Seeking your assistance in regards to the issue we encountered in building HA between 2 FACs. Both FACs are reachable over IPsec VPN, and the remote FAC resides in OCI Cloud. On the HQ FAC, the status says connected, but on the FAC on the other side, the HA status states it's unreachable.
As initial steps to resolve the issue, I verified that all ports are open in OCI Cloud and performed a firmware upgrade, but to no avail.
Tried to reach out to TAC, but TAC focuses only on post-sales support activity. :)
Sending you a screenshot of HA settings and status for reference.
2022-07-03-15:29:17 Join_ack: HA schema mismatch.
2022-07-03-15:31:17 Loadbalancer: Send join request to #1
2022-07-03-15:31:17 Loadbalancer: received join ack from #1
2022-07-03-15:31:17 Join_ack: HA schema mismatch.------< what does it mean?
If you already tried to configure FortiAuthenticator and are running into issues, AND if your FortiAuthenticators have a support contract, you should still be able to open a ticket on your FortiAuthenticator ticket and request assistance.
-> you tried to configure according to available documentation
-> you are getting unexpected errors
What TAC does NOT do is configure the FortiAuthenticator from scratch for you, but this is not what you're asking us to do, from what I can see.
Regarding the HA schema mismatch:
- have you double-checked that the configured HA password is correct on both units?
- in addition, there may be issues with fragmentation:
-> a load-balancing pair establishes an OpenVPN tunnel between themselves
-> if the traffic goes via an IPSec tunnel, you essentially have a VPN inside a VPN
-> it is something to keep an eye on, but it doesn't necessarily happen
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Reconfigured my setup just to feel and experience how the FAC HA really works. Instead of both FACs seeing each other through IPsec, I installed both FACs on the same subnet and redid their config from scratch.
On Primary FAC configured HA settings
Chose Standalone Primary
Under LB defined FAC Slave IP
Now, on Slave FAC configured HA settings
Chose Load Balancer
Under LB defined FAC Primary IP
After those changes, I checked my HA status and I don't see any unusual error or notification in the FAC dashboard. To test my HA functionality, I created a local user or group and it automatically replicated to my slave unit. Looks fine and great! :)
Now, when I defined my RADIUS and LDAP settings, why didn't those changes appear in my slave unit?
I tried to refresh, rebuild tables and reconnect, hoping the changes would appear in the slave unit, but to no avail.