Hi everybody.
I'm setting up a new FortiGate HA cluster (300D) and I have a strange issue. Each time I have to reboot a node of the cluster, it comes back as a standalone FortiGate.
Any idea how I can resolve that? This is pretty annoying.
Here is the HA configuration.
config system ha
    set group-name "Toto"
    set mode a-p
    set password ENC toto
    set hbdev "mgmt1" 50 "mgmt2" 50
    set session-pickup enable
    set ha-mgmt-status enable
    set ha-mgmt-interface "Management"   <= this is actually a VLAN interface
    set ha-mgmt-interface-gateway x.x.x
    set override disable
end
Hi, can you try to unset this:
set ha-mgmt-interface "Management" <= this is actually a VLAN interface
and don't use a VLAN interface, just a physical one.
Could you please clarify: the FGT is a master in HA after reboot, or standalone i.e. not in HA mode?
If it is a master, then I'd try to use different ports for the HA heartbeat. The management ports have restrictions.
After reboot the FGT is in standalone mode.
If the master (or the slave) is rebooted, it loses the HA configuration and shows up as a FGT working in standalone mode when I connect to it over serial.
The Management interface (VLAN) also disappears after the reboot. Everything else seems to remain.
ede_pfau wrote: If it is a master, then I'd try to use different ports for the HA heartbeat. The management ports have restrictions.
Hi,
Sorry for this off-topic question, but could you please explain what these restrictions are? For me, the only difference is that these ports are not attached to the NPX ASIC.
Lucas
Do you have PPPoE or DHCP enabled on any port?
@hklb:
The mgmt ports do not route, i.e. there are no routes established (automatically) in the routing table for their addresses, like with other ports. This way, you can assign an address in an address range which is already in use by another port, the only exception in a routing FGT.
The main advantage of this is that you can assign separate addresses to each HA cluster member to be able to manage it via WebGUI or ssh.
If any port uses DHCP or PPPoE, it wouldn't be able to change from 'standalone' into 'HA' mode to start with.
@OP:
I'd say there's something gone bad. Could you
- save your config
- have the current firmware image handy
- reboot and stop the boot by hitting any key
- reformat the flash drive
- reload the firmware via TFTP
- reload the config via TFTP or WebGUI
When connecting the units, disable all port monitoring first. Only after having the cluster up (even after reboots) re-enable monitoring.
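As an added example (not from this thread or from Fortinet), a small Python checker that parses a FortiOS config dump and flags the two points raised above: heartbeat interfaces placed on the mgmt ports, and an ha-mgmt-interface that is a VLAN sub-interface rather than a physical port. The config text is constructed for the example, and VLAN detection assumes a VLAN sub-interface carries a `vlanid` line in `config system interface`.

```python
import re
# Constructed sample (not from the thread): the OP's HA settings plus an invented
# "config system interface" block in which "Management" is a VLAN on mgmt1.
SAMPLE_CONFIG = """\
config system interface
    edit "Management"
        set vlanid 100
        set interface "mgmt1"
    next
end
config system ha
    set mode a-p
    set hbdev "mgmt1" 50 "mgmt2" 50
    set ha-mgmt-interface "Management"
end
"""

def parse_sections(text):
    """Map each 'config <name>' block to {entry: {key: value}} ('' = no edit)."""
    sections, section, entry = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[7:], ""
            sections[section] = {"": {}}
        elif line.startswith("edit ") and section:
            entry = line[5:].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and section:
            key, _, value = line[4:].partition(" ")
            sections[section][entry][key] = value
        elif line == "next":
            entry = ""
        elif line == "end":
            section = None
    return sections

def check_ha(sections):
    """Flag the two things the thread warns about in the HA stanza."""
    ha = sections.get("system ha", {}).get("", {})
    ifaces = sections.get("system interface", {})
    findings = []
    hb_on_mgmt = [d for d in re.findall(r'"([^"]+)"', ha.get("hbdev", ""))
                  if d.startswith("mgmt")]
    if hb_on_mgmt:  # heartbeat on mgmt ports: the thread suggests other ports
        findings.append(f"heartbeat on management port(s) {hb_on_mgmt}")
    mgmt_if = ha.get("ha-mgmt-interface", "").strip('"')
    if mgmt_if and "vlanid" in ifaces.get(mgmt_if, {}):  # VLAN, not physical
        findings.append(f"ha-mgmt-interface {mgmt_if!r} is a VLAN sub-interface")
    return findings
```

Run `check_ha(parse_sections(open("backup.conf").read()))` against a real backup to get the same two warnings for the configuration posted above.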
claumakurumure wrote: Do you have PPPoE or DHCP enabled on any port?
No, I don't have DHCP or PPPoE activated on any port.
I would raise a support ticket with Fortinet to be sure that it will be fixed in the next release.
To "patch" the issue in your environment, I would back up the config for each member, put it on USB sticks, rename it on all sticks to "fgt_system.conf", then have it plugged into each member (be sure to check the HA part).
That way, when your FortiGates are rebooting, they load the config file from the USB stick.
Let me know if that works for you.
Regards,
Also:
@ede_pfau Starting with 5.2, FortiOS supports PPPoE & DHCP interfaces in HA!
I have already opened a support ticket with Fortinet.
With your solution, I guess I will have to make a new backup with each new modification of the firewall configuration (like a new policy rule)?