Silver
New Contributor

HA Active Active

Dear All,

Can anyone advise on this scenario?

My Fortinet appliance will be in HA active-active, and both units will be connected to a stackable core switch. There will be LACP configured on the core switch to terminate to the Fortinet appliance. As I know, when we use active-passive on Fortinet with an LACP configuration, we need to create two separate EtherChannel groups on the core switch, one for the active firewall and the other for the passive firewall, so that there are no issues with the traffic.

My question for the active-active scenario: do we need to keep the same configuration on the core switch, or can we create only one EtherChannel?

 

The cable connection will be as follows:

from FW 1 = 4 cables (2 cables connected to core 1 and 2 cables connected to core 2)

from FW 2 = 4 cables (2 cables connected to core 1 and 2 cables connected to core 2)

In active-passive mode, on core 1 and core 2 I always configured the cables connected to FW1 into one EtherChannel group, and the same for the other FW.

In active-active, does it remain the same config or not?

 

Please advise, thanks.

Dipen
New Contributor III

Hi

Is your switch in a Cisco VSS configuration?

 

Regards

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D
Silver
New Contributor

Hi, thank you for your reply. Both my layer 3 switches are 3750s in a stack.

Silver
New Contributor

On my Fortinet appliance, when I select active-active mode, what priority do I need to configure on both units? Should both have the same priority, like 255 on unit 1 and 255 on unit 2, or 255 on unit 1 and 128 on unit 2, with the mode set to active-active?

 

Thanks 

jintrah_FTNT

Hi,

 

The priority value is one of the factors used in determining the master unit among the cluster members. Ideally, one unit would be given a higher priority value, which makes it master during the election process. If there is a tie, that is, all the units in the cluster have the same priority value, then the serial number of the unit is factored into the election. You may use 255 and 1, which would become master and slave respectively under ideal conditions.

 

Regards,

Silver
New Contributor

Hi,

Thank you very much for your reply. If I understand correctly, in active-active mode we also have one unit that will act as master in the cluster, the same as in active-passive. But here in active-active, even with one unit as master, the traffic will pass via both units, as the mode is active-active, right? The priority is only used to make the unit with the highest priority become the master. And per my understanding, if both priorities are equal, it will look for the highest serial number, right?

Christopher_McMullan

With HA override disabled, the cluster uses priority when first electing a master:

1. Health of monitored links (none are monitored by default)

2. Uptime (differences of less than 300 seconds or 5 minutes by default are ignored)

3. Priority (default is 128)

4. Serial number as a tiebreaker (the highest wins)

 

With override enabled:

1. Health of monitored links

2. Priority

3. Uptime

4. Serial number

 

In Active-Passive, the master handles all traffic, and [optionally] synchronizes its configuration, and routing, session, and DHCP lease tables with the slave(s). In Active-Active, UTM proxied sessions are load-balanced (others can be as well, but not by default). HOWEVER...proxied sessions do NOT fail over. It's important to remember that.

 

A good rule of thumb, which sounds very Orwellian, is "master always in, slave sometimes out". The master always receives every packet inbound to the cluster, regardless of whether the session has been offloaded to the slave. If the slave unit(s) are processing the UTM session, then outbound packets would depart from the slave directly.

Regards, Chris McMullan Fortinet Ottawa
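The election order in the reply above, as an added example implemented in Python (not code from the post or from Fortinet): it assumes constructed cluster members with made-up serials, applies the four rules in the order given for override disabled and override enabled, ignores uptime differences under 300 seconds, and falls back to the highest serial number as the tiebreaker.

```python
from dataclasses import dataclass

UPTIME_TOLERANCE = 300   # seconds; smaller uptime differences are ignored (per the post)
DEFAULT_PRIORITY = 128   # FortiGate default HA priority (per the post)


@dataclass
class Member:
    serial: str                  # constructed sample serials, not real units
    priority: int = DEFAULT_PRIORITY
    uptime: int = 0              # seconds since boot
    monitored_links_up: int = 0  # healthy monitored interfaces (none monitored by default)


def _keep_highest(cands, key):
    """Keep only the members that share the highest value of key()."""
    best = max(key(m) for m in cands)
    return [m for m in cands if key(m) == best]

def links_rule(cands):
    return _keep_highest(cands, lambda m: m.monitored_links_up)

def priority_rule(cands):
    return _keep_highest(cands, lambda m: m.priority)

def uptime_rule(cands):
    """Drop members whose uptime trails the longest by 300 s or more."""
    longest = max(m.uptime for m in cands)
    return [m for m in cands if longest - m.uptime < UPTIME_TOLERANCE]


def elect_master(members, override=False):
    """Apply the rules in the order the post gives; the highest serial breaks ties."""
    order = ([links_rule, priority_rule, uptime_rule] if override
             else [links_rule, uptime_rule, priority_rule])
    cands = list(members)
    for rule in order:
        cands = rule(cands)
        if len(cands) == 1:
            return cands[0]
    return max(cands, key=lambda m: m.serial)


def demo():
    # Constructed example: unit A has the higher priority, unit B has been up longer.
    a = Member("FGT-A", priority=255, uptime=1_000)
    b = Member("FGT-B", priority=128, uptime=2_000)
    return elect_master([a, b]).serial, elect_master([a, b], override=True).serial
```

With override disabled the longer-running unit B wins; with override enabled the higher priority of unit A wins, which is why the same priority values can produce a different master depending on the override setting.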

Silver

I would like to know about the LACP configuration for active-active: do we need to configure 2 separate port channels, or can we use a single port channel?

 

Thanks 

emnoc
Esteemed Contributor III

Two separate port-channels, one on each cluster unit.

 

e.g.

    config system interface
        edit "FGTAE01"
            set vdom "1plus1eq2"
            unset allowaccess
            set type aggregate
            set member "port5" "port6"
            set description "CHL 01 3750-X  port 12"
            config ipv6
                set ip6-mode static
                set ip6-allowaccess https
                set ip6-address 2001:db8::1/64
            end
            set lacp-mode active
            set lacp-ha-slave enable
            set lacp-speed slow
            set min-links 1
            set min-links-down operational
            set algorithm L4
        next
    end

PCNSE 

NSE 

StrongSwan  
Silver
New Contributor

Hi,

Thanks for your reply. But I would like to know: do we need to create a separate port channel for each unit, or can we use a single port channel for both units?

 

Thanks
