Hello Everyone,
We have a problem with the configuration of our HA. The HA is well configured and synchronized, and the master works well, but as soon as there is a problem on the master and we switch to the slave, no traffic passes through the slave and we lose all Internet access until the master is restored.
An LACP configuration has been set up (the master and the slave belong to the same LACP aggregate on the switch side).
Initially, when I plugged in the ports, they were all UP, but the slave ports went down later, after an LACP negotiation I guess.
https://docs.fortinet.com/document/fortigate/6.4.15/administration-guide/666376
Hello
I think it has something to do with the fact that HA gives the same MAC address to the active and passive nodes.
Can you try creating two LACP groups on your HPE stack (one for each FG) instead of a single group?
Hello,
Thank you for your response.
How can we verify that HA gives the same MAC address to the active and passive nodes?
Yes indeed, we thought about creating two LACP groups on our HPE stack (one for each FG) instead of a single group; we will set up this configuration to see if it works.
Hello
In HA, each interface is given a virtual MAC address that is owned by the active node. The MAC will migrate to the second node on fail-over.
Please check this document.
https://docs.fortinet.com/document/fortigate/7.2.9/administration-guide/564710
I would make those four links to the stacked HPE switches two LAG/LACP links, to simplify. It would be much simpler and more reliable.
LACP1: "master" FGT
LACP2: "slave" FGT
Toshi
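As an added example (not part of this thread and not Fortinet's own documentation), the following FortiOS CLI session shows how to check the HA virtual MAC that Toshi describes, and what the aggregate looks like on the FortiGate side of the two-LAG design. The port names (port3, port4), the interface name (agg-lan), the VDOM and the cluster index are assumptions; adapt them to your cluster.

```fortios
# Added example, not from the original post. Port3/port4, agg-lan and the
# cluster index "1" are assumptions.

# On the primary (active) unit, look at the two MAC lines for a member port:
#   Current_HWaddr    - the address the interface is using right now
#   Permanent_HWaddr  - the burned-in address of the physical NIC
# On the active node Current_HWaddr is the HA virtual MAC (00:09:0f:09:..),
# so the two lines differ; that virtual MAC is what the switch learns and what
# moves to the other unit on fail-over.
get hardware nic port3

# Log in to the secondary over the HA link and run the same command there.
# "1" is the cluster index of the secondary as listed by "get system ha status",
# "admin" is the administrator account to log in with.
execute ha manage 1 admin
get hardware nic port3

# Aggregate interface on the FortiGate. HA synchronizes the configuration, so
# this same aggregate exists on both units; that is why the switch stack needs
# one LAG per FortiGate (LACP1 for the master, LACP2 for the slave) rather than
# one LAG that spans both.
config system interface
    edit "agg-lan"
        set vdom "root"
        set type aggregate
        set member "port3" "port4"
        set lacp-mode active
    next
end
```

After a forced fail-over (for example `execute ha failover set 1` on a current release, or simply pulling the HA heartbeat on the primary in a maintenance window), rerun `get hardware nic port3` on the unit that became active: its Current_HWaddr should now show the same virtual MAC that the old primary was using. Do this before touching the switch-side LAGs, so you know the MAC behaviour rather than guessing it.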
Hello,
I come back to you following the configuration that we carried out. As suggested, I created two LACPs, one for each FortiGate, but after this configuration, once we connected the secondary cables to the switch we automatically lost all Internet access, and the cables had to be removed to regain Internet access.
Likely you created an L2 loop. You made it like below on the HPE switches, right?
Toshi
Hello Toshi,
Yes, we did exactly that.
Created on 11-12-2024 11:28 AM Edited on 11-12-2024 11:31 AM
Then when did you lose "everything"? Which connection did you connect at that time? The Internet connection was not in your original diagram. Is it connected to the same stack of HPE switches as well?
Toshi
Hello Toshi,
Sorry for the delay.
To clarify: only one of the slave ports was connected to the stacked switch, but once we connected the second port going to the switch, we instantly lost Internet access.
No other port on the FortiGate is connected to the stacked switch.
For the Internet lines, the FortiGate is connected to another switch, on which the Internet line arrives.