FortiGate
sjoshi
Staff
Article Id 357950
Description

This article describes how to troubleshoot and resolve ping failures between FortiGate HA management ports, ensuring proper communication and connectivity in a High Availability setup.

Scope

FortiOS.

Solution

The FortiGates are set up as an Active-Passive HA cluster with a dedicated out-of-band (OOB) management interface configured on each unit.

In this example, the mgmt interface IP of the first FortiGate (FGT1) is 10.110.100.1, and the mgmt interface IP of the second FortiGate (FGT2) is 10.110.100.2.

Here, VLAN 1000 is the dedicated mgmt interface.

On the primary FortiGate (FGT1):

config system interface
    edit "vlan_1000"
        set ip 10.110.100.1 255.255.255.0
        set allowaccess ping https ssh
        set alias "mgmt"
        set role lan
        set snmp-index 46
        set interface "CORE-SW-LINK"
        set vlanid 1000
    next
end

On the secondary FortiGate (FGT2):

config system interface
    edit "vlan_1000"
        set ip 10.110.100.2 255.255.255.0
        set allowaccess ping https ssh
        set alias "mgmt"
        set role lan
        set snmp-index 46
        set interface "CORE-SW-LINK"
        set vlanid 1000
    next
end

A ping from the primary FortiGate (10.110.100.1) to the secondary's mgmt IP 10.110.100.2, issued from the default CLI context, does not work:

FORTIGATE-MASTER # execute ping 10.110.100.2
PING 10.110.100.2 (10.110.100.2): 56 data bytes

--- 10.110.100.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

The dedicated HA management interface belongs to the hidden management VDOM (vsys_hamgmt), so a ping using that interface's IP must be initiated from inside that VDOM. Enter it with 'execute enter':

FORTIGATE-MASTER # execute enter
<name> vdom name
root
vsys_hamgmt

FORTIGATE-MASTER # execute enter vsys_hamgmt
current vdom=vsys_hamgmt:3

Now run the same ping again from this VDOM; it succeeds:

FORTIGATE-MASTER # execute ping 10.110.100.2
PING 10.110.100.2 (10.110.100.2): 56 data bytes
64 bytes from 10.110.100.2: icmp_seq=0 ttl=255 time=0.1 ms
64 bytes from 10.110.100.2: icmp_seq=1 ttl=255 time=0.0 ms
64 bytes from 10.110.100.2: icmp_seq=2 ttl=255 time=0.0 ms
64 bytes from 10.110.100.2: icmp_seq=3 ttl=255 time=0.0 ms
64 bytes from 10.110.100.2: icmp_seq=4 ttl=255 time=0.0 ms

--- 10.110.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.1 ms

The secondary FortiGate's management IP is now reachable via ping.

To test connectivity through the dedicated HA management IP, enter the hidden management VDOM (vsys_hamgmt) before initiating traffic from the FortiGate; as the first ping above shows, traffic initiated from the default VDOM does not reach the peer's management IP.
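Added example (not from the article or from Fortinet): a small Python helper that parses the two 'config system interface' blocks shown above, checks the peer preconditions a mgmt ping needs (same subnet, same VLAN ID, ping in allowaccess), and parses the statistics line of 'execute ping', so that a VDOM-sourcing problem like the one in this article is only suspected once the interface config itself checks out. The interface name vlan_1000 and the FGT1/FGT2 labels come from the article; the sample config text is constructed from it.

```python
import ipaddress
import re

# Constructed sample: the mgmt interface block from the article (FGT1); FGT2 differs only in IP.
FGT1_CONFIG = """config system interface
    edit "vlan_1000"
        set ip 10.110.100.1 255.255.255.0
        set allowaccess ping https ssh
        set vlanid 1000
    next
end"""
FGT2_CONFIG = FGT1_CONFIG.replace("10.110.100.1", "10.110.100.2")

def parse_interfaces(config):
    """Map each 'edit <name>' block of a 'config system interface' dump to its 'set' key/values."""
    result, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            result[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            result[current][key] = value.strip('"')
        elif line == "next":
            current = None
    return result

def check_mgmt_peers(cfg_a, cfg_b, name="vlan_1000"):
    """List config problems that would explain a mgmt ping failure; an empty list means the
    interface config is consistent, so the next suspect is the VDOM the ping was sourced from."""
    a, b = parse_interfaces(cfg_a)[name], parse_interfaces(cfg_b)[name]
    # 'set ip A.B.C.D M.M.M.M' -> network object; strict=False tolerates host bits in the address
    nets = [ipaddress.ip_network(i["ip"].replace(" ", "/"), strict=False) for i in (a, b)]
    problems = []
    if nets[0] != nets[1]:
        problems.append(f"different subnets: {nets[0]} vs {nets[1]}")
    if a.get("vlanid") != b.get("vlanid"):
        problems.append("vlanid mismatch")
    for label, iface in (("FGT1", a), ("FGT2", b)):
        if "ping" not in iface.get("allowaccess", "").split():
            problems.append(f"{label}: ping not in allowaccess")
    return problems

def ping_succeeded(ping_output):
    """Parse the statistics line of 'execute ping'; True when at least one reply was received."""
    m = re.search(r"(\d+) packets transmitted, (\d+) packets received", ping_output)
    if not m:
        raise ValueError("no ping statistics line found")
    return int(m.group(2)) > 0
```

With the article's configs, check_mgmt_peers returns no problems and the root-VDOM ping output parses as failed, which points at the VDOM the ping was sourced from rather than at the interface settings.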
