Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
robinct
New Contributor

Fortigate HA a-p gets confused

Hi,

 

I inherited an active-passive setup of two 60E units. As I understand, each unit connects to a separate Cisco switch for redundancy.

 

This have been running great for a few years, but after the service provider conducted maintenance on their switches we started to have problems where the uplink switches and our firewalls didn't agree which uplink switch that would be the primary. The quick solution was to disconnect one of the uplink switches, to force the HA to select the proper unit on our side.

 

This obviously doesn't work in the long run. The service provider suggested we might look at LACP and which was recently released for the 60E unit.

 

Suggestions? Is there an easier solution?

3 REPLIES 3
Toshi_Esumi
SuperUser
SuperUser

It depends on capability of upstream devices; switches and vendor router. But if the vendor router is capable for aggregates/LACP, as implied, and the Cisco switches are stackable, my prefered choice is always LACP between router<->stacked switches<->a/p FGT because of its simplicity (easy to maintain&troubleshoot) with enough redundancy.

Otherwise you need to maintain the full mesh set up, which you might have now.

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/432823/full-mesh-ha-example

 

fcb

Did you ever get a resolution here? If they are suggesting link aggregation then that would indicate to me that their "maintenance" screwed something up.. If

 

FW1 (Active) ------> ISP Switch1

FW2 (Passive)------> ISP Switch2

 

If you're in a an Active/Passive FGT config then FW2 isn't doing much and whatever it's connecting to should be fine unless those two ISP switches are stacked, then they best be sure STP is on.

 

Let me ask what interfaces on the FGT's are handling the HA Heartbeats and syncing of the cluster? Are those ports plugged into the switch? Into both switches? If so, this is likely the issue. In my clusters the HA and Heartbeat interfaces are directly connected with an ethernet cable, they do not go into a switch.

rwpatterson
Valued Contributor III

The heartbeat interfaces should be directly connected if you only have two devices. Skip the overhead of a third party device.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors