I just recently set up HA load-balancing between two FACs and wanted to share some notes regarding the ordeal.
Both systems are VMs, running 4.3.2. The first system (master) has been in production for about a year now, and I finally got the chance to configure an HA slave for it. They are in remote data centers, with no L2 inter-connect, so the load-balancing method was chosen since it allows for L3 connectivity. Primary use case is remote authentication using FortiToken Mobile, with both remote RADIUS and LDAP users. The FACs act as RADIUS servers for FortiGates.
Licensing Requirements
For both units you will need the following licensing:
You need a single license for these, i.e., these are registered to the master unit only:
Communication Between HA Units
Settings Not Synchronized
The admin guide states that in an HA load-balancing deployment not all settings are synced. It states:
Only the following authentication related features can be synchronized:
> Token and seeds
> Local user database
> Remote user database
> Group mappings
> Token and user mappings
Other features, such as FSSO and certificates, cannot be synchronized between devices.
Since the Remote user DB is synchronized, one would assume that the remote authentication servers these users source from would also be synchronized, but this did not happen on my system.
After establishing the HA cluster the following things did not automatically sync up:
- User Groups
- Remote LDAP Users
- LDAP Group Membership
- RADIUS Group Membership
- Group RADIUS Attributes
They all showed as synced with anomalies. The error details for the User Groups were:
Insert operation failed: Foreign key error: Entry for name=DOMAIN.COM not found in ldap_remoteldap on local server.
Insert operation failed: Foreign key error: Entry for name=RADIUS-SERVER not found in nas_radiusserver on local server.
After manually defining my remote RADIUS and LDAP servers all of these errors cleared.
BUT - that was not enough to get the HA system ready for traffic.
These are all of the things I had to manually redefine on the HA slave:
After replicating those things manually, the HA slave did work for remote authentication.
Issues Seen The First Try
The first time I setup the HA cluster, the primary unit did not work for remote authentication requests. Other than the HA sync errors detailed above, the logs indicated that the remote RADIUS secret was invalid. Even after manually changing on both sides (Microsoft NPS and FortiAuthenticator) the error persisted.
I ended up restoring from backup on the master and rebooting, and it worked again.
Two things are notable here:
Suggestions for HA Deployment for In-Production Systems
The second time I tried, it worked fine (other than the things that didn't automatically sync up). These are the steps I took that worked, and what I would suggest if you are going to turn a single-threaded FAC system already in production into a HA load-balancing cluster.
Preparation:
Deployment:
Remaining Issues
The only outstanding issue I can see right now is an error about FTM server credentials. It is only happening on the slave unit, not the master. I will open a ticket with FTAC and report back if I find a solution.
The log message is:
FTM server credentials: Update Failed
FortiGuard FTM Push Notification Update
Logs communication with FortiGuard regarding FTM push notification services
And is happening about every hour. I confirmed the system can reach out to FortiGuard, and the second system is licensed properly, so I am not sure what the issue is.
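Before pointing FortiGates at a rebuilt cluster member, it is worth confirming from the network that each FAC actually answers RADIUS authentication with the shared secret you expect. The script below is an added example and not part of the original post or any Fortinet tool: it builds an RFC 2865 Access-Request (PAP) with only the standard library, sends it to each node and checks the Response Authenticator against the secret, so a node whose RADIUS client entry has a different secret shows up as "bad-secret" rather than as a vague failure in the FortiGate logs. The node addresses, the shared secret, the test account and the NAS IP are assumed placeholders.

```python
"""Probe each FortiAuthenticator in an HA load-balancing pair with a RADIUS
Access-Request and check that the reply is signed with the expected shared secret.
Standard library only; RFC 2865 framing and PAP obfuscation are implemented inline."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
CODE_NAMES = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, incl. header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password (what the server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). A fixed authenticator is only for tests."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side of RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    Included so replies can be constructed offline for testing the verifier."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, ident, request_authenticator, secret):
    """Classify a reply: accept/reject/challenge when the authenticator matches our secret,
    otherwise 'bad-secret', 'mismatched-id' or 'malformed'."""
    if len(response) < 20:
        return "malformed"
    code, resp_ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response) or code not in CODE_NAMES:
        return "malformed"
    response = response[:length]  # octets beyond Length are padding (RFC 2865 3)
    if resp_ident != ident:
        return "mismatched-id"
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return "bad-secret"
    return CODE_NAMES[code]


def probe(host, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request to a node and classify the outcome. A RADIUS server silently
    discards requests from clients it does not know, so 'timeout' can mean the RADIUS client
    entry for this NAS is missing on that node, not only that the node is unreachable."""
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(ident, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return verify_response(data, ident, req_auth, secret)


if __name__ == "__main__":
    # Assumed placeholders: replace with the real master/slave addresses, the RADIUS
    # client secret configured on the FACs, a test account and this host's NAS IP.
    NODES = ["192.0.2.10", "192.0.2.20"]
    for node in NODES:
        print(node, probe(node, b"assumed-shared-secret", "testuser", "testpass", "192.0.2.1"))
```

Run it from a host that is defined as a RADIUS client on both units; both nodes should return the same verdict for the same credentials. "bad-secret" on one node only means that node's client entry carries a different secret, and "timeout" on one node only usually means the client entry was never replicated to it.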
An SE confirmed that manually replicating those objects is expected behavior. He is going to talk to the PM to see if there are plans to automatically sync that stuff up in a future release, when using the load-balancing method.
Hi,
Do I absolutely need a separate HA port in a VM environment?
1984
-1984-
Great post, thank you. You mentioned "Unassign and delete any trial tokens." I am getting an error stating this is an issue but am not seeing how to find the trial tokens, or how to remove the license. Mind sharing the specifics? Thank you!
Inside of the FAC, browse to here:
Authentication > User Management > FortiTokens
You should see them there, listed as trial tokens, and be able to delete them.
You might also want to look under:
System > Administration > FortiGuard > FortiToken Mobile Provisioning
I believe when trial tokens are still enabled, you can disable them there.
Copyright 2024 Fortinet, Inc. All Rights Reserved.