Description | This article presents a possible root cause for instability in an HA cluster, configured with monitored interface(s), that triggers repeated failovers. |
Scope | FortiGate. |
Solution |
Introduction:
When a monitored interface in an HA cluster goes down, it triggers a failover among the cluster members. When the monitored interface flaps up and down, this in turn triggers frequent failovers among the cluster members, causing instability. This may affect system resources such as memory, CPU, etc., especially if the session-pickup setting is enabled.
Scenario:
Here, it is assumed that the FortiGate is configured as follows. The system link-monitor is configured to use wan1 to ping an external server, for example 8.8.8.8.
config system link-monitor
Upon checking the system link-monitor (diagnose system link-monitor status), it is observed that the status is flapping between alive and dead. This indicates a reachability problem, which may be due to an ISP issue or to routing issues on an intermediate router in the path to the destination.
The system HA cluster is configured as follows (port1 is the monitored interface):
config system ha
    set group-name "FGT-HA"
end
The flapping behavior of the system link-monitor source interface, wan1, needs to be related to the repeated failovers in the system HA cluster.
Root Cause:
Check the system interface settings for the source interface of the system link-monitor, i.e., wan1. Confirm whether the fail-detect setting is enabled and which system interface it is tied to through the fail-alert-interfaces setting. As is evident from the following configuration, the system link-monitor is the source of the problem: it triggers the flapping behavior on the interface that is monitored under the system HA cluster configuration:
config system interface
    edit "wan1"
        set ip 192.168.1.254 255.255.255.0
        set fail-detect enable
        set fail-detect-option detectserver link-down
        set fail-alert-method link-down
        set fail-alert-interfaces "port1"
    next
end
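The chain described above can be checked offline against a saved configuration. The following Python code is an added example, not part of the original article or any Fortinet tool: it reports every link-monitor whose source interface has fail-detect enabled and alerts an interface that the HA cluster monitors. The sample configuration is constructed; the `set srcintf` and `set monitor` lines are standard FortiOS settings that the article's excerpts do not show, and the function names are hypothetical.

```python
# Constructed sample mirroring this article's scenario (not a real backup).
SAMPLE = """
config system interface
    edit "wan1"
        set fail-detect enable
        set fail-detect-option detectserver link-down
        set fail-alert-interfaces "port1"
    next
end
config system link-monitor
    edit "1"
        set srcintf "wan1"
    next
end
config system ha
    set group-name "FGT-HA"
    set monitor "port1"
end
"""

def parse(text):
    """Top-level settings as {section: {entry: {key: [values]}}}; nested blocks are skipped."""
    cfg, stack, entry = {}, [], ""
    for line in map(str.strip, text.splitlines()):
        word, _, rest = line.partition(" ")
        if word == "config":
            stack.append(rest)
        elif word == "end" and stack:
            stack.pop()
        elif len(stack) != 1:
            continue  # inside a nested block, or outside any section
        elif word in ("edit", "next"):
            entry = rest.strip('"')  # "next" carries no name, so entry resets to ""
        elif word == "set":
            key, _, val = rest.partition(" ")
            settings = cfg.setdefault(stack[0], {}).setdefault(entry, {})
            settings[key] = val.replace('"', "").split()
    return cfg

def find_chains(text):
    """Return (link-monitor entry, source interface, HA-monitored interface) per chain."""
    cfg = parse(text)
    ha_monitored = set(cfg.get("system ha", {}).get("", {}).get("monitor", []))
    hits = []
    for name, lm in cfg.get("system link-monitor", {}).items():
        for src in lm.get("srcintf", []):
            intf = cfg.get("system interface", {}).get(src, {})
            if intf.get("fail-detect") == ["enable"]:
                alerted = set(intf.get("fail-alert-interfaces", []))
                hits += [(name, src, p) for p in sorted(alerted & ha_monitored)]
    return hits
```

Calling `find_chains(SAMPLE)` returns one tuple per link-monitor, source interface and HA-monitored interface combination; an empty list means this particular cause is not present in the configuration.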
Note: There may be other causes that trigger the flapping behavior for the system HA cluster units. This article shows only one possible root cause. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.