Hi Guys,
I accidentally discovered that the failover (A/P in different zones) mechanism of an AWS firewall cluster did not work during a scheduled change.
The FortiGate firewall cluster relies on the AWS API to maintain the HA status.
When I switched off the master firewall, the slave firewall did not take over.
I got the error message below when debugging the HA event:
"awsd failed to get instance id/awsd failed to get metadata"
Any ideas?
Many thanks.
Regards,
Wentao
Hello Wentao,
The message "awsd failed to get instance id/awsd failed to get metadata"
usually appears if there is an issue with the management port and/or the elastic IP on that management port. Also, having the latest firmware usually helps with FortiGate cloud deployments. Please have a look at the documentation below.
If everything is as per the documentation, it would be better to open a ticket with the TAC.
Fortinet Documentation - Deploying FortiGate-VM active-passive HA AWS between multiple zones
https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/229470/depl...
Hi VV,
Thanks for the documentation, I will have a read.
Regards,
Wentao
Hello!
Did you manage to resolve this?
I have a similar issue going on, where only part of the EIPs are being moved to the other cluster member. We have fourteen secondary IPs and did two HA tests: one test moved 8 of 14, the other 9 of 14 IPs, and the default route change also failed in both cases. Any idea in what direction to look?
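Added example, not code from Fortinet or from anyone in this thread: a small offline checker for the two problems raised above, written against the JSON shape that `aws ec2 describe-instances` returns. `precondition_findings` checks the things awsd needs before it can even identify itself (an IAM instance profile for API credentials, an enabled IMDS endpoint for the instance id/metadata lookup, and an Elastic IP on the management port, as the answer above describes). `eip_map` and `stuck_eips` snapshot which instance holds each EIP before and after a failover test, so a partial move like the 8 of 14 case can be narrowed to the exact addresses that did not follow the new primary. The sample instances are constructed, the function names are hypothetical, the management port is assumed to be the ENI at device index 0 (pass the index your deployment uses), and the IMDSv2 remark is an assumption to verify against your firmware release notes, not a documented FortiOS fact.

```python
"""Offline checker for FortiGate-VM A/P HA preconditions and EIP failover on AWS.

The dicts below are a constructed sample in the shape of
`aws ec2 describe-instances` output (Reservations[].Instances[]), not real data.
"""

# Constructed sample: two FortiGate-VM members. Member B is deliberately missing
# the management EIP and has IMDS disabled, so it produces findings.
MEMBER_A = {
    "InstanceId": "i-0aaaaaaaaaaaaaaaa",
    "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/fgt-ha"},
    "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1},
    "NetworkInterfaces": [
        {"Attachment": {"DeviceIndex": 0},
         "Association": {"PublicIp": "198.51.100.10"},
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.0.10", "Primary": True,
                                 "Association": {"PublicIp": "198.51.100.10"}}]},
        {"Attachment": {"DeviceIndex": 1},
         "PrivateIpAddresses": [
             {"PrivateIpAddress": "10.0.1.10", "Primary": True},
             {"PrivateIpAddress": "10.0.1.21", "Primary": False,
              "Association": {"PublicIp": "198.51.100.21"}},
             {"PrivateIpAddress": "10.0.1.22", "Primary": False,
              "Association": {"PublicIp": "198.51.100.22"}}]},
    ],
}
MEMBER_B = {
    "InstanceId": "i-0bbbbbbbbbbbbbbbb",
    "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/fgt-ha"},
    "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "required",
                        "HttpPutResponseHopLimit": 1},
    "NetworkInterfaces": [
        {"Attachment": {"DeviceIndex": 0},
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.10.10", "Primary": True}]},
        {"Attachment": {"DeviceIndex": 1},
         "PrivateIpAddresses": [
             {"PrivateIpAddress": "10.0.11.10", "Primary": True},
             {"PrivateIpAddress": "10.0.11.21", "Primary": False},
             {"PrivateIpAddress": "10.0.11.22", "Primary": False}]},
    ],
}

# Constructed snapshot after a failover test: .21 followed member B, .22 did not.
AFTER_SNAPSHOT = {
    "198.51.100.10": ("i-0aaaaaaaaaaaaaaaa", "10.0.0.10"),   # per-member mgmt EIP
    "198.51.100.21": ("i-0bbbbbbbbbbbbbbbb", "10.0.11.21"),
    "198.51.100.22": ("i-0aaaaaaaaaaaaaaaa", "10.0.1.22"),
}


def precondition_findings(instance, mgmt_device_index=0):
    """Return findings for what awsd needs to get its instance id/metadata and
    call the EC2 API. mgmt_device_index is an assumption; set it per deployment."""
    findings = []
    if not instance.get("IamInstanceProfile"):
        findings.append("no IAM instance profile attached; no credentials for the EC2 API")
    mo = instance.get("MetadataOptions", {})
    if mo.get("HttpEndpoint") != "enabled":
        findings.append("IMDS endpoint disabled; instance id/metadata lookups will fail")
    if mo.get("HttpTokens") == "required":
        # Assumption: verify against release notes that the FortiOS build
        # supports IMDSv2 (session-token) metadata requests.
        findings.append("IMDSv2 enforced; confirm the firmware supports token-based IMDS")
    mgmt = [e for e in instance.get("NetworkInterfaces", [])
            if e.get("Attachment", {}).get("DeviceIndex") == mgmt_device_index]
    if not mgmt:
        findings.append(f"no ENI at device index {mgmt_device_index} (management port)")
    elif not mgmt[0].get("Association", {}).get("PublicIp"):
        findings.append("management port has no Elastic IP associated")
    return findings


def eip_map(instances):
    """Map every EIP on every primary or secondary private IP to (instance id, private ip)."""
    out = {}
    for inst in instances:
        for eni in inst.get("NetworkInterfaces", []):
            for pip in eni.get("PrivateIpAddresses", []):
                pub = pip.get("Association", {}).get("PublicIp")
                if pub:
                    out[pub] = (inst["InstanceId"], pip["PrivateIpAddress"])
    return out


def stuck_eips(before, after, old_holder, new_holder, ignore=()):
    """EIPs held by old_holder before the test that are not on new_holder afterwards.
    Put per-member addresses that are not meant to move (management EIPs) in ignore."""
    candidates = [ip for ip, (holder, _) in before.items()
                  if holder == old_holder and ip not in ignore]
    return sorted(ip for ip in candidates if after.get(ip, (None, None))[0] != new_holder)


if __name__ == "__main__":
    for member in (MEMBER_A, MEMBER_B):
        print(member["InstanceId"], precondition_findings(member) or ["ok"])
    before = eip_map([MEMBER_A, MEMBER_B])
    print("did not move:", stuck_eips(before, AFTER_SNAPSHOT, MEMBER_A["InstanceId"],
                                      MEMBER_B["InstanceId"], ignore={"198.51.100.10"}))
```

In practice you would replace the constructed dicts with the real `describe-instances` JSON for both members, take one `eip_map` snapshot before the HA test and one after, and feed both to `stuck_eips`; the addresses it returns are the ones to look up in CloudTrail for the failed `AssociateAddress` or `AssignPrivateIpAddresses` call and its error message.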