Fortinet Forum
aesvntn
New Contributor

HA Active-Active Setup with redundant ISP, Switch, FSSO agent

Hi there!

Need some advice for our new upcoming setup & configuration.

I'd like to know if this setup is OK and would not cause any problems, especially things like lost internet connection, session issues, loops, spanning tree issues, failover issues, etc. I'd appreciate any comments/remarks on the configuration that could potentially cause such issues.

[Image: FG200E_HA.jpg]

Basic configuration details:

Fortigate Configuration
Mode: Active-Active
Priority: 100/50
Session pickup: enabled
Monitor: port1, port2, HA
Heartbeat: HA

SDWAN: WAN1, WAN2, Load Balance
FSSO Agent: AD1, AD2 with LDAP

 

Switch Configuration
interface Port-channel1
 description Fortigate1
 switchport mode trunk
!
interface Port-channel2
 description Fortigate2
 switchport mode trunk
!
interface range Gi1/0/1-2
 description Fortigate-Pair1
 switchport mode trunk
 channel-group 1 mode active
!
interface range Gi2/0/1-2
 description Fortigate-Pair2
 switchport mode trunk
 channel-group 2 mode active

ae
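The settings listed in the post, rendered as FortiOS CLI so the pieces can be checked against each other. This is an added example for illustration, not configuration from the original poster. Assumptions: the interface names (ha, port1, port2, wan1, wan2), the aggregate name agg-lan, the group name, the cluster password and the gateway/health-check addresses. Because the switch side uses LACP ("channel-group N mode active"), the two switch ports facing each FortiGate are modelled here as one FortiGate aggregate interface, and the HA monitor watches that aggregate rather than the individual members listed in the post; treat that as the assumption it is. The `config system sdwan` block is the 6.4+ syntax; on 6.0/6.2 the same structure lives under `config system virtual-wan-link`. The `#` lines are reader comments, not FortiOS syntax, and must be dropped before pasting.

```text
# FortiOS CLI (added example; names, password and addresses are assumptions)

# HA: active-active, priority 100 on this unit (50 on the other),
# session pickup enabled, heartbeat on the dedicated "ha" port.
# override disable keeps the cluster from failing back to the
# higher-priority unit as soon as it returns, which avoids a second
# traffic interruption after a failover.
config system ha
    set group-name "FG200E-cluster"
    set mode a-a
    set password "CHANGE-ME"
    set hbdev "ha" 50
    set session-pickup enable
    set priority 100
    set override disable
    set monitor "agg-lan"
end

# LAN side: port1 + port2 form one LACP aggregate, the counterpart of
# the switch's Port-channel with "channel-group N mode active".
config system interface
    edit "agg-lan"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping
    next
end

# SD-WAN: wan1 and wan2 as members, load-balanced by source IP so one
# client keeps the same egress (fewer session issues than per-packet
# balancing), plus a health check so a dead ISP leaves the rotation.
config system sdwan
    set status enable
    set load-balance-mode source-ip-based
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
    end
    config health-check
        edit "internet"
            set server "203.0.113.254"
            set members 1 2
        next
    end
end
```

After applying the same configuration (with priority 50) on the second unit, `get system ha status` on either box should list both members with the expected roles, and `diagnose sys link-monitor status` / `diagnose sys sdwan health-check` (6.4+ names) show whether each WAN member is currently passing its check.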
AEK
Contributor II

Hello

My advice:

- Add secondary HA

- Add link monitor for port-1-2

- There is no possible loop here

- Plus a personal advice: Prefer active-passive, unless active-active is really required

vponmuniraj
Staff

Hi,

If active-active configuration is needed, you must look into connecting a switch between the FGT & ISP devices.

Have a look at the traffic flow to help decide:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/678636/nat-mode-a-a-packet-flow

Regards,

Vignesh
Debbie_FTNT
Staff

In addition to the excellent advice by AEK and vponmuniraj:

-> Redundant FSSO Collector Agents don't quite act the same as for example a FortiGate cluster

-> They do NOT sync large parts of their config, so you should always verify on each Collector Agent that they have the same config (polling/DC Agent mode; advanced/standard AD mode, same domains, monitoring same domain controllers, etc)

-> The Collector Agents should show the same user logins (the logins do not get synced; both Collector Agents should get the same information and process it the same however)

-> The primary FortiGate will communicate with one Collector Agent; when that one becomes unavailable, it will switch to the second

-> It will stick with the second Collector Agent even if the first becomes available again; FortiGate will remain with the second Collector Agent until that one becomes unavailable, and then the firewall will switch to the next available Collector Agent, and stick with that again, etc

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
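The FortiGate side of the Collector Agent behaviour described above, as an added example in FortiOS CLI (not configuration from the original post or from Fortinet): one `config user fsso` entry lists both Collector Agents as server/server2, backed by an LDAP entry with a secondary server for the AD1/AD2 pair. The entry names, addresses, DN, bind account and passwords are assumptions. The `#` lines are reader comments, not FortiOS syntax, and must be removed before pasting. The check at the end is the practical consequence of the two points made above: since the Collector Agents sync neither their configuration nor their logon lists, the only way to know the second CA will carry the load is to fail the first one over and compare what the FortiGate learns.

```text
# FortiOS CLI (added example; names, addresses, DN and passwords are assumptions)

# LDAP against AD1 with AD2 as secondary, used for group lookups.
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.11"
        set secondary-server "10.0.0.12"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fsso-bind,cn=Users,dc=example,dc=com"
        set password "BIND-PASSWORD"
    next
end

# One FSSO entry naming both Collector Agents. The FortiGate talks to
# one CA at a time and moves to the next only when the current one
# stops answering; it does not move back when the first CA returns.
config user fsso
    edit "FSSO-AD"
        set server "10.0.0.11"
        set port 8000
        set password "CA-PASSWORD"
        set server2 "10.0.0.12"
        set port2 8000
        set password2 "CA-PASSWORD"
        set ldap-server "AD-LDAP"
    next
end

# Failover check, from the FortiGate CLI:
#   diagnose debug authd fsso server-status   -> which CA is "connected"
#   diagnose debug authd fsso list            -> logons currently learned
# 1. Run both and save the output.
# 2. Stop the Collector Agent service on the CA shown as connected.
# 3. Run both again: server-status must now show the other CA
#    connected, and the logon list must contain the same users.
# A shorter or different list after step 3 means the second CA is not
# configured identically (mode, domains, monitored DCs) or cannot
# reach the same domain controllers, which is exactly what the
# lack of config sync between CAs lets slip through.
```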