APV
New Contributor II

About FortiGate HA behavior

Hello everyone,

I have two FortiGate 201F firewalls in HA (active-active mode). Both firewalls are connected to the same core switch (two stacked switches), which are connected by an aggregate port (two SFPs per device). The problem is that when I try to disconnect the two SFPs from one FortiGate to see if the traffic continues through the other firewall, the traffic does not get through. It is as if the second firewall does not receive any traffic, but on the first firewall, if I only disconnect a single SFP, the traffic continues to arrive.

[Screenshot: forti.jpg]

[Screenshots: HA-1.jpg, HA-2.jpg, interface-config.jpg, interfaces.jpg]

Why doesn't the traffic arrive via the second firewall?

xshkurti
Staff

@APV 

Can you run a packet sniffer on the switch to see if you can capture GARP packets?
These packets tell the switch to change its ARP table and update the entries to the correct ports.

APV
New Contributor II

Sorry, bad screenshot.

I tried without monitoring those interfaces and it won't work, but when I monitor the interfaces (x1, x2) the second firewall takes the primary role when I disconnect any SFP from the first firewall, and it works.

 

I'm asking because I don't understand the HA behavior.
I thought that when the firewalls are in active-active mode all interfaces receive and send traffic regardless of whether the unit is master or not, but from what I am seeing it seems that only the interfaces of the master firewall work.

[Screenshot: haconfig.jpg]

 

Thanks for your answer @xshkurti 

xshkurti
Staff

@APV 
That is correct, monitoring interfaces serve this purpose.

In A-A HA environment, both devices should process traffic.

More about active-active failover

If a subordinate unit fails, the primary unit re-distributes the sessions that the subordinate was processing among the remaining active cluster members. If the primary unit fails, the subordinate units negotiate to select a new primary unit. The new primary unit continues to distribute packets among the remaining active cluster units.

Failover works in a similar way if the cluster consists of only two units. If the primary unit fails the subordinate unit negotiates and becomes the new primary unit. If the subordinate unit fails, the primary unit processes all traffic. In both cases, the single remaining unit continues to function as a primary unit, maintaining the HA virtual MAC address for all of its interfaces.

 

Can you check how sessions are distributed and synchronized?

Execute below command on both members to see session counts:
diag sys session full-stat

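As an added illustration of the two points raised in this thread, monitored interfaces (so that a link failure on x1/x2 actually triggers failover) and gratuitous ARPs after failover (so the switches move the HA virtual MAC to the right port), here is a FortiOS CLI HA configuration with the verification commands. This is example configuration, not the poster's or Fortinet's own; the interface names x1/x2 come from the thread, while the heartbeat ports ha1/ha2, group name and priority are assumptions.

```text
# Added example, not the poster's configuration. Interface names x1/x2 are from
# the thread; heartbeat ports ha1/ha2, group name and priority are assumptions.
config system ha
    set group-name "ha-cluster"
    set mode a-a
    set hbdev "ha1" 50 "ha2" 50
    # Without the next line a link failure on x1/x2 does not trigger failover,
    # which matches the behaviour seen when both SFPs of one unit were pulled.
    set monitor "x1" "x2"
    # Keep the original primary from reclaiming the role automatically.
    set override disable
    set priority 200
    # Synchronize TCP sessions so the surviving unit keeps established flows.
    set session-pickup enable
    # Gratuitous ARPs after failover so the switches learn the new port for
    # the HA virtual MAC; link-failed-signal briefly drops the links as a
    # fallback for switches that do not honour the GARPs.
    set gratuitous-arps enable
    set arps 5
    set arps-interval 8
    set link-failed-signal enable
end

# Verification commands (run on both members):
# get system ha status             -> members, roles, monitored ports
# diagnose sys ha checksum cluster -> configuration checksums must match
# diagnose sys session full-stat   -> session counts per unit (as in the thread)
```

After pulling both SFPs from the primary, `get system ha status` on the surviving unit should show it as primary and the session count from `diagnose sys session full-stat` should remain close to the pre-failover figure.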
 

APV
New Contributor II

It's a new environment and doesn't have much traffic because the devices aren't connected to the network yet, but here is the output:

[Screenshot: sesiones.jpg]

The truth is that I do not understand the information in this output.

 

When you say "In A-A HA environment, both devices should process traffic." I'm not sure if you mean that the second firewall also receives traffic on its interfaces (this is not currently happening: if it does not become primary it does not receive traffic), or that it only processes information it receives from the first firewall.

 

Greetings and thanks for your help.

xshkurti

@APV 

Basically, the output states that there are 43 TCP sessions established.
If you execute the same command on the secondary unit, you will see some sessions established there as well. That would mean that both devices are handling traffic.
"In A-A HA environment, both devices should process traffic." With this I mean that both devices are handling traffic.
A great network diagram explaining how traffic is distributed between nodes is below:

FortiGate HA A-A cluster - 3-way TCP hand... - Fortinet Community

A 3-Way handshake is taken as an example to demonstrate how traffic flows between FortiGates and Switches.

Hope that this clarifies your questions.

APV
New Contributor II

Thanks for your answer again, I understood and I've verified the sessions in both firewalls, so basically both work great. Thanks for all.

[Screenshot: verify.jpg]

Greetings and have a good day ;)

 

xshkurti

Thanks @APV and happy that I could help you.
Have a nice time.
