved from the master unit to the slave unit.


Scope

 

High availability for FortiGate on Azure.


Solution

 

Before starting an HA failover, verify that the HA status is in-sync by running:

 

 

get system ha status

 

If the HA status is not in-sync, see how to troubleshoot HA synchronization issues: https://kb.fortinet.com/kb/documentLink.do?externalID=FD45183

 

Run the debug commands below before proceeding with the HA failover.

 

diagnose debug disable

 

diagnose debug reset

diagnose debug console timestamp enable

diagnose debug application sdncd -1

diagnose debug application azd -1

diagnose debug application azd-ha -1  <----- From v7.2.8, v7.4.2: for Azure HA actions, to avoid mixing debug messages from the Azure SDN connector.

 

diagnose debug enable

 

This is a sample of the output when the HA failover is completed.

 

 

2020-12-12 13:00:49 removing pubip  <----- Removing public IP address from master unit.

2020-12-12 13:00:50 query nic FortiGate-A-nic1

2020-12-12 13:00:51 query nic FortiGate-A-nic1, rc: 0

2020-12-12 13:00:51 remove public ip FGTAPClusterPublicIP in ipconfig ipconfig1 of nic FortiGate-A-nic1

2020-12-12 13:00:51 updating nic: FortiGate-A-nic1

2020-12-12 13:00:53 updating nic: FortiGate-A-nic1, rc: 0

2020-12-12 13:00:54 operation: "updating nic: FortiGate-A-nic1", status: InProgress

2020-12-12 13:01:04 operation: "updating nic: FortiGate-A-nic1", status: InProgress

2020-12-12 13:01:14 operation: "updating nic: FortiGate-A-nic1", status: InProgress

2020-12-12 13:01:24 operation: "updating nic: FortiGate-A-nic1", status: InProgress

2020-12-12 13:01:34 operation: "updating nic: FortiGate-A-nic1", status: Succeeded <----- Updating IP address on master unit is done.

2020-12-12 13:01:36 adding pubip <----- Moving public IP address to the new master unit.

2020-12-12 13:01:36 query nic FortiGate-B-nic1

2020-12-12 13:01:36 query nic FortiGate-B-nic1, rc: 0

2020-12-12 13:01:36 add public ip FGTAPClusterPublicIP in ipconfig ipconfig1 of nic FortiGate-B-nic1

2020-12-12 13:01:37 updating nic: FortiGate-B-nic1

2020-12-12 13:01:37 updating nic: FortiGate-B-nic1, rc: 0

2020-12-12 13:01:39 operation: "updating nic: FortiGate-B-nic1", status: InProgress

2020-12-12 13:01:49 operation: "updating nic: FortiGate-B-nic1", status: InProgress

2020-12-12 13:02:00 operation: "updating nic: FortiGate-B-nic1", status: InProgress

2020-12-12 13:02:10 operation: "updating nic: FortiGate-B-nic1", status: InProgress

2020-12-12 13:02:19 operation: "updating nic: FortiGate-B-nic1", status: Succeeded <----- Updating IP address on the new master unit is done.

2020-12-12 13:02:20 query route table DefaultRouteTable in resource group ResourceGroupName of subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

2020-12-12 13:02:20 route table query, rc: 0

2020-12-12 13:02:20 matching route:toDefault:toDefault

2020-12-12 13:02:20 set route toDefault nexthop 10.44.99.254

2020-12-12 13:02:21 updating route table DefaultRouteTable in resource group ResourceGroupName of subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

2020-12-12 13:02:21 updating route table DefaultRouteTable in resource group ResourceGroupName of subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, rc: 0

2020-12-12 13:02:21 operation: "updating route table DefaultRouteTable in resource group ResourceGroupName of subscription xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", status: Succeeded <----- Updating route table in the Azure resource group is done.

 

To stop the debug:

 

diagnose debug disable

diagnose debug reset
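
The following is an added example, not part of the original article and not Fortinet code: a small Python parser for a saved capture of the debug output above, reporting how long each Azure operation took and whether the failover finished. The function name `summarize` and the sample text are constructed here (the route table operation name is shortened), and it assumes timestamps were enabled with `diagnose debug console timestamp enable` as shown above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the debug lines shown in this article.
SAMPLE = """\
2020-12-12 13:00:49 removing pubip  <----- annotation text is ignored
2020-12-12 13:00:51 updating nic: FortiGate-A-nic1
2020-12-12 13:01:34 operation: "updating nic: FortiGate-A-nic1", status: Succeeded
2020-12-12 13:01:36 adding pubip
2020-12-12 13:01:37 updating nic: FortiGate-B-nic1
2020-12-12 13:01:39 operation: "updating nic: FortiGate-B-nic1", status: InProgress
2020-12-12 13:02:19 operation: "updating nic: FortiGate-B-nic1", status: Succeeded
2020-12-12 13:02:21 operation: "updating route table DefaultRouteTable", status: Succeeded
"""

LINE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$')
OP = re.compile(r'operation: "(.+?)", status: (\w+)')

def summarize(text):
    """Return (operations, total_seconds, complete) for one failover capture."""
    ops, seen = {}, {}
    first = last = None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # blank lines, CLI echo, other noise
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2).split("<-----")[0].strip()  # drop KB-style annotations
        seen.setdefault(msg, ts)          # first time each message appeared
        first, last = first or ts, ts
        op = OP.search(msg)
        if op:
            name, status = op.groups()
            # Start at the request line ("updating nic: X") if it was captured.
            rec = ops.setdefault(name, {"start": seen.get(name, ts)})
            rec["end"], rec["status"] = ts, status
    for rec in ops.values():
        rec["seconds"] = int((rec["end"] - rec["start"]).total_seconds())
    if first is None:
        return ops, 0, False
    total = int((last - first).total_seconds())
    added = seen.get("adding pubip")
    # Complete: IP removed and re-added, every operation Succeeded, and at
    # least one operation finished after the "adding pubip" step began.
    complete = ("removing pubip" in seen and added is not None
                and all(r["status"] == "Succeeded" for r in ops.values())
                and any(r["end"] >= added for r in ops.values()))
    return ops, total, complete

if __name__ == "__main__":
    for name, rec in summarize(SAMPLE)[0].items():
        print(rec["seconds"], "s", rec["status"], name)
```

A capture that ends while an operation is still `InProgress`, or before any operation finishes after `adding pubip`, is reported as not complete.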