Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
modgod
New Contributor

Created on ‎08-21-2019 07:32 PM

HA A-P Cluster causing Loopback

Hi Guys and Gals,

 

Having some difficulty working out what best practices are for multiple switches in a HA A-P cluster.

 

At site 1 we have the following setup

 

https://imgur.com/bC2kNsT

 

At site 2 we have the following setup.

 

When I change site 1 to match site 2 we get a broadcast storm and another strange issue where the switch ports on the secondary fortigate start giving DHCP/internet access, needless to say things didnt work and we reverted to the original topology.

 

The only difference is STP is turned on in the hardware switch settings for the fortigate other than that everything else is the same. I've checked and I dont see a loop anywhere in the rack or on the floors. Why is this config that works at one site not working at another?

 

What is the best practice for an A-P cluster, if I have the switches connected like site 1 will clients connected to both switches retain network and internet access if the secondary fortigate takes over?

7023
0 Kudos
9 REPLIES 9
orani
Contributor II

Created on ‎08-21-2019 09:24 PM

Site 1 images does not show up

Orestis Nikolaidis

Network Engineer/IT Administrator

Orestis Nikolaidis Network Engineer/IT Administrator
5095
0 Kudos
modgod
New Contributor
In response to orani

Created on ‎08-22-2019 02:13 AM

click on the link please, I could not get it to display in the thread.

5095
0 Kudos
KPS
New Contributor III

Created on ‎08-21-2019 11:41 PM

Hi!

 

Did you configure the links to the switches on each FG as A/P-Bond, or did you just switch them?

5095
0 Kudos
modgod
New Contributor
In response to KPS

Created on ‎08-22-2019 02:15 AM

the links to the swithes on each fortigate are just standard ports that are part of the hardware switch on the interfaces page.

 

how do I AP bond them, are you referring to a creating a redundant interface.

 

 

5095
0 Kudos
Markus
Valued Contributor

Created on ‎08-21-2019 11:52 PM

Hi In short, yes the secondary will take over, depending on the confgured monitors.

 

Best practices in A-P isn't to crosscabling the Fortigates.

 

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-high-availability-52/HA_failover...

 

 

 


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
Preview file
187 KB
5095
0 Kudos
KPS
New Contributor III
In response to Markus

Created on ‎08-21-2019 11:56 PM

Hi!

 

I would always prefer redundant cabeling. Using a failover-bond is easy and does not force a failover in case of a switch-reboot...

5095
0 Kudos
modgod
New Contributor
In response to KPS

Created on ‎08-22-2019 03:35 AM

could you give a diagram of this redundant cabling, when I cable things as per the fortinet diagram I get a loopback?

 

5095
0 Kudos
modgod
New Contributor
In response to modgod

Created on ‎08-23-2019 01:09 AM

Bump, been trying to get this question answered on and off for a year now, every time I pose the question, fortinet forums, reddit fortinet or elsewhere I get a flurry of b advice then silence.   Surely this cant be that complicated?
5095
0 Kudos
modgod
New Contributor
In response to Markus

Created on ‎08-22-2019 02:19 AM

Thanks for the diagram, can you explain the purpose of the third switch on the LAN side closest to the host machines.

 

So shuld I be putting a small switch in between each fortigate and our main LAN switch, how do I connect a second lan switch in this case?

 

I need two switches here as we have more than 48 patch ports to link up.

 

5095
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.