Support Forum
dkonate
New Contributor II

HA Issues

Hello Everyone,

We have a problem with the configuration of our HA. The HA is well configured and synchronized, but the problem is that the master works well, yet as soon as there is a problem on the master and we switch to the slave, no traffic passes through the slave and we lose all internet access until the master is restored.

A LACP configuration has been set up (the master and the slave belong to the same LACP aggregate on the switch side).

Initially, when I plugged in the ports, they were all UP, but the slave ports went down later, after a LACP negotiation I guess.

[Attachment: Architecture.PNG]

https://docs.fortinet.com/document/fortigate/6.4.15/administration-guide/666376 

AEK
SuperUser

Hello

I think it has something to do with the fact that HA gives the same MAC address to active and passive nodes.

Can you try creating two LACP groups on your HPE stack (one for each FG) instead of a single group?

AEK
dkonate
New Contributor II

Hello,

Thank you for your response.

How can we verify that HA gives the same MAC address to active and passive nodes?

Yes, indeed, we thought about creating two LACP groups on our HPE stack (one for each FG) instead of a single group; we will set up this configuration to see if it works.

AEK

Hello

In HA, each interface is given a virtual MAC address that is owned by the active node. The MAC will migrate to the second node on fail-over.

Please check this document.

https://docs.fortinet.com/document/fortigate/7.2.9/administration-guide/564710

 

AEK
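One way to check what AEK describes (the virtual MAC owned by the active node moving to the other node on fail-over), and to spot the two failure modes discussed later in the thread (the same MAC learned on both LAGs at once, or never learned on the slave's LAG), is to diff the switch's MAC table before and after the fail-over. The script below is an added example for this thread; it is not from the original post and not a Fortinet tool. It assumes that FortiGate FGCP virtual MACs begin with 00:09:0f:09 (Fortinet OUI 00:09:0f plus the HA marker 09) and that the switch prints its MAC table in a Cisco-style VLAN/MAC/type/port layout; the three snapshots are constructed.

```python
"""Locate a FortiGate HA virtual MAC in switch MAC tables taken before and
after a fail-over, and flag the conditions discussed in this thread.

Added example, not from the original thread or from Fortinet. Assumptions:
FGCP virtual MACs begin with 00:09:0f:09 (Fortinet OUI 00:09:0f plus the HA
marker 09), and the switch prints its MAC table in a Cisco-style
"VLAN  MAC  TYPE  PORT" layout. All snapshots below are constructed.
"""
from collections import defaultdict

HA_VMAC_PREFIX = "00:09:0f:09"  # assumed FortiGate HA virtual MAC prefix

# Constructed snapshot: master active, its LAG is Po1, the slave's LAG is Po2.
BEFORE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
10      0009.0f09.0001    DYNAMIC     Po1
20      0009.0f09.0002    DYNAMIC     Po1
10      3c52.82aa.bb01    DYNAMIC     Gi1/0/24
"""

# Constructed snapshot of a clean fail-over: both virtual MACs moved to Po2.
AFTER_GOOD = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
10      0009.0f09.0001    DYNAMIC     Po2
20      0009.0f09.0002    DYNAMIC     Po2
10      3c52.82aa.bb01    DYNAMIC     Gi1/0/24
"""

# Constructed snapshot of a bad fail-over: one virtual MAC is learned on both
# LAGs at once (how a loop, or two nodes answering with the same MAC, shows
# up in the table) and the other is never learned on the slave's LAG.
AFTER_BAD = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
10      0009.0f09.0001    DYNAMIC     Po1
10      0009.0f09.0001    DYNAMIC     Po2
10      3c52.82aa.bb01    DYNAMIC     Gi1/0/24
"""


def normalize_mac(token):
    """Return aa:bb:cc:dd:ee:ff for colon, dash or Cisco dotted notation,
    or None when the token is not a MAC address (header words, rulers)."""
    hexdigits = token.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples from a MAC table dump; header and
    ruler lines are skipped because their second column is not a MAC."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mac = normalize_mac(parts[1])
        if mac is None:
            continue
        rows.append((parts[0], mac, parts[-1]))
    return rows


def ha_vmac_ports(rows):
    """Map each HA virtual MAC to the set of ports it is learned on."""
    seen = defaultdict(set)
    for _vlan, mac, port in rows:
        if mac.startswith(HA_VMAC_PREFIX):
            seen[mac].add(port)
    return dict(seen)


def check_failover(before_text, after_text):
    """Compare the virtual MAC location in two snapshots and classify each
    MAC as migrated, unchanged, missing (never learned after fail-over) or
    duplicate (learned on more than one port in either snapshot)."""
    before = ha_vmac_ports(parse_mac_table(before_text))
    after = ha_vmac_ports(parse_mac_table(after_text))
    report = {}
    for mac in sorted(set(before) | set(after)):
        b, a = before.get(mac, set()), after.get(mac, set())
        if len(b) > 1 or len(a) > 1:
            status = "duplicate"
        elif not a:
            status = "missing"
        elif b == a:
            status = "unchanged"
        else:
            status = "migrated"
        report[mac] = {"before": sorted(b), "after": sorted(a), "status": status}
    return report


if __name__ == "__main__":
    for label, after in (("clean fail-over", AFTER_GOOD), ("bad fail-over", AFTER_BAD)):
        print(label)
        for mac, info in check_failover(BEFORE, after).items():
            print(f"  {mac}: {info['before']} -> {info['after']}  [{info['status']}]")
```

In practice you would paste the output of the switch's MAC-table command taken while the master is active and again after forcing a fail-over; a result of "migrated" for every virtual MAC is what a working cluster looks like, "duplicate" points at the loop or shared-MAC situation, and "missing" means the slave's LAG never carried the MAC, which matches the "no traffic through the slave" symptom in the first post.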
Toshi_Esumi
SuperUser

I would make those four links at the stacked HPE switches two LAG/LACP links to simplify. It would be much simpler and more reliable.
LACP1: "master" FGT
LACP2: "slave" FGT

Toshi

dkonate
New Contributor II

Hello,

I come back to you following the configuration that we carried out. As suggested, I created two LACPs, one for each FortiGate, but after this configuration, once we connected the secondary cables to the switch, we automatically lost all access to the internet, and the cables had to be removed to regain internet access.

Toshi_Esumi

Likely you created an L2 loop. You made it like below on the HPE switches, right?

[Attachment: HA-LACP.png]

Toshi

dkonate
New Contributor II

Hello Toshi,

Yes, we did exactly that.

Toshi_Esumi

Then when did you lose "everything"? Which connection did you connect at that time? The internet connection was not in your original diagram. But is it connected to the same stack of HPE switches as well?

Toshi

dkonate
New Contributor II

Hello Toshi,

Sorry for the delay.

So, to clarify: only one of the slave ports was connected to the stacked switch, but once we connected the second port, which goes to the switch, we instantly lost internet access.

No other port on the FortiGate is connected to the stacked switch.

For the internet lines, the FortiGate is connected to another switch where the internet line arrives.
