Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Prometheus
New Contributor II

Devices unreachable after setting active-active

Hi,

 

I have two FortiADC's running the latest firmware 5.0.1. I setup both devices with default values and after this initial setup I configured active-active on them. After the active-active setting the GUI is unreachable and the devices cannot be pinged. Checking using putty and the console cable I found out that the HA config is working fine the something in the network got messed-up. The device ant even ping itsself. 

 

I tried to view whats in the IPtables routing table but I was unable to list it. Changing the devices IP address (hoping it would reregister) did not have any effect. When you breakup the HA to standalone the devices resolve to normal and function again. Active-Passive seems to work as well.

 

Anyone got some ideas of how to deal with this? I already created a ticket but still though it to be wise to also ask the question here.

4 REPLIES 4
Prometheus
New Contributor II

Ok here is what I did wrong, and I found out using help from Fortinet. I put the IP on the interface which doesnt work anymore after Active-Active is setup. After Active-Active setup you must remove the IP from the interface and on each device create a management IP (each device diffrent IP).

boneyard
Valued Contributor

Thanks for reporting back Prometheus. Are you using Active-Active or Active-Active-VRRP? with Active-Active all documentation points to different IPs on the FortiADCs, so how is that possible if you can't use Interface IPs?

Prometheus
New Contributor II

Hi Boneyard,

 

In the ADC from the GUI you go to Network > Interface, and here you can give up what the IP address of each port should be. But you have to leave this untouched, there is an specific setting for management IP. You can say management port is port1 and management IP is x.x.x.x then management is only possible on that specific port and IP but you can still fully use port1 for other functionalities.

 

So the management IP is more of a virtual IP on top of the selected port.

boneyard
Valued Contributor

i don't fully agree. if i put an mgmt IP on that port, i can't use a same IP range for the actual IP.

 

i don't see the use of two different IPs with routing requirements and such on the same interface. what is it doing extra?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors