Hi all!
I have a simple question about HA-cluster settings.
We have 2 Fortigate 92D in active-passive mode (Master=№1, Slave=№2)
The FortiOS version is v6.0.11 build0387 (GA) on both devices.
Recently, I have found that my Fortigate 92D №1 didn't become a Master after rebooting or restoring connections.
I had to return the Master role to the first Fortigate 92D manually.
As I understand it, by default, elections inside the HA cluster are launched every 5 minutes.
Is there something wrong with my configuration?
This is the Master (№1) config:
```
config system ha
    set group-id 10
    set group-name "HAGroup1"
    set mode a-p
    set password ENC *****************************
    set hbdev "internal13" 50 "internal14" 50
    set session-pickup enable
    set override disable
    set priority 150
end
```
The Slave(№2) config:
```
config system ha
    set group-id 10
    set group-name "HAGroup1"
    set mode a-p
    set password ENC *************************
    set hbdev "internal13" 50 "internal14" 50
    set session-pickup enable
    set override disable
    set priority 50
end
```
No. Election happens whenever some conditions change. Without override, the predominant deciding factor is uptime if monitored interfaces are all up on both units. The unit that has the longest uptime becomes the master. However, if the difference of uptime is 5 min or less, they would look for the next factor: serial numbers. The unit with the highest serial number takes the master role. I think that's your case.
Thanks for the answer!
Should I set up "set override enable" on both sides to change the situation?
I want to see Fortigate №1 as Master every time it appears in the HA cluster.
If you have to, you need to use override. But in most cases it's not recommended, even in FTNT documentation, because if a problem happens on the master and they swapped over at that time, it has to swap back when the problem is resolved on the master. It would cause two outages instead of one.
toshiesumi wrote:
If you have to, you need to use override. But in most cases it's not recommended, even in FTNT documentation, because if a problem happens on the master and they swapped over at that time, it has to swap back when the problem is resolved on the master. It would cause two outages instead of one.

Well, would the best solution be "set override enable" only on the Master Fortigate to avoid the problem?
Override won't work if only one has the config, even if it's allowed. But that's not the point of why override is not recommended. There is no particular good reason one of them needs to be the master when it can. They're exactly the same units, including licenses, hardware revisions, etc. It shouldn't matter which one is elected.
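The election behaviour discussed in this thread can be modelled in a few lines. This is an added example, not part of any post and not Fortinet code. The tie-breaker order (monitored interfaces, uptime, device priority, serial number, with priority moved ahead of uptime when override is enabled) follows Fortinet's HA documentation and is an assumption relative to this thread, as are the unit names, serial strings and uptimes; the priorities 150 and 50 are from the posted configs.

```python
from dataclasses import dataclass

UPTIME_MARGIN_S = 300  # the 5-minute uptime window mentioned in the thread

@dataclass
class Unit:
    name: str
    serial: str          # constructed placeholder, not a real serial number
    priority: int
    uptime_s: int
    monitored_up: int = 0
    override: bool = False

def elect(a, b):
    """Return the unit that wins the primary election between a and b."""
    def higher(key):
        ka, kb = key(a), key(b)
        return None if ka == kb else (a if ka > kb else b)

    def age():
        # Uptime only counts when the difference exceeds the margin.
        if abs(a.uptime_s - b.uptime_s) <= UPTIME_MARGIN_S:
            return None
        return higher(lambda u: u.uptime_s)

    def priority():
        return higher(lambda u: u.priority)

    # Assumption from the thread: override only takes effect when set on both units.
    middle = [priority, age] if (a.override and b.override) else [age, priority]
    steps = [lambda: higher(lambda u: u.monitored_up), *middle,
             lambda: higher(lambda u: u.serial)]
    for step in steps:
        winner = step()
        if winner is not None:
            return winner
    return a  # identical on every factor (cannot happen with unique serials)

def reboot_scenario(override):
    """Primary after each event: steady state, unit 1 down, unit 1 back."""
    u1 = Unit("FGT-1", "CONSTRUCTED-0001", 150, 86400, override=override)
    u2 = Unit("FGT-2", "CONSTRUCTED-0002", 50, 86400, override=override)
    history = [elect(u1, u2).name]
    history.append(u2.name)                      # unit 1 rebooting, unit 2 alone
    u1.uptime_s, u2.uptime_s = 60, u2.uptime_s + 600
    history.append(elect(u1, u2).name)           # unit 1 rejoins the cluster
    return history

def role_changes(history):
    """Number of primary switches, each one a failover event."""
    return sum(1 for x, y in zip(history, history[1:]) if x != y)
```

With override disabled, `reboot_scenario(False)` ends with FGT-2 still primary after one switch; with override enabled on both units, FGT-1 takes the role back and the cluster switches twice.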
It makes sense.
Thanks for the piece of advice.
The problem is solved.