ezhupa (Staff)
Article Id 373365
Description This article explains why HA failover does not occur as expected when one of the monitored interfaces on the primary FortiGate goes down.
Scope FortiGate.
Solution

In an HA cluster (A-P) scenario, when one of the monitored interfaces listed in the HA configuration goes down, the cluster normally fails over to the secondary member.


config system ha
    set group-name <group_name>
    set mode a-p
    set password <password>
    set hbdev "ha" 0
    set override enable
    set priority <prio_value>
    set monitor <port1> <port2> . . .   <---
end


Check whether the monitored ports are UP and connected on the secondary device.
For the rest of this article, assume that port1 and port2 are configured as monitored ports in the HA configuration.

If these ports are UP and connected on both the primary and the secondary device, then when port1 is disconnected from the primary, or goes down for any other reason, the cluster should fail over to the secondary device.


If the monitored ports are not connected on the secondary device, the cluster will not fail over, because those ports were already down on the secondary to begin with. For more information on primary selection in HA clusters, refer to the following article: Technical Tip: FortiGate HA Primary unit selection process when override is disabled vs enabled.

Another scenario in which this situation can occur is when a failover was previously triggered by setting the failover FLAG. Refer to the following article on how a forced failover is executed for testing and troubleshooting: Force HA failover for testing and demonstrations.


Run the following command to see the HA failover details (the same information is also visible in the HA event logs):


get sys ha status


Output:


# get system ha status
HA Health Status: OK
Model: FortiGate-20xE
Group Name: IT
Group ID: 12
Debug: 0
Cluster Uptime: 0 days 5:15:32
Cluster state change time: 2025-04-14 17:45:10
Primary selected using:
    <2025-04-14 17:45:10> FGXXXXXXXXXX is selected as the primary because EXE_FAIL_OVER flag is set on peer member FGXXXXXXXXXX.


In these cases, check the status of the failover flag on the HA members with the following command:

execute ha failover status


After running the command, check whether the flag is set or not set. Below is an example of the output when the flag is set:


failover status: set

When the status is set on the secondary, failover will not happen, because the unit is in a forced failover state and has given up the primary role. This unit will not become the primary again until it is rebooted or until the failover status is unset.


If that is the case, the flag needs to be unset on the secondary FortiGate with the following command:

execute ha failover unset 1
Caution: This command may trigger an HA failover.
It is intended for testing purposes. Do you want to continue? (y/n)

After the flag is unset, the failover will happen, provided that the monitored ports are up on the secondary device.
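As an added example (not part of this article or of FortiOS), the following Python parses constructed copies of the two outputs shown above, get system ha status and execute ha failover status, and reports a peer that is still holding the EXE_FAIL_OVER flag, which is the condition a monitoring check for this problem would look for. The serial numbers and the sample text are placeholders modelled on the article's output, not real devices.

```python
import re

# Constructed sample of `get system ha status` output, modelled on the
# article's output; serial numbers are placeholders, not real devices.
HA_STATUS_SAMPLE = """\
HA Health Status: OK
Model: FortiGate-20xE
Group Name: IT
Group ID: 12
Cluster Uptime: 0 days 5:15:32
Cluster state change time: 2025-04-14 17:45:10
Primary selected using:
    <2025-04-14 17:45:10> FGT-PLACEHOLDER-A is selected as the primary because EXE_FAIL_OVER flag is set on peer member FGT-PLACEHOLDER-B.
"""

# "Field: value" header lines worth keeping from the status output.
_FIELD_RE = re.compile(
    r"^(HA Health Status|Model|Group Name|Group ID|Cluster Uptime|Cluster state change time):\s*(.*)$")
# Primary-selection history lines listed under "Primary selected using:".
_SELECTION_RE = re.compile(
    r"^\s*<(?P<ts>[^>]+)>\s+(?P<primary>\S+) is selected as the primary because (?P<reason>.+?)\.?\s*$")
# The selection reason that points at a stale forced failover on the peer.
_EXE_FAIL_OVER_RE = re.compile(r"EXE_FAIL_OVER flag is set on peer member (?P<peer>\S+)")

def parse_ha_status(text):
    """Parse status output into header fields plus a 'selection' event list (most recent last)."""
    status = {"selection": []}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            status[m.group(1)] = m.group(2).strip()
            continue
        m = _SELECTION_RE.match(line)
        if m:
            status["selection"].append(m.groupdict())
    return status

def stale_forced_failover(status):
    """Serial of the peer still holding EXE_FAIL_OVER (it will not take over), or None."""
    if not status["selection"]:
        return None
    m = _EXE_FAIL_OVER_RE.search(status["selection"][-1]["reason"])
    return m.group("peer") if m else None

def parse_failover_status(text):
    """Parse `execute ha failover status` output; True when the flag is set."""
    m = re.search(r"failover status:\s*(set|unset)", text)
    if m is None:
        raise ValueError("unrecognised failover status output")
    return m.group(1) == "set"
```

A peer serial returned by stale_forced_failover is the unit on which execute ha failover status should be checked and, if it reports set, where the flag has to be unset before monitored-port failover can work again.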