Dubos
New Contributor III

Converting HA cluster to standalone

We have an HA active-passive cluster of two FortiGate 600D, I turned on the standalone mode on the Master due to some problems (https://community.fortinet.com/t5/Fortinet-Forum/accidentally-rewrote-the-interface/td-p/201847), and I returned access to it, but the Slave is still unavailable to manage. How do I convert it too into standalone mode?

With respect,

Daniil Dubosarskij

cit.rkomi.ru

Debbie_FTNT
Staff

Hey Daniil,

if you have CLI access to the secondary, you can use these commands:

#config global
#config sys ha
#set mode standalone
#end

Please note that the secondary should have the same config as the primary, meaning the units could interfere with each other if both are connected on the same network/infrastructure.

You could look into factory resetting the secondary instead:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-reset-a-FortiGate-with-the-default-...

 

Hope this helps!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Dubos
New Contributor III

That's the problem, I don't have access to a Slave from the beginning of turning on the cluster. They successfully started and worked, but then I lost access by overwriting the management port to one of the ports for cluster synchronization. Now I have turned on the standalone mode on it and regained access to the web interface. Can I somehow change the mode on the second device without reset? Or should I connect back to the cluster?

With respect,

Daniil Dubosarskij

cit.rkomi.ru

AlexC-FTNT

Hi Daniil,

 

If the second device was changed to "standalone" you need to access it first (connecting to one of its ports, or console). You may try to shut down the working FortiGate, and try to access this second one through your internal network if the access was allowed before.

 

If that was not changed, you can still have the main unit (you have access to) reconfigured for HA (with the same HA settings as before, to make sure it matches the other unit + higher priority and override enabled). Once the cluster is up, it will push the config to the second unit (removing the port you changed).

 

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/123439/primary-unit-selection-with-overr...


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Debbie_FTNT

If you establish the cluster again, you can also access the secondary through the primary with this CLI command:

#config global
#execute ha manage <id>
#execute ha manage ? <--- will dump available IDs

This gives you an ssh session to the other HA through the one you're actually connected on.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Toshi_Esumi
Esteemed Contributor II

It's difficult and risky to handle HA without having console access to each device, or at least "dedicated-to" mgmt interface configured.

 

Toshi

Dubos
New Contributor III

I turned on the standalone mode on the second device, but now two FortiGates have one management address and the web interface constantly switches between them, the password was also copied from Master to Slave. For some reason, when I go to the console to configure the interface, it does not allow me to put a static mode and address, "vdom root" is written there, and so it should be, but I want to change the address to get separate access.

With respect,

Daniil Dubosarskij

cit.rkomi.ru

AlexC-FTNT

Without local access this will be difficult if not impossible to achieve.

You are experiencing a split-brain scenario where both units 'fight' for forwarding traffic. 

 

For a separated cluster (same wan and lan IPs), you can't have 2 different IPs for management. Your best chance is to first get the cluster back online, by setting up the HA parameters as described above. This way you will stabilize the network and can further make changes.

Once the HA cluster is stable you will be able to enable dedicated management interfaces, and then change the IPs for these management interfaces.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Dubos
New Contributor III

I have local access to both devices

With respect,

Daniil Dubosarskij

cit.rkomi.ru

AlexC-FTNT

Very good. So what is the problem or your goal now?

"standalone mode" for both devices is impossible in the same network/setup. One must be turned off, or you must change all the WAN and LAN IPs of ALL the interfaces so there is no IP conflict on the network:

config global
config system interface
edit ...
set ip x.x.x.x/x  (or 'unset ip' if you don't want to use that interface)
next
edit ... (repeat for all lan and wan interfaces)
end


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
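
Added example, not part of the thread and not Fortinet code: a Python check for the IP conflict described in the last reply, meant to be run over configuration backups of both units before they go back on the same network as standalone devices. The two configs are constructed samples with documentation addresses, the function names are hypothetical, and only the primary "set ip" of each entry under "config system interface" is compared (secondary IPs and VIPs are not).

```python
import ipaddress
import shlex

# Constructed sample backups (not from the thread). Unit B has had port1
# re-addressed, but mgmt1 still carries the address synced from unit A.
UNIT_A = """config global
config system interface
    edit "mgmt1"
        set vdom "root"
        set ip 192.0.2.10 255.255.255.0
    next
    edit "port1"
        set ip 198.51.100.1 255.255.255.0
    next
end
end"""
UNIT_B = UNIT_A.replace("198.51.100.1 255.255.255.0", "198.51.100.2/24")


def interface_ips(config_text):
    """Map interface name -> ip_interface from a FortiOS-style config dump."""
    found, stack, name = {}, [], None
    for raw in config_text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:  # line inside a multi-line quoted value
            tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "system interface":
            # Nested blocks (e.g. secondaryip) are deeper on the stack: skipped.
            if tok[0] == "edit" and len(tok) > 1:
                name = tok[1]
            elif tok[0] == "next":
                name = None
            elif tok[:2] == ["set", "ip"] and name and len(tok) > 2:
                # Accepts both "addr mask" and "addr/len" notations.
                iface = ipaddress.ip_interface("/".join(tok[2:4]))
                if iface.ip != ipaddress.ip_address("0.0.0.0"):
                    found[name] = iface
    return found


def shared_addresses(config_a, config_b):
    """Return sorted (ip, iface_on_a, iface_on_b) for addresses both units hold."""
    a, b = interface_ips(config_a), interface_ips(config_b)
    by_ip = {iface.ip: n for n, iface in b.items()}
    return sorted((str(i.ip), n, by_ip[i.ip]) for n, i in a.items() if i.ip in by_ip)
```

An empty result from shared_addresses() means no interface address is held by both units; any tuple it returns names an interface that still needs "set ip" or "unset ip" on one of them.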