Hi,
We're running a pair of 1000C's in A-P (v5.0,build3608 (GA Patch 7)).
We currently manage both FW's using MGMT1 with one dedicated IP.
Does anyone how to give the primary and secondary separate dedicated MGMT IP's ?
I'd like to use MGMT 1 on Primary and MGMT 2 on secondary - each with a different IP address.
Thanks,
PJ
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello mark9885,
I 've had the same error.
In my case, this error has been resolved by deleting :
- static route associated to mgmt
- source-ip setting in the syslog server config
Maybe that the error could appear if the mgmt interface is part of firewall policies, this error could appear to.
I guess that the interface has not to be part of a specific configuration before to be used as reserved management interface.
You may try enable "ha-magmt-status " on both Master and Slave, set up different IP, you can manage Master and Slave with different IP.
Config sys ha
set ha-mgmt-status enable set ha-mgmt-interface xx set ha-mgmt-interface-gateway x.x.x.x
end
Thanks Jeff!!!
il get a change scheduled and test this out.
Jeff_FTNT wrote:You may try enable "ha-magmt-status " on both Master and Slave, set up different IP, you can manage Master and Slave with different IP.
Config sys ha
set ha-mgmt-status enable set ha-mgmt-interface xx set ha-mgmt-interface-gateway x.x.x.x
end
Hi Jeff,
Sorry for hijacking this thread :).
Can you help or provide best practice on how to upgrade FGT 1240B in A-A and A-P. My client wants a smooth upgrade or no downtime as possible since they are airlines company.If my memory sevrves well they are using ver 4.0 MR2 Patch X, I am planning to upgrade to ver 4.0 MR3 Patch X.
In my own lab using FWF 60C simulated HA in A-A, seems I cant perfect to upgrade the firmware without downtime or interruption.Been read the admin guide and other posts seems I cant accomplished it.
Assuming, upgrade of firmware goes well. Since they are using FSSO for authentication, do I need to uninstall the old FSSO and install the new one or just installing new version of FSSO without reinstalling the old version?
Regards
Fortigate Newbie
hey Jeff
Does this change asks for reboot . ( it shouldnt " / wanted to be double sure before putting this change in prod )
exp0
Jeff_FTNT wrote:You may try enable "ha-magmt-status " on both Master and Slave, set up different IP, you can manage Master and Slave with different IP.
Config sys ha
set ha-mgmt-status enable set ha-mgmt-interface xx set ha-mgmt-interface-gateway x.x.x.x
end
It will not ask for reboot,thanks
ggosain wrote:hey Jeff
Does this change asks for reboot . ( it shouldnt " / wanted to be double sure before putting this change in prod )
exp0
Jeff_FTNT wrote:You may try enable "ha-magmt-status " on both Master and Slave, set up different IP, you can manage Master and Slave with different IP.
Config sys ha
set ha-mgmt-status enable set ha-mgmt-interface xx set ha-mgmt-interface-gateway x.x.x.x
end
Hi Fullmoon,
HA have a option:set uninterruptable-upgrade {disable | enable}
You may try it in LAB with "set uninterruptable-upgrade enable". Before upgrade, it is better to back up setting.
For FSSO, no need any change, the user information will get from Windows AD server after upgrade. Hope it have some help, thanks.
Jeff_FTNT wrote:Hi Fullmoon,
HA have a option:set uninterruptable-upgrade {disable | enable}
You may try it in LAB with "set uninterruptable-upgrade enable". Before upgrade, it is better to back up setting.
For FSSO, no need any change, the user information will get from Windows AD server after upgrade. Hope it have some help, thanks.
I Jeff thank you for your reply. I guess by default "set uninterruptable-upgrade" was set to Enable. In my lab tried to upgrade my HA A-A couple of times with same effect.
Pls correct me if Im wrong if these procedure are correct, In my lab, updating my HA A-A thru GUI and to get a better picture whats going on behind my slave unit connect my console cable and seems updating works fine,I had a computer continuesly pinging to fortigate local ip and www.yahoo.com to check if theres any lose or rto's. Wait for a couple of minutes, then upgrade the firmware of the Master unit thru GUI, heres what I found out, seems Slave unit takes time to kick-in while the Master unit is the process of firmware upgrade. And I got 5-10 rto's before everything backs to normal.
Heres my HA settings for better picture
system hagroup-id : 0 group-name : FGT-HA mode : a-a password : * hbdev : "internal1" 50 session-sync-dev : route-ttl : 10 route-wait : 0 route-hold : 10 sync-config : enable encryption : disable authentication : disable hb-interval : 2 hb-lost-threshold : 6 helo-holddown : 20 arps : 5 arps-interval : 8 session-pickup : enable session-pickup-connectionless: disable session-pickup-delay: disable update-all-session-timer: disable session-sync-daemon-number: 1 link-failed-signal : disable uninterruptable-upgrade: enable ha-mgmt-status : enable ha-mgmt-interface : internal5 ha-mgmt-interface-gateway: 0.0.0.0 ha-eth-type : 8890 hc-eth-type : 8891 l2ep-eth-type : 8893 ha-uptime-diff-margin: 300 vcluster2 : disable vcluster-id : 1 override : disable priority : 128 schedule : round-robin monitor : "internal4" "wan1" pingserver-monitor-interface: pingserver-failover-threshold: 0 pingserver-flip-timeout: 60 vdom : "root" load-balance-all : disable
Fortigate Newbie
"then upgrade the firmware of the Master unit thru GUI, heres what I found out, seems Slave unit takes time to kick-in while the Master unit is the process of firmware upgrade."
Did you upgrade from Slave GUI firstly ?
For upgrade, we just login from Master GUI and do upgrade. Master will send image to Slave and upgrade, Master wait for Slave finish upgrade, then upgrade itself. Thanks.
Hi Jeff
The working mechanism of 'uninterruptable-upgrade' if ENABLED is as follows - I log into the webgui - the webgui will show me the master - I uploaded the firmware to the master - the master will transfer the firmware to the slave using the heartbeat cable - the slave will perform the firmware upgrade first - during the slave upgrade, there will be no downtime because the master is still up - when the slave is up,---------- The Master Unit didnt perform firmware upgrade this is the portion where I am lost. I can't comprehend why my Master unit didn't performing firmware upgrade. After the Slave successfully upgraded and totally UP, I waited for almost 10 mins or more to check what would happen next but it seems in GUI Master didn't initiate firmware upgrade until i forced to upload manually the firmware to Master unit. Can you spot my error why my Master didn't update its firmware after Slave successfully updated?
thanks
Fortigate Newbie
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
229 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.