Seeking your assistance in regards to the issue we encountered in building HA bet 2 FACs. Both FACs reachability over IPSeC VPN and remote FAC resides in OCI Cloud. In HQ FAC Status says connected but FAC on other side HA status stated its unreachable.
Initial steps to resolve the issues, verified that all ports are open in OCI Cloud, performed firmware upgrade but no avail.
Tried to reached out to TAC but TAC focus only for post-sales support activity. :)
Sending you screenshot of HA settings and status for reference.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Slave FAC generated these kinds of logs
2022-07-03-15:29:17 Join_ack: HA schema mismatch.
2022-07-03-15:31:17 Loadbalancer: Send join request to #1
2022-07-03-15:31:17 Loadbalancer: received join ack from #1
2022-07-03-15:31:17 Join_ack: HA schema mismatch.------< what does it mean?
my FAC running on same firmware
Hey R_F,
if you already tried to configure FortiAuthenticator and are running into issues, AND if your FortiAuthenticators have a support contract, you should still be able to open a ticket on your FortiAuthenticator ticket and request assistance.
-> you tried to configure according to available documentation
-> you are gettting unexpected errors
What TAC does NOT do is configure the FortiAuthenticator from scratch for you, but this is not what you're asking us to do, from what I can see.
Regarding the HA schema mismatch:
- have you double-checked that the configured HA password is correct on both units?
- in addition, there may be issues with fragmentation:
-> a load-balancing pair establishes an OpenVPN tunnel between themselves
-> if the traffic goes via an IPSec tunnel, you essentially have a VPN inside a VPN
-> it is something to keep an eye on, but it doesn't necessarily happen
Deat @Debbie_FTNT
reconfigured my setup just to feel and experience how the FAC HA really works. instead of both FAC seeing thru IPSEC, I installed both FAC on same subnet and redo their config from the scratch.
On Primary FAC configured HA settings
Chose Standalone Primary
Define password
Under LB defined FAC Slave IP
Now, on Slave FAC configured HA settings
Chose Load Balancer
Define password
Under LB defined FAC Primary IP
afther those changes, checked my HA status and I dont see any unusuall error or notif in FAC dashboard. To test my HA functionalities I created local user or group and it automatically replicated to my slave unit. looks fine and great! :)
Now when I defined my Radius and LDAP settings, why those changes didnt appeared in my slave unit?
I tried to refresh, rebuild tables and reconnect hoping the changes will appear in slave unit but no avail.
Any help is much appreciated.
Hey R_F,
great that the two units are now communicating!
Regarding the RADIUS and LDAP settings:
- these do NOT get synced in a load-balancing setup
- only some select items get synced in a load-balancing setup
- you can refer to this KB for details: https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-configure-FortiAuthenticat...
-> essentially users and groups get synced, but nothing else (not even LDAP servers the users might have been imported from)
The point of a load-balancing setup is to have two essentially independent FortiAuthenicators (with their own RADIUS/LDAP/etc setup) that just have a shared user database
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.