Hello everyone,
we have recently bought two Fortigate 100f Firewall and set them Active Passive HA mode.
One would expect 1 Firewall to be active and 1 to passive, as the name suggests. But it looks like both are active?
The thing is, if I attach a Layer2 Switch with an IP address to FW1, it works and I can ping it. Just like expected.
If I connect the same Switch to FW2 only, it works and I can ping it. Strange, because FW1 is active?
If I connect the same Switch to FW1 and FW2 (for redundancy) my networks goes down, my laptop hangs and I cannot ping a thing. So looks like a double IP address issue.
So what am i doing wrong? Or do I not get how Active-Passive is suppose to work?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
Can you confirm what layer 2 switches you are using stack switch or separate switch.
side by side can you confirm those interfaces are getting monitered.
The two swtiches are seperate switches.
One is 10.10.10.5 and the other one is 10.10.10.6
Yes, all interfaces are monitored
How are switch1 and Switch 2 connected?
From where are you testing/initiating traffic?
When you disconnect cable from the active node, is there a failover due to monitored interface going down?
We have FW1 and FW2 connected to eachother with UTP via HA1 and HA2.
We have FW1 and FW2 connected to a simple 5Port Switch for Internet with UTP via WAN1
We have FW1 connected to Switch 1 with UTP via port 5 and to Switch 2 with UTP via port6
As soon as I plug in FW2 to Switch 1 with UTP via port 5 and to Switch 2 with UTP via port6 everything goes down and starts flapping.
And the strange thing is (in my opinion) it doesnt matter to which FW I connect the Switch. They will both be available and connected. But as soon as I connect 1 Switch bot both FW's it's goes wrong
Before you hook up one switch to both HAed FGTs, what do you see in "get sys ha status"? Please share us the key parts of the output.
<edit>I mean on both FGTs.</edit>
Toshi
SAB-IJS-FW-HA-01 # get sys ha status
HA Health Status: OK
Model: FortiGate-100F
Mode: HA A-P
Group Name: SAB-OT-HA
Group ID: 0
Debug: 0
Cluster Uptime: 106 days 5:7:36
Cluster state change time: 2023-07-12 13:52:45
Primary selected using:
<2023/07/12 13:52:45> vcluster-1: FG100FTK22034583 is selected as the primary because EXE_FAIL_OVER flag is set on peer member FG100FTK22034641.
<2023/07/12 13:52:45> vcluster-1: FG100FTK22034583 is selected as the primary because it's the only member in the cluster.
<2023/07/12 13:36:54> vcluster-1: FG100FTK22034583 is selected as the primary because EXE_FAIL_OVER flag is set on peer member FG100FTK22034641.
<2023/07/12 13:36:53> vcluster-1: FG100FTK22034583 is selected as the primary because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Primary : SAB-IJS-FW-HA-01, FG100FTK22034583, HA cluster index = 1
Secondary : SAB-IJS-FW-HA-02, FG100FTK22034641, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Primary: FG100FTK22034583, HA operating index = 0
Secondary: FG100FTK22034641, HA operating index = 1
----------
SAB-IJS-FW-HA-02 # get sys ha status
HA Health Status: OK
Model: FortiGate-100F
Mode: HA A-P
Group Name: SAB-OT-HA
Group ID: 0
Debug: 0
Cluster Uptime: 106 days 5:15:23
Cluster state change time: 2023-07-12 13:36:55
Primary selected using:
<2023/07/12 13:36:55> vcluster-1: FG100FTK22034583 is selected as the primary because EXE_FAIL_OVER flag is set on peer member FG100FTK22034641.
<2023/07/12 13:36:55> vcluster-1: FG100FTK22034641 is selected as the primary because it's the only member in the cluster.
<2023/07/12 13:36:51> vcluster-1: FG100FTK22034583 is selected as the primary because EXE_FAIL_OVER flag is set on peer member FG100FTK22034641.
<2023/07/12 13:36:39> vcluster-1: FG100FTK22034641 is selected as the primary because it's the only member in the cluster.
ses_pickup: enable, ses_pickup_delay=disable
override: disable
Secondary : SAB-IJS-FW-HA-02, FG100FTK22034641, HA cluster index = 0
Primary : SAB-IJS-FW-HA-01, FG100FTK22034583, HA cluster index = 1
number of vcluster: 1
vcluster 1: standby 169.254.0.2
Secondary: FG100FTK22034641, HA operating index = 1
Primary: FG100FTK22034583, HA operating index = 0
You probably fogot to unset forced failover.
But otherwise it looks normal HA-wise.
Just unset the failover, then try hooking up one switch to port5 on both FGTs then quickly check this HA status again.
Looks like you hid "Configuration Status:" part as well but before testing again, make sure both are "in-sync" each other.
Toshi
In an Active-Passive High Availability (HA) setup with FortiGate firewalls, only one firewall should be active at any given time, while the other remains passive, ready to take over in case of a failure. It seems like there may be a misconfiguration or issue with your HA setup. Here are a few things to consider and troubleshoot:
1. HA Configuration: Verify that you have correctly configured the firewalls for HA. Ensure that you have designated one firewall as the primary (active) unit and the other as the secondary (passive) unit. Check that the HA heartbeat interface is properly configured and connected between the firewalls.
2. HA Synchronization: Confirm that the HA synchronization is working correctly. The active unit should synchronize its configuration, policies, and session information to the passive unit. Check the HA synchronization status and logs to ensure there are no errors or discrepancies.
3. Interface Configuration: Review the interface configurations on both firewalls. Ensure that the interfaces connected to your Layer 2 switch are properly configured and assigned to the correct zones or VLANs. Verify that the interface states and link status are correct.
4. IP Address Conflict: It seems like there might be an IP address conflict when you connect both firewalls to the switch. Check the IP address assignments for the interfaces on each firewall. Ensure that there are no duplicate IP addresses or overlapping subnets. Each firewall should have unique IP addresses assigned to its interfaces.
5. Switch Configuration: Review the configuration of the Layer 2 switch. Ensure that it is not causing any issues with the firewall connectivity or creating a loop in the network. Check for any spanning tree protocol misconfigurations or loop prevention mechanisms that could be affecting the network.
6. Log Analysis: Check the firewall logs for any error messages, warnings, or indications of a problem. Look for any HA-related messages or network connectivity issues that could provide insight into the cause of the problem.
If you have gone through these troubleshooting steps and the issue persists, it is recommended to reach out to Fortinet support or consult with a network specialist who can further analyze your HA configuration and assist in resolving the problem.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.