Hi,
I inherited an active-passive setup of two 60E units. As I understand, each unit connects to a separate Cisco switch for redundancy.
This has been running great for a few years, but after the service provider conducted maintenance on their switches we started to have problems where the uplink switches and our firewalls didn't agree on which uplink switch would be the primary. The quick solution was to disconnect one of the uplink switches, to force the HA to select the proper unit on our side.
This obviously doesn't work in the long run. The service provider suggested we might look at LACP, which was recently released for the 60E unit.
Suggestions? Is there an easier solution?
It depends on the capability of the upstream devices: the switches and the vendor router. But if the vendor router is capable of aggregates/LACP, as implied, and the Cisco switches are stackable, my preferred choice is always LACP between router<->stacked switches<->a/p FGT because of its simplicity (easy to maintain & troubleshoot) with enough redundancy.
Otherwise you need to maintain the full mesh set up, which you might have now.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/432823/full-mesh-ha-example
Did you ever get a resolution here? If they are suggesting link aggregation then that would indicate to me that their "maintenance" screwed something up. If:
FW1 (Active)  ------> ISP Switch1
FW2 (Passive) ------> ISP Switch2
If you're in an Active/Passive FGT config then FW2 isn't doing much and whatever it's connecting to should be fine unless those two ISP switches are stacked, then they best be sure STP is on.
Let me ask what interfaces on the FGTs are handling the HA heartbeats and syncing of the cluster? Are those ports plugged into the switch? Into both switches? If so, this is likely the issue. In my clusters the HA and heartbeat interfaces are directly connected with an ethernet cable, they do not go into a switch.
The heartbeat interfaces should be directly connected if you only have two devices. Skip the overhead of a third party device.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
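To make the two points in this thread concrete (direct heartbeat cables instead of heartbeat-through-the-ISP-switches, and a single LACP aggregate towards a stacked upstream pair so both units see the same uplink), here is an added FortiOS CLI sketch. It is not from the original post or from Fortinet's documentation; the port names (internal6/internal7 for heartbeat, wan1/wan2 as aggregate members), the group name and the 203.0.113.0/24 address are assumptions, and the heartbeat ports are assumed to already be removed from the 60E's internal hardware switch. The same config is applied on both units, with a lower priority on the intended secondary.

```fortios
# Heartbeat on two back-to-back cables between the units, never through
# the upstream switches, so the ISP's maintenance cannot split the cluster.
config system ha
    set group-name "edge-ha"            # assumed name; must match on both units
    set mode a-p
    set hbdev "internal6" 50 "internal7" 100   # assumed ports, direct cables
    set session-pickup enable
    set override enable                 # deterministic primary selection ...
    set priority 200                    # ... higher priority wins (use 100 on the peer)
    set monitor "agg1"                  # fail over if the uplink aggregate goes down
end

# One LACP bundle towards the stacked upstream switches, so the active
# unit's uplink is a single logical link instead of two competing paths.
config system interface
    edit "agg1"
        set vdom "root"
        set type aggregate
        set member "wan1" "wan2"        # assumed members, one per switch in the stack
        set lacp-mode active            # negotiate LACP with the upstream stack
        set lacp-speed fast
        set ip 203.0.113.2 255.255.255.0   # assumed documentation-range address
        set allowaccess ping
    next
end
```

After applying it, `get system ha status` should show both units in the cluster with the correct primary, and `diagnose netlink aggregate name agg1` should show both members up and LACP negotiated with the upstream stack.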