Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
farhang_gh
New Contributor

Created on ‎12-09-2018 01:48 AM

Active-Active HA Problem (Slave device is unreachable)

Dear guys,

We have two FortiGate 300E in an active-active cluster. HA port is up, configuration sync is OK and everything looks fine.

But the slave device is unreachable. We cannot ping any interface on slave device when directly connecting the slave device to laptop. Ping reply is "destination host is unreachable".

Then I enabled load-balance-all through command line, but same result.

Do you have any suggestion?

Thanks

 

7945
0 Kudos
1 Solution
ede_pfau
SuperUser
SuperUser

Created on ‎12-10-2018 01:55 PM

On the master unit, in CLI "exec ha manage 0" - can you login (telnet) across the HA link this way?

Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

Ede Kernel panic: Aiee, killing interrupt handler!
4016
0 Kudos
7 REPLIES 7
ede_pfau
SuperUser
SuperUser

Created on ‎12-10-2018 01:55 PM

On the master unit, in CLI "exec ha manage 0" - can you login (telnet) across the HA link this way?

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4017
0 Kudos
farhang_gh
New Contributor
In response to ede_pfau

Created on ‎12-10-2018 09:55 PM

Hi,

Yes I could.

3970
0 Kudos
farhang_gh
New Contributor
In response to farhang_gh

Created on ‎12-13-2018 01:40 AM

Any idea?

3970
0 Kudos
rdumitrescu
New Contributor III
In response to farhang_gh

Created on ‎12-13-2018 02:52 AM

Hi,

 

In a A/A cluster you a have a primary unit and a subordinate unit (Slave)

The subordinate unit is not meant to process arbitrary traffic but only the sessions that are offloaded to the subordinate unit by the primary unit.

In order words, the session setup always happen on the primary unit, then the primary unit can decide to offload the session to the subordinate unit.

 

Regards

Radu

3970
0 Kudos
farhang_gh
New Contributor
In response to farhang_gh

Created on ‎12-13-2018 03:22 AM

Hi,

Thanks for your answer, but even if I enabled load-balance-all? Or even by enabling sync packets?

In other words, no way for having two devices responsible to networks?

Thanks

3970
0 Kudos
rdumitrescu
New Contributor III
In response to farhang_gh

Created on ‎12-13-2018 07:59 AM

No, you cannot have two devices that actively process traffic.

The primary unit receive the traffic and decide to load-balance to other subordinate unit if the criteria is matched.

 

For better understanding you can find all the details under the section: HA and load balancing

https://docs.fortinet.com/uploaded/files/4304/fortigate-ha-60.pdf

 

Regards

Radu

3970
0 Kudos
lobstercreed
Valued Contributor
In response to rdumitrescu

Created on ‎12-13-2018 12:25 PM

What you *can* do is manage them using a special management interface as mentioned here:

 

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_operatingRes...

 

This is mainly so you can manage the second unit via GUI or for other monitoring(SNMP), but you can do what you need through CLI per Ede's response.

3970
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.