Created on
09-13-2021
12:36 AM
Edited on
03-11-2025
06:34 AM
By
Stephen_G
Description
This article describes common network changes and conditions that trigger High Availability (HA) intermittence issues.
Scope
FortiGate.
Solution
The HA design works as expected at implementation time, based on the units, VLANs, cabling, and similar factors present at that time.
However, after some time has passed, HA ceases to work as expected, while the network administrator reports that the network itself is behaving normally.
The normal changes that happen on a network are:
- A new unit or server is introduced to the network:
  - Previously, the FortiGate was standalone, but it is now in High Availability.
  - There is a switch from core 1 to core 2.
  - An intermediate unit is introduced (such as a load balancer, proxy, or traffic management unit).
- Changes are made to the network design/topology:
  - An increase in VLANs.
  - Changes to routing.
  - LACP configuration.
  - Changes to cabling or ports on the FortiGate or switch.
  - STP re-calculation.
When changes to the design occur, traffic may not flow as it did in the first implementation.
This is expected behavior.
In certain cases, there are no changes on the network, yet failover does not work as expected.
The behavior observed is as follows:
- Traffic on the primary unit works as expected.
- During failover to the secondary unit:
  - Many services are down.
  - A certain segment/interface is not working.
  - Network intermittence/flapping occurs (for example, the connection works for 10 minutes, then goes down for 10 minutes).
From the FortiGate perspective, the FortiGate only processes traffic as it is received.
A common cause is STP (Spanning Tree Protocol) at the network level.
This frequently happens when link aggregation or LACP is configured.
In other words, this issue originates in the network design itself.
Troubleshooting:
If intermittence occurs, check it on the FortiGate as follows:
- Version 6.0: go to Log & Report -> System Events.
- Version 6.2 and above: go to Log & Reports -> Events -> System Events (top right corner).
Filter for Log Description: Interface status changed.
Look for the interface that is encountering the problem. The interface status will show one of the following reasons:
1. A cable is disconnected/unplugged on a port.
2. The port is shut down/disabled on the peer device.
The most common scenario for HA issues is number 2: the port is shut down/disabled on the peer device.
Verify the changes on the switch as well.
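As an added example (not part of the original article), the check above can be automated over exported system event logs: the script below parses FortiGate key=value log lines, keeps only "Interface status changed" events, and reports interfaces whose link state changed repeatedly within a time window, which is the flapping signature this article describes. The sample log lines are constructed, and the `name=` and `status=` fields used to carry the interface and its new state are assumptions, not verified FortiGate field names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of FortiGate system event log lines (key=value syslog style).
# Field names other than logdesc (given in the article) are assumed for illustration.
SAMPLE_LOGS = """\
date=2021-09-13 time=00:10:05 logdesc="Interface status changed" name="port3" status="DOWN" msg="Interface port3 changed state to down"
date=2021-09-13 time=00:10:09 logdesc="Interface status changed" name="port3" status="UP" msg="Interface port3 changed state to up"
date=2021-09-13 time=00:12:30 logdesc="Admin login" user="admin" msg="Administrator admin logged in"
date=2021-09-13 time=00:20:11 logdesc="Interface status changed" name="port3" status="DOWN" msg="Interface port3 changed state to down"
date=2021-09-13 time=00:20:15 logdesc="Interface status changed" name="port3" status="UP" msg="Interface port3 changed state to up"
date=2021-09-13 time=00:30:40 logdesc="Interface status changed" name="port3" status="DOWN" msg="Interface port3 changed state to down"
date=2021-09-13 time=00:45:00 logdesc="Interface status changed" name="port5" status="DOWN" msg="Interface port5 changed state to down"
"""

# key=value pairs; quoted values may contain spaces, unquoted ones end at whitespace.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    # Split one log line into a dict of its fields.
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields

def interface_events(lines):
    # Keep only the events the article says to filter for, as (timestamp, interface, status).
    events = []
    for line in lines:
        f = parse_line(line)
        if f.get("logdesc") != "Interface status changed":
            continue
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, f["name"], f["status"]))
    return sorted(events)

def flapping_interfaces(lines, window=timedelta(hours=1), min_transitions=3):
    # Return {interface: transitions} for interfaces with >= min_transitions state changes inside any `window`.
    by_iface = defaultdict(list)
    for ts, name, _status in interface_events(lines):
        by_iface[name].append(ts)
    flapping = {}
    for name, stamps in by_iface.items():
        # Sliding window over the sorted timestamps: densest burst of transitions within `window`.
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_transitions:
            flapping[name] = best
    return flapping
```

Run `flapping_interfaces(SAMPLE_LOGS.splitlines())` to list the flapping interfaces; a single DOWN event with no recovery (port5 in the sample) is reported separately by `interface_events`, since it points at a cable or peer-port shutdown rather than flapping.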
Example scenario:
- The first FortiGate unit acts as the primary unit.
- The second FortiGate unit acts as the secondary unit.
The network switch should send all traffic to the first FortiGate unit. When intermittence occurs, the network is most likely sending traffic to the secondary FortiGate, which is not correct.
In this kind of scenario, the issue is not in the FortiGate configuration itself.
Conclusion:
HA deployment requires proper physical and logical design on the network level.
Related article: