R_F
Contributor

FAC HA unable to sync

Seeking your assistance regarding an issue we encountered in building HA between 2 FACs. Both FACs have reachability over an IPsec VPN, and the remote FAC resides in OCI Cloud. On the HQ FAC the status says connected, but the HA status on the FAC on the other side states it is unreachable.

Initial steps to resolve the issue: verified that all ports are open in OCI Cloud, performed a firmware upgrade, but to no avail.

Tried to reach out to TAC, but TAC focuses only on post-sales support activity. :)

Sending you screenshots of the HA settings and status for reference (attached: HA settings.jpg, HA Status.jpg).

R_F
Contributor

The slave FAC generated these kinds of logs:

2022-07-03-15:29:17 Join_ack: HA schema mismatch.
2022-07-03-15:31:17 Loadbalancer: Send join request to #1
2022-07-03-15:31:17 Loadbalancer: received join ack from #1
2022-07-03-15:31:17 Join_ack: HA schema mismatch.------< what does it mean?

My FACs are running on the same firmware.
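The log lines quoted above follow a simple `<timestamp> <component>: <message>` layout, so they can be parsed and watched for repeated join rejections. The following is an added example, not code from the thread or from Fortinet: it parses constructed sample lines modelled on the ones posted, counts the load balancer's join attempts, and raises an alert when the "HA schema mismatch" ack repeats within a time window, listing the checks that come up later in this thread (HA password, fragmentation across another VPN, firmware level). The sample text, the window length and the threshold are assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample modelled on the lines quoted in this thread
# (format: <YYYY-MM-DD-HH:MM:SS> <component>: <message>); not a real unit's export.
SAMPLE_HA_LOG = """\
2022-07-03-15:29:17 Join_ack: HA schema mismatch.
2022-07-03-15:31:17 Loadbalancer: Send join request to #1
2022-07-03-15:31:17 Loadbalancer: received join ack from #1
2022-07-03-15:31:17 Join_ack: HA schema mismatch.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}) (?P<component>\w+): (?P<msg>.*)$"
)


def parse_ha_log(text: str) -> List[Dict]:
    """Turn raw HA log text into a list of {ts, component, msg} events.
    Lines that do not match the expected layout are skipped, not guessed at."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d-%H:%M:%S"),
            "component": m["component"],
            "msg": m["msg"],
        })
    return events


def join_cycles(events: List[Dict]) -> int:
    """Count join requests the load balancer sent; each one is an attempt to join the primary."""
    return sum(
        1 for e in events
        if e["component"] == "Loadbalancer"
        and e["msg"].lower().startswith("send join request")
    )


def schema_mismatch_alert(events: List[Dict], min_count: int = 2,
                          window: timedelta = timedelta(minutes=10)) -> Optional[Dict]:
    """Alert when at least `min_count` 'HA schema mismatch' join acks fall within `window`.
    One mismatch may be transient (e.g. during an upgrade); a repeating one means the
    join is being rejected consistently and the HA settings on both units need review."""
    hits = [e["ts"] for e in events
            if e["component"] == "Join_ack" and "schema mismatch" in e["msg"].lower()]
    for i in range(len(hits) - min_count + 1):
        if hits[i + min_count - 1] - hits[i] <= window:
            return {
                "count": len(hits),
                "first": hits[0],
                "last": hits[-1],
                "join_attempts": join_cycles(events),
                # checks raised in this thread; order is an assumption
                "checks": [
                    "HA password identical on both units",
                    "MTU/fragmentation if HA traffic crosses another VPN",
                    "same firmware on both units",
                ],
            }
    return None


if __name__ == "__main__":
    evs = parse_ha_log(SAMPLE_HA_LOG)
    print(f"{len(evs)} events, {join_cycles(evs)} join attempt(s)")
    print(schema_mismatch_alert(evs))
```

Feed it the slave unit's HA log instead of the sample and the alert fires only when the rejection is persistent, which is the case worth raising with TAC.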

Debbie_FTNT

Hey R_F,

If you already tried to configure FortiAuthenticator and are running into issues, AND if your FortiAuthenticators have a support contract, you should still be able to open a ticket on your FortiAuthenticator and request assistance:

-> you tried to configure according to available documentation

-> you are getting unexpected errors

What TAC does NOT do is configure the FortiAuthenticator from scratch for you, but this is not what you're asking us to do, from what I can see.

 

Regarding the HA schema mismatch:

- have you double-checked that the configured HA password is correct on both units?

- in addition, there may be issues with fragmentation:
-> a load-balancing pair establishes an OpenVPN tunnel between themselves
-> if the traffic goes via an IPSec tunnel, you essentially have a VPN inside a VPN

-> it is something to keep an eye on, but it doesn't necessarily happen

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
R_F
Contributor

Dear @Debbie_FTNT,

I reconfigured my setup just to feel and experience how FAC HA really works. Instead of both FACs seeing each other through IPsec, I installed both FACs on the same subnet and redid their config from scratch.

On the primary FAC, configured HA settings:

Chose Standalone Primary

Defined password

Under LB, defined the FAC slave IP

Now, on the slave FAC, configured HA settings:

Chose Load Balancer

Defined password

Under LB, defined the FAC primary IP

After those changes, I checked my HA status and I don't see any unusual error or notification in the FAC dashboard. To test my HA functionality I created a local user or group and it automatically replicated to my slave unit. Looks fine and great! :)

Now, when I defined my RADIUS and LDAP settings, why didn't those changes appear in my slave unit?

I tried to refresh, rebuild tables and reconnect, hoping the changes would appear in the slave unit, but to no avail.

Any help is much appreciated.

Debbie_FTNT

Hey R_F,

great that the two units are now communicating!

Regarding the RADIUS and LDAP settings:

- these do NOT get synced in a load-balancing setup

- only some select items get synced in a load-balancing setup

- you can refer to this KB for details: https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-configure-FortiAuthenticat...

-> essentially users and groups get synced, but nothing else (not even LDAP servers the users might have been imported from)

The point of a load-balancing setup is to have two essentially independent FortiAuthenticators (with their own RADIUS/LDAP/etc. setup) that just have a shared user database.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
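Because a load-balancing pair shares only the user database, the RADIUS clients and LDAP servers on the two units have to be kept aligned by hand, and nothing on the units themselves warns when they drift apart. The following is an added example, not code from the thread or from Fortinet: it compares two constructed snapshots of those non-synced sections and reports what is missing on one side or configured differently. The snapshot layout, section names and all values are assumptions; a real run would populate them from whatever configuration export the operator already uses, and shared secrets should only ever be compared as fingerprints, never copied into such a snapshot.

```python
from typing import Any, Dict, List

# Constructed snapshots of the settings each unit holds locally; none of these values
# come from a real FortiAuthenticator. Secrets are represented by a fingerprint
# placeholder, never the secret itself.
PRIMARY_UNIT: Dict[str, Dict[str, Dict[str, Any]]] = {
    "radius_clients": {
        "fgt-hq": {"ip": "10.10.0.1", "secret_fingerprint": "<fp-A>", "profile": "mfa"},
    },
    "ldap_servers": {
        "corp-ad": {"host": "ad.example.internal", "port": 636, "tls": True},
    },
}
LB_UNIT: Dict[str, Dict[str, Dict[str, Any]]] = {
    "radius_clients": {},  # the RADIUS client was never added on the LB unit
    "ldap_servers": {
        # same server name, but plain LDAP instead of LDAPS: an easy drift to miss
        "corp-ad": {"host": "ad.example.internal", "port": 389, "tls": False},
    },
}

# Sections the thread says are NOT replicated in load-balancing mode (assumed names).
UNSYNCED_SECTIONS = ("radius_clients", "ldap_servers")


def diff_unsynced_settings(primary: Dict, lb: Dict,
                           sections=UNSYNCED_SECTIONS) -> List[Dict[str, Any]]:
    """Return one finding per object that is absent on a unit or differs between them.
    Findings are ordered by section (as given) and then by object name."""
    findings: List[Dict[str, Any]] = []
    for section in sections:
        p_items = primary.get(section, {})
        l_items = lb.get(section, {})
        for name in sorted(set(p_items) | set(l_items)):
            if name not in l_items:
                findings.append({"section": section, "name": name, "status": "missing_on_lb"})
            elif name not in p_items:
                findings.append({"section": section, "name": name, "status": "missing_on_primary"})
            else:
                # Compare field by field so the report says *what* differs, not just that it does.
                fields = sorted(
                    k for k in set(p_items[name]) | set(l_items[name])
                    if p_items[name].get(k) != l_items[name].get(k)
                )
                if fields:
                    findings.append({"section": section, "name": name,
                                     "status": "differs", "fields": fields})
    return findings


def format_report(findings: List[Dict[str, Any]]) -> str:
    """Human-readable summary for a change ticket or a scheduled check."""
    if not findings:
        return "OK: non-synced settings match on both units"
    lines = [f"{len(findings)} drift finding(s) between primary and load balancer:"]
    for f in findings:
        detail = f" ({', '.join(f['fields'])})" if f["status"] == "differs" else ""
        lines.append(f"  [{f['section']}] {f['name']}: {f['status']}{detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_unsynced_settings(PRIMARY_UNIT, LB_UNIT)))
```

Run after every RADIUS or LDAP change on either unit (or on a schedule) and any non-empty report is the list of items that still have to be applied manually on the other side.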