FortiGate Interface Monitoring HA Failover Not working
Hi All,
I've set up HA interface monitoring for FortiGate. When the link from the primary unit goes down, the firewall should fail over, but it didn't fail over and the primary unit still remained active regardless of the failed links.
I tried removing both FortiGates from HA, reconfiguring and testing, but it is still the same: the HA failover is not happening. Are there any possibilities that could cause FortiGate interface monitoring to stop working? We are using version 7.2.0.
K7SRA1ITFWFG03 (global) # get system ha
group-id : 12
group-name : HA-Group
mode : a-p
sync-packet-balance : disable
password : *
hbdev : "port21" 50 "port16" 22
session-sync-dev :
route-ttl : 10
route-wait : 0
route-hold : 10
multicast-ttl : 600
sync-config : enable
encryption : disable
authentication : disable
hb-interval : 2
hb-interval-in-milliseconds: 100ms
hb-lost-threshold : 6
hello-holddown : 20
gratuitous-arps : enable
arps : 5
arps-interval : 8
session-pickup : disable
link-failed-signal : disable
uninterruptible-upgrade: enable
uninterruptible-primary-wait: 30
standalone-mgmt-vdom: disable
ha-mgmt-status : enable
ha-mgmt-interfaces:
== [ 1 ]
id: 1
ha-eth-type : 8890
hc-eth-type : 8891
l2ep-eth-type : 8893
ha-uptime-diff-margin: 300
override : disable
priority : 150
monitor :"Port-channel100" "Port-channel102"
pingserver-monitor-interface:
vcluster-status : disable
ha-direct : disable
ssd-failover : disable
memory-compatible-mode: disable
memory-based-failover: disable
failover-hold-time : 0
logical-sn : disable
override-wait-time : 0
pingserver-failover-threshold: 0
pingserver-secondary-force-reset: enable
Labels: FortiGate
When the link is down, check "get sys ha status". If either of the HA units detected the monitored interface down, it should show like below at the top of the output.
HA Health Status:
WARNING: <serial_number> has mondev down;
I noticed you're monitoring two "port-channel"s, and I'm assuming two or more connections are bound together. If only one connection goes down, the "link" doesn't go down. When you test, you need to pull all cables out of the "port-channel" or LAG.
Toshi
Hello,
I have the same issue with a VM cluster of FortiGate. When I try to test whether link failover is happening by administratively taking down a monitored interface like port1 on the primary FortiGate, the odd thing is that the failover doesn't happen, and also the port1 that I took down on the primary gets automatically taken down on the secondary too and causes a complete denial of service; it's synchronizing the state of the monitored interface onto the secondary member. When one member's monitored interface goes down, it takes it down on the other member as well. o_O
Created on 03-06-2025 05:34 PM Edited on 03-06-2025 05:36 PM
Of course, that's expected. You can't simulate the connection going down by "changing config" in HA. You have to pull the cable, or shut down the interface on the opposite side (switch side?) of the cable.
Toshi
Hi Toshi,
Thank you for your response.
We have the FortiGate VMs connected to a virtual switch, and we disconnect the link between the monitored interface and the switch, and no failover happens. I also left the link connected and took down the switch interface that is connected to the monitored interface of the primary FortiGate, and no failover happened. I just couldn't trigger failover with monitored interfaces in a virtual environment.
Version 7.0.
Created on 03-06-2025 08:29 PM Edited on 03-06-2025 08:32 PM
Not sure if the regular monitoring method (L1/L2) would work in your VM environment. Did you check "get sys ha status" as I posted above and see "WARNING"? I assumed the original poster's case was NOT a VM. Then your case is NOT the same, despite your claim that it is. That's why I don't like someone stealing/hijacking somebody else's post.
If you didn't see "WARNING" when you tried to replicate the down situation, the detection method doesn't work. Then you likely need to set up a ping method to let the FGT-VM detect the link down. This is one of the KBs:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-set-HA-ping-server-threshold/ta-p/1...
You can experiment by tweaking some parameters to find the best way to meet your expectation of HA failover behavior. You need to keep checking "get sys ha status" to see what & when it detected and triggered the primary selection procedure.
Toshi
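The two checks Toshi describes (the "WARNING: <sn> has mondev down;" line in "get sys ha status", and whether a monitored port-channel or a missing ping-server setup explains a failover that never triggers) as a small review script. This is an added example, not code from the thread or from Fortinet; the "get system ha" sample reuses the fields posted above, the status sample is constructed, and the serial number and the port-channel name pattern are assumptions.

```python
import re

# Constructed sample of "get system ha" output, using the thread's own field values.
HA_CONFIG = """\
mode : a-p
hbdev : "port21" 50 "port16" 22
override : disable
priority : 150
monitor :"Port-channel100" "Port-channel102"
pingserver-monitor-interface:
pingserver-failover-threshold: 0
"""

# Constructed sample of the top of "get sys ha status" on a unit that has
# detected a monitored interface (mondev) down; the serial is a placeholder.
HA_STATUS_DOWN = """\
HA Health Status:
WARNING: FGVMXXXXXXXXXXXX has mondev down;
Model: FortiGate-VM64
Mode: HA A-P
"""

def parse_ha_config(text):
    """Pull the settings relevant to interface monitoring out of 'get system ha'."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # 'monitor :"a" "b"' -> key 'monitor'
        if sep:
            cfg[key.strip()] = value.strip()
    return {
        "monitor": re.findall(r'"([^"]+)"', cfg.get("monitor", "")),
        "pingserver_ifaces": re.findall(r'"([^"]+)"', cfg.get("pingserver-monitor-interface", "")),
        "pingserver_threshold": int(cfg.get("pingserver-failover-threshold") or 0),
        "override": cfg.get("override") == "enable",
        "priority": int(cfg.get("priority") or 0),
    }

def mondev_down_units(status_text):
    """Serial numbers flagged by 'WARNING: <sn> has mondev down;' in 'get sys ha status'."""
    return re.findall(r"WARNING:\s+(\S+)\s+has mondev down;", status_text)

def monitoring_findings(cfg, status_text):
    """Findings to review when a monitored link is pulled but no failover happens."""
    findings = []
    if not cfg["monitor"]:
        findings.append("no monitored interfaces configured")
    for iface in cfg["monitor"]:
        # Assumed naming: an aggregate only reports link-down once every member is down.
        if re.match(r"(?i)port-?channel|lag|agg", iface):
            findings.append(f"{iface} is an aggregate: link stays up until every member link is down")
    if not mondev_down_units(status_text):
        findings.append("no 'mondev down' warning: L1/L2 link-state detection did not trigger")
        if not cfg["pingserver_ifaces"]:
            findings.append("pingserver-monitor-interface is empty: consider the ping-server method")
    return findings
```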
