Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fjulianom
New Contributor III

Created on ‎06-10-2025 06:23 AM

FortiGate HA active-active traffic flow doubt

Hi community,

 

Looking at the following post, it seems FGT-1 sends the SYN to FGT-2 through the LAN switch.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-A-A-cluster-3-way-TCP-handsha...

 

In the following situation, what happens if link 1 goes down? The SYN cannot be distributed from FGT-1 to FGT-2, then does the active-active configuration stop working? If not, what happens?

 

fjulianom_0-1749561572081.png

 

Regards,

Julián

208
0 Kudos
1 Solution
AEK
SuperUser
SuperUser

Created on ‎06-10-2025 07:56 AM

Hi Julian

If link 1 goes down even syn from client will not reach the primary FW, the default gateway of the client will simply not be reachable anymore. In that case the active-active HA still works but is useless, since your client network is just isolated from the rest of the world.

I think the best to do is to set link 1 as monitored interface in your HA config, so the primary will fail-over when link 1 goes down.

AEK

View solution in original post

AEK
192
5 REPLIES 5
AEK
SuperUser
SuperUser

Created on ‎06-10-2025 07:56 AM

Hi Julian

If link 1 goes down even syn from client will not reach the primary FW, the default gateway of the client will simply not be reachable anymore. In that case the active-active HA still works but is useless, since your client network is just isolated from the rest of the world.

I think the best to do is to set link 1 as monitored interface in your HA config, so the primary will fail-over when link 1 goes down.

AEK
AEK
193
fjulianom
New Contributor III
In response to AEK

Created on ‎06-10-2025 10:51 AM

Hi AEK,

 

If link 1 goes down even syn from client will not reach the primary FW, the default gateway of the client will simply not be reachable anymore. In that case the active-active HA still works but is useless, since your client network is just isolated from the rest of the world.

But if my client network is isolated from the rest of the world is like that active-active HA doesn't work.

 

I think the best to do is to set link 1 as monitored interface in your HA config, so the primary will fail-over when link 1 goes down.

Good point, if primary fails-over when link 1 goes down, now the default gateway will be reachable. In that case the clients will not be isolated, but there will not be load balance because the new primary will not be able to forward packets to the new secondary through the switch because link 1 is down. Is that right?

 

Regards,

Julián

166
0 Kudos
AEK
SuperUser
SuperUser
In response to fjulianom

Created on ‎06-10-2025 02:24 PM

FortiGate's active-active is not like Forcepoint's.

FGT's active-active is not a true active-active, here only one FGT (the primary) will receive the packets from client, while the secondary active will receive some offloading from primary only, but nothing from the client.

In case your link 1 is down, if the primary doesn't fail over then your network is isolated. Once it fails over then the clients will see their gateway again through link 2.

AEK
AEK
143
fjulianom
New Contributor III
In response to AEK

Created on ‎06-10-2025 11:08 PM

Hi AEK,

 

Yes, I understand. But in case we monitor link 1 and primary fails over, there will not be load balance because primary will not be able to forward packets to secondary through switch, is that right?

 

Regards,

Julián

121
0 Kudos
AEK
SuperUser
SuperUser
In response to fjulianom

Created on ‎06-11-2025 02:12 AM

Hi Julian

 

According to the tech tip you shared I fully agree with you.

You can also check this page to understand more how A-A HA works.

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/966077/ha-and-load-balancing

 

On the other hand, personally in all my integrations I never used FGT in A-A HA mode since I'm still not convinced of its added value. I always set it up in A-P HA, and sometimes with virtual clustering when I have VDOMs in order to avoid having unemployed nodes, and because I think virtual clustering can be more efficient than A-A HA.

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/599385/ha-virtual-cluster-se...

Hope it helps.

AEK
AEK
100
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.