Description
This article describes why the 'Configuration Wizard' may not be accessible on a secondary server in a High Availability pair with a shared IP address.
This is due to how the /etc/hosts file is configured, which depends on the appliance configuration.
/etc/hosts file shared IP entry when managed by a Control Manager:
<shared IP> <shared FQDN> <shared short name> cm
/etc/hosts file shared IP entry when not managed by a Control Manager:
<shared IP> <shared FQDN> <shared short name> nac
Secondary Server appliances where 'nac' appears on the shared IP entry will not be accessible by default.
Scope
Version: 8.x - 9.2
Solution
Information is also available in the High Availability Reference manual in the Fortinet Document Library.
Temporarily modify the /etc/hosts file to access the appliance.
- Log in to the Secondary Server CLI as root and modify /etc/hosts.
- Remove the 'nac' alias from the shared IP entry. This will enable the secondary server IP address to be accessible.
Example:
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
<...>
<shared IP> <shared FQDN> <shared short name>
- Restart the web service. Type:
service tomcat-admin restart
- Access the Secondary Server Configuration Wizard using the following URL:
https://<Secondary Server name or IP>:8443/configWizard
- Once the Configuration Wizard has been run, the /etc/hosts file will be auto-corrected.
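One way to script the manual /etc/hosts edit from the steps above, shown as an added example that is not Fortinet's own code: it removes only the 'nac' alias from the shared IP line and keeps a backup copy. The function name strip_nac_alias, the .bak suffix, and the sample address 192.0.2.10 with its host names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Usage: strip_nac_alias <hosts-file> <shared-ip>
# Returns 0 = alias removed, 1 = nothing to change, 2 = usage or file error.
strip_nac_alias() {
    hosts_file=$1 shared_ip=$2 rc=0
    [ -n "$shared_ip" ] && [ -f "$hosts_file" ] || return 2
    tmp=$(mktemp) || return 2
    # Rewrite only the line whose first field is the shared IP, dropping a
    # field that is exactly "nac" (any case). Comments, other hosts and names
    # that merely contain "nac" pass through unchanged.
    awk -v ip="$shared_ip" '
        $1 == ip {
            out = $1; hit = 0
            for (i = 2; i <= NF; i++) {
                if (tolower($i) == "nac") { hit = 1; continue }
                out = out " " $i
            }
            if (hit) { changed = 1; print out; next }
        }
        { print }
        END { exit(changed ? 0 : 1) }
    ' "$hosts_file" > "$tmp" || rc=$?
    case $rc in
        0)  # Keep a rollback copy, then overwrite in place so the inode,
            # ownership and mode of the hosts file are unchanged.
            cp -p "$hosts_file" "$hosts_file.bak" || rc=2
            [ "$rc" -ne 0 ] || cat "$tmp" > "$hosts_file" || rc=2 ;;
        1)  ;;      # alias already absent
        *)  rc=2 ;; # awk itself failed
    esac
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed file; 192.0.2.10 and the host names are sample values.
demo=$(mktemp)
printf '%s\n' '127.0.0.1 localhost' \
    '192.0.2.10 fnac-shared.example.test fnac-shared nac' > "$demo"
if strip_nac_alias "$demo" 192.0.2.10; then cat "$demo"; fi
rm -f "$demo" "$demo.bak"
```

On the appliance, the function would be pointed at /etc/hosts with the real shared IP, followed by the tomcat-admin restart described in the steps above.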
Related Articles
Technical Tip: Administration UI unable to load due to name resolution
Technical Tip: Cannot access Secondary Server Configuration Wizard in 9.2