WY
New Contributor

AWS Fortigate firewall cluster (A/P in different zones) did not failover

Hi Guys,

I accidentally discovered that the failover (A/P in different zones) mechanism of the AWS firewall cluster did not work during a scheduled change.

The FortiGate firewall cluster relies on the AWS API to maintain the HA status.

When I switched off the master firewall, the slave firewall did not take over.

I got the error message below when debugging the HA event:

"awsd failed to get instance id/awsd failed to get metadata"

Any ideas?

Many thanks.

Regards,
Wentao

vvarangoulis
Staff

Hello Wentao,

The message "awsd failed to get instance id/awsd failed to get metadata" usually appears if there is an issue with the management port and/or the elastic IP on that management port. Also, having the latest firmware usually helps with FortiGate cloud deployments. Please have a look at the documentation below.

If everything is as per the documentation, it would be better to open a ticket with the TAC.

Fortinet Documentation - Deploying FortiGate-VM active-passive HA AWS between multiple zones
https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/229470/depl...

Please mark the posts as solved if you have no further queries
--VV--
WY

Hi VV,

Thanks for the documentation, I will have a read.

Regards,

Wentao

Somerandomusername
New Contributor

Hello!

Did you manage to resolve this?

I have a similar issue going on, where just part of the EIPs are being moved to the other cluster member. We have fourteen secondary IPs, did two HA tests, one test moved 8 of 14, the other 9 of 14 IPs + the default route change also failed in both cases. Any idea in what direction to look?
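As an added example (not part of the thread and not Fortinet's code), a small post-failover check of the kind one would run after an HA test like the ones above: given the old primary's ENI description before failover and the new primary's ENI description after it, in the shape returned by boto3 `describe_network_interfaces`, plus the route table in the shape of `describe_route_tables`, it lists which secondary private IPs did not move and whether the default route now points at the new primary ENI. The sample data is constructed; ENI IDs are placeholders.

```python
"""Verify a FortiGate-VM A/P HA failover in AWS: secondary IPs and default route.

Inputs mimic boto3 EC2 responses (describe_network_interfaces /
describe_route_tables); in a live check they would come from those calls.
"""

DEFAULT_ROUTE = "0.0.0.0/0"


def secondary_ips(eni):
    """All private IPs on an ENI except its primary address."""
    return {p["PrivateIpAddress"] for p in eni["PrivateIpAddresses"]
            if not p.get("Primary", False)}


def default_route_target(route_table):
    """ENI ID the 0.0.0.0/0 route points at, or None if there is no such route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE:
            return route.get("NetworkInterfaceId")
    return None


def check_failover(old_primary_before, new_primary_after, route_table):
    """Return (missing_ips, route_ok).

    missing_ips: secondary IPs that were on the old primary but are not on the
                 new primary after failover (sorted list).
    route_ok:    True if the default route targets the new primary's ENI.
    """
    expected = secondary_ips(old_primary_before)
    moved = secondary_ips(new_primary_after)
    missing = sorted(expected - moved)
    route_ok = default_route_target(route_table) == new_primary_after["NetworkInterfaceId"]
    return missing, route_ok


# Constructed sample: 14 secondary IPs on the old primary, only 8 moved, and the
# default route still points at the old primary (the partial-failover case).
OLD_PRIMARY_BEFORE = {
    "NetworkInterfaceId": "eni-OLDPRIMARY",  # placeholder ID
    "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.4", "Primary": True}]
    + [{"PrivateIpAddress": f"10.0.1.{i}", "Primary": False} for i in range(10, 24)],
}
NEW_PRIMARY_AFTER = {
    "NetworkInterfaceId": "eni-NEWPRIMARY",  # placeholder ID
    "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.5", "Primary": True}]
    + [{"PrivateIpAddress": f"10.0.1.{i}", "Primary": False} for i in range(10, 18)],
}
ROUTE_TABLE = {"Routes": [{"DestinationCidrBlock": DEFAULT_ROUTE,
                           "NetworkInterfaceId": "eni-OLDPRIMARY"}]}

if __name__ == "__main__":
    missing, route_ok = check_failover(OLD_PRIMARY_BEFORE, NEW_PRIMARY_AFTER, ROUTE_TABLE)
    print(f"secondary IPs not moved: {missing}")
    print(f"default route updated: {route_ok}")
```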
