Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

FortiGate Interface Monitoring HA Failover Not working

Hi All,

I've setup HA interface monitoring for FortiGate. When the link from primary unit down , the Firewall should Failover but it didn't failover and the primary unit still remain active regardless of the links fail.

I tried removing both FortiGate from HA and reconfigured and tested but still the same , the HA failover is not happening.  Are there any possibilities that could prevent from FortiGate Interface Monitoring to be stopped working? We are using version 7.2.0 .

K7SRA1ITFWFG03 (global) # get system ha
group-id : 12
group-name : HA-Group
mode : a-p
sync-packet-balance : disable
password : *
hbdev : "port21" 50 "port16" 22
session-sync-dev :
route-ttl : 10
route-wait : 0
route-hold : 10
multicast-ttl : 600
sync-config : enable
encryption : disable
authentication : disable
hb-interval : 2
hb-interval-in-milliseconds: 100ms
hb-lost-threshold : 6
hello-holddown : 20
gratuitous-arps : enable
arps : 5
arps-interval : 8
session-pickup : disable
link-failed-signal : disable
uninterruptible-upgrade: enable
uninterruptible-primary-wait: 30
standalone-mgmt-vdom: disable
ha-mgmt-status : enable
== [ 1 ]
id: 1
ha-eth-type : 8890
hc-eth-type : 8891
l2ep-eth-type : 8893
ha-uptime-diff-margin: 300
override : disable
priority : 150
monitor :"Port-channel100" "Port-channel102"
vcluster-status : disable
ha-direct : disable
ssd-failover : disable
memory-compatible-mode: disable
memory-based-failover: disable
failover-hold-time : 0
logical-sn : disable
override-wait-time : 0
pingserver-failover-threshold: 0
pingserver-secondary-force-reset: enable


When the link is down, check "get sys ha status". If either side of HA units detected the monitoring interface down it should show like below at the top of the output.


HA Health Status:

    WARNING: <serial_number> has mondev down;


I noticed you're monitoring two "port-channel"s and I'm assuming two of more connections are bound together. If only one connection goes down, the "link" doesn't go down. When you test, you need to pull all cables out in the "port-channel" or LAG.



Top Kudoed Authors