Fortinet Forum
Jad
New Contributor

HA reserved management interfaces in a different VRF

Hi Guys,

I am working on a cluster in A/P and want to separate the management by using OOB HA reserved management interfaces.

This is done and working perfectly, but when reading Fortinet's documentation, it's mentioned that this dedicated interface uses a separate routing table and it's not synchronized within the cluster, which is great for my use case, but here is the question:

Why does it work only when I put these interfaces in VRF=0 (global VRF) and not when I put them in another VRF?

It doesn't work whether I set the same VRF ID or a different one for each interface of each HA unit.

The goal is to have two (one per HA unit) "HA reserved management" interfaces with two different IPs (one for each unit) while using these interfaces in a different VRF from the global one.

For example:

VRF 0 = All Production interfaces

VRF 1 = "HA Reserved management" interfaces.

I think it's very interesting to understand how it works, because it's not well documented.

Thanks for your help.

Regards

1 REPLY
athirat
Staff

Hello,

Once HA reserved management interfaces are added on the FGT, they are automatically mapped to a hidden VDOM called vsys_hamgmt. The routing and ARP details of the HA dedicated management interface are available only in this VDOM.

You can check the routing table and ARP details of this VDOM by following the steps below:

config global
exe enter vsys_hamgmt  --> to enter the vdom
get router info routing-table all  --> will show the routing table of this vdom alone
get sys arp  --> arp entries on dedicated management interface

To go back to the normal VDOM, use the command below:
exe enter root

Hope this helps.