Hello everyone,
I have two FortiGate 201F firewalls in HA (active-active mode). Both firewalls are connected to the same core switch (two stacked switches), which are connected by an aggregate port (two SFPs per device). The problem is that when I disconnect both SFPs from one FortiGate to see whether the traffic continues through the other firewall, the traffic won't reach it. It is as if the second firewall does not receive any traffic, but on the first firewall, if I disconnect only a single SFP, the traffic continues to arrive.
Why won't the traffic arrive from the second firewall?
Can you run a packet sniffer on the switch to see if you can capture GARP packets?
These are packets that tell the switch to change its ARP table and update it to the correct ports.
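The suggestion above is to look for gratuitous ARP on the switch side. As an added example (not code from the thread or from Fortinet), the following decodes raw Ethernet/ARP frames and picks out the gratuitous ones, so a capture taken during a failover test can be checked for the announcement of the cluster's interface address. The MAC and IP addresses in the sample frames are constructed placeholders, and the frames themselves are built inline so the script runs offline; a real capture would feed `find_garp` the raw frames read from a pcap.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.split(":"))


def ip_bytes(text: str) -> bytes:
    return bytes(int(x) for x in text.split("."))


def parse_arp_frame(frame: bytes):
    """Decode an Ethernet II frame. Returns a dict for IPv4-over-Ethernet ARP,
    None for anything else (other ethertypes, truncated or unusual ARP)."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "dst": mac_str(dst), "src": mac_str(src), "op": oper,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def is_gratuitous(arp) -> bool:
    """A gratuitous ARP announces the sender's own IP: sender IP equals target IP,
    sent to the broadcast MAC as either an ARP request or an ARP reply."""
    return (arp is not None
            and arp["op"] in (ARP_REQUEST, ARP_REPLY)
            and arp["sender_ip"] == arp["target_ip"]
            and arp["dst"] == BROADCAST)


def find_garp(frames, watch_ip=None):
    """Return (sender_mac, sender_ip) for each gratuitous ARP in a capture,
    optionally only for one IP (e.g. the cluster interface address)."""
    hits = []
    for frame in frames:
        arp = parse_arp_frame(frame)
        if is_gratuitous(arp) and (watch_ip is None or arp["sender_ip"] == watch_ip):
            hits.append((arp["sender_mac"], arp["sender_ip"]))
    return hits


def build_arp(dst, src, op, sha, spa, tha, tpa) -> bytes:
    """Assemble a raw ARP frame; used here only to construct sample input."""
    eth = struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(src), ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + body


# Constructed sample capture: every address below is a placeholder.
HOST_MAC, HOST_IP = "52:54:00:aa:bb:cc", "10.0.0.50"
VMAC, GW_IP = "00:09:0f:09:00:01", "10.0.0.1"   # assumed cluster virtual MAC / interface IP
SAMPLE_FRAMES = [
    # ordinary ARP request: a host asks who has the gateway IP
    build_arp(BROADCAST, HOST_MAC, ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GW_IP),
    # non-ARP frame (ethertype 0x0800, IPv4) that the parser must skip
    struct.pack("!6s6sH", mac_bytes(HOST_MAC), mac_bytes(VMAC), 0x0800) + b"\x00" * 28,
    # gratuitous ARP from the unit now owning the address: sender IP == target IP, broadcast
    build_arp(BROADCAST, VMAC, ARP_REPLY, VMAC, GW_IP, BROADCAST, GW_IP),
]

if __name__ == "__main__":
    print(find_garp(SAMPLE_FRAMES, watch_ip=GW_IP))  # [('00:09:0f:09:00:01', '10.0.0.1')]
```

If the capture shows no gratuitous ARP for the interface address after the SFPs are pulled, the switch had nothing to relearn the address from, which is consistent with the primary role never moving; if it shows one from the expected MAC, the failover itself happened and the fault lies elsewhere.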
Sorry, bad screenshot.
I tried without monitoring those interfaces and it won't work, but when I monitor the interfaces (x1, x2) the second firewall takes the primary role when I disconnect any SFP from the first firewall, and it works.
I'm asking because I don't understand the HA behavior.
I thought that when the firewalls are in active-active mode all interfaces receive and send traffic regardless of whether the unit is master or not, but from what I am seeing it seems that only the interfaces of the master firewall work.
Thanks for your answer @xshkurti
@APV
That is correct, monitoring interfaces serve for this purpose.
In A-A HA environment, both devices should process traffic.
If a subordinate unit fails, the primary unit re-distributes the sessions that the subordinate was processing among the remaining active cluster members. If the primary unit fails, the subordinate units negotiate to select a new primary unit. The new primary unit continues to distribute packets among the remaining active cluster units.
Failover works in a similar way if the cluster consists of only two units. If the primary unit fails the subordinate unit negotiates and becomes the new primary unit. If the subordinate unit fails, the primary unit processes all traffic. In both cases, the single remaining unit continues to function as a primary unit, maintaining the HA virtual MAC address for all of its interfaces.
Can you check how sessions are distributed and synchronized?
Execute the command below on both members to see session counts:
diag sys session full-stat
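The failover rules described above (the primary distributes sessions, a failed subordinate's sessions are redistributed, a failed primary is replaced by negotiation, and a two-unit cluster collapses to a single primary that keeps the virtual MAC), together with the earlier point that monitored interfaces are what trigger failover, can be made concrete in a small model. The following is an added example, not Fortinet code and not a description of the real FGCP negotiation: unit health is reduced to "no monitored interface has lost link", the negotiation picks the healthy unit with the highest priority, and session distribution is round-robin. Unit names, priorities, interface names and the virtual MAC are assumed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Unit:
    name: str
    priority: int                                  # higher wins the (simplified) negotiation
    monitored: set = field(default_factory=set)    # interfaces whose link state triggers failover
    link_up: dict = field(default_factory=dict)    # iface -> bool (missing = up)
    sessions: set = field(default_factory=set)

    def healthy(self) -> bool:
        """A unit counts as failed only when a *monitored* interface loses link.
        Link loss on an unmonitored interface changes nothing (the model's assumption)."""
        return all(self.link_up.get(i, True) for i in self.monitored)


class AACluster:
    VIRTUAL_MAC = "00:09:0f:09:00:01"  # placeholder HA virtual MAC, owned by the primary

    def __init__(self, units):
        self.units = {u.name: u for u in units}
        self.primary = self._negotiate()

    def members(self):
        return [u for u in self.units.values() if u.healthy()]

    def _negotiate(self):
        alive = self.members()
        if not alive:
            return None
        return max(alive, key=lambda u: (u.priority, u.name)).name

    def distribute(self, session_ids):
        """The primary spreads sessions round-robin over all healthy members."""
        alive = self.members()
        if not alive:
            return
        for i, sid in enumerate(session_ids):
            alive[i % len(alive)].sessions.add(sid)

    def set_link(self, unit, iface, up):
        """Simulate pulling or reconnecting an SFP on one unit, then reconcile."""
        self.units[unit].link_up[iface] = up
        self._reconcile()

    def _reconcile(self):
        orphaned = set()
        for u in self.units.values():
            if not u.healthy():
                orphaned |= u.sessions      # a failed unit's sessions are handed over
                u.sessions.clear()
        if self.primary is None or not self.units[self.primary].healthy():
            self.primary = self._negotiate()   # subordinates negotiate a new primary
        self.distribute(sorted(orphaned))       # (new) primary redistributes them

    def session_counts(self):
        return {n: len(u.sessions) for n, u in self.units.items()}

    def mac_owner(self):
        """Which unit answers for the virtual MAC (None if the cluster is down)."""
        return self.primary


def two_unit_cluster(monitor=("x1", "x2")):
    """Constructed two-member A-A cluster with 10 sessions already distributed."""
    c = AACluster([Unit("fg1", 200, set(monitor)), Unit("fg2", 100, set(monitor))])
    c.distribute(range(10))
    return c


if __name__ == "__main__":
    c = two_unit_cluster()
    print(c.primary, c.session_counts())       # fg1 {'fg1': 5, 'fg2': 5}
    c.set_link("fg1", "x1", False)             # monitored SFP on the primary pulled
    print(c.primary, c.session_counts())       # fg2 {'fg1': 0, 'fg2': 10}
    u = two_unit_cluster(monitor=())
    u.set_link("fg1", "x1", False)             # same SFP pulled, but nothing is monitored
    print(u.primary, u.session_counts())       # fg1 {'fg1': 5, 'fg2': 5}
```

The last case is the one from the thread: with no monitored interfaces the cluster sees no failure, so the primary role and the virtual MAC never move, even though the primary's links are gone.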
It is a new environment and doesn't have much traffic because the devices aren't connected to the network yet, but here is the output:
The truth is that I do not understand the information in this output.
When you say "In A-A HA environment, both devices should process traffic." I'm not sure whether you mean that the second firewall also receives traffic on its interfaces (this is not currently happening: if it does not become primary, it does not receive traffic), or that it only processes information it receives from the first firewall.
Greetings and thanks for your help.
Basically, the output states that there are 43 TCP sessions established.
If you execute the same command on secondary unit, you will see some sessions established there as well. That would mean that both devices are handling traffic.
"In A-A HA environment, both devices should process traffic." With this I mean that both devices are handling traffic.
A great network diagram explaining how traffic is distributed between nodes is below:
FortiGate HA A-A cluster - 3-way TCP hand... - Fortinet Community
A 3-Way handshake is taken as an example to demonstrate how traffic flows between FortiGates and Switches.
Hope that this clarifies your questions
Thanks for your answer again. I understood, and I've verified the sessions in both firewalls, so basically both work great. Thanks for all.
Greetings and have a good day ;)
Thanks @APV and happy that I could help you.
Have a nice time.
Copyright 2024 Fortinet, Inc. All Rights Reserved.