Support Forum
New Contributor

HA Active-Active Setup with redundant ISP, Switch, FSSO agent

Hi there!

Need some advice for our new upcoming setup & configuration.

I'd like to know if this setup is OK and would not cause any problems, especially things like lost internet connection, session issues, loops, spanning tree issues, failover issues, etc. I'd appreciate any comments/remarks on the configuration that could potentially cause such issues.

Basic configuration details:

Fortigate Configuration
Mode: Active-Active
Priority: 100/50
Session pickup: enabled
Monitor: port1, port2, HA
Heartbeat: HA

SDWAN: WAN1, WAN2, Load Balance
FSSO Agent: AD1, AD2 with LDAP


Switch Configuration
interface Port-channel1
 description Fortigate1
 switchport mode trunk
!
interface Port-channel2
 description Fortigate2
 switchport mode trunk
!
interface range Gi1/0/1-2
 description Fortigate-Pair1
 switchport mode trunk
 channel-group 1 mode active
!
interface range Gi2/0/1-2
 description Fortigate-Pair2
 switchport mode trunk
 channel-group 2 mode active



Valued Contributor


My advice:

- Add secondary HA

- Add link monitor for port-1-2

- There is no possible loop here

- Plus a personal advice: Prefer active-passive, unless active-active is really required




If active active configuration is needed, you must look into connecting a switch between the FGT & ISP devices. 


Have a look at the traffic flow to help decide:

In addition to the excellent advice by AEK and vponmuraj:

-> Redundant FSSO Collector Agents don't quite act the same as for example a FortiGate cluster

-> They do NOT sync large parts of their config, so you should always verify on each Collector Agent that they have the same config (polling/DC Agent mode; advanced/standard AD mode, same domains, monitoring same domain controllers, etc)

-> The Collector Agents should show the same user logins (the logins do not get synced; both Collector Agents should get the same information and process it the same however)

-> The primary FortiGate will communicate with one Collector Agent; when that one becomes unavailable, it will switch to the second

-> It will stick with the second Collector Agent even if the first becomes available again; FortiGate will remain with the second Collector Agent until that one becomes unavailable, and then the firewall will switch to the next available Collector Agent, and stick with that again, etc

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
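FortiOS CLI for the setup described in this thread, combined with the second heartbeat link, the port1/port2 link monitor and the two Collector Agents discussed in the replies. This is an added example, not configuration posted by anyone here; port3 as the second heartbeat interface, the object names, the Collector Agent addresses and the probe address are assumptions, and "AD-LDAP" is assumed to be an existing LDAP server object.

```fortios
# HA as described in the thread: active-active, priority 100 on this unit (50 on the
# peer), session pickup on, port1 and port2 monitored, heartbeat on the "ha" port.
# port3 (assumed) is the second heartbeat link suggested in the replies; it gets a
# lower heartbeat priority so "ha" stays preferred.
config system ha
    set group-name "FGT-CLUSTER"
    set mode a-a
    set password "<cluster-password>"
    set hbdev "ha" 50 "port3" 40
    set session-pickup enable
    set monitor "port1" "port2"
    set priority 100
    set override disable
end

# Link monitor on port1 (the "link monitor for port-1-2" advice; port2 is configured
# the same way): a monitored port can stay physically up while the path behind the
# switch is dead, so probe an address on that side. The probe address is a placeholder.
config system link-monitor
    edit "port1-mon"
        set srcintf "port1"
        set server "<probe-address-behind-switch>"
        set interval 500
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# FSSO with both Collector Agents (addresses assumed). The FortiGate talks to "server"
# until it fails, then moves to "server2" and stays there, as the last reply describes.
config user fsso
    edit "AD-FSSO"
        set server "10.0.0.11"
        set password "<ca-password>"
        set server2 "10.0.0.12"
        set password2 "<ca-password>"
        set ldap-server "AD-LDAP"
    next
end

# Checks after deployment: cluster members with monitored-port and heartbeat state;
# link monitor state; which Collector Agent the primary unit is connected to right now.
get system ha status
diagnose sys link-monitor status
diagnose debug authd fsso server-status
```

Run the same three checks on the secondary unit as well, since the Collector Agent configs are not synced between agents and the last reply's failover order depends on which agent each FortiGate reached first.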