Hi, guys,
I am using a Forti600E HA pair with FortiOS v6.4.4 (Forti600E03_04 pair).
I have configured the physical mgmt interface as the HA management interface, but the mgmt interface does not work after the HA management interface reservation:
The configuration:

```
Forti600E_03 # show sys ha
config system ha
    set group-id 17
    set group-name "HA"
    set mode a-a
    set hbdev "ha" 301 "port1" 100
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 10.101.1.254
        next
    end
    set override enable
    set priority 200
    set ha-direct enable
end
```

```
Forti600E_03 # show sys int mgmt
config system interface
    edit "mgmt"
        set ip 10.101.1.40 255.255.255.0
        set allowaccess ping https ssh snmp fgfm ftm
        set type physical
        set dedicated-to management
        set lldp-reception disable
        set lldp-transmission disable
        set role lan
        set snmp-index 2
        set trust-ip-1 10.101.1.0 255.255.255.0
    next
end
```

```
Forti600E_03 # exe ping 10.101.1.40
PING 10.101.1.40 (10.101.1.40): 56 data bytes

--- 10.101.1.40 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Forti600E_03 #
```
==========================
Problems:
1. The device cannot ping 10.101.1.254.
2. From outside (same subnet, 10.101.1.0/24) it is not possible to ping 10.101.1.40.
3. The switch port connected to the mgmt interface cannot see the MAC address of the mgmt interface.
4. From the network switch, no traffic can be seen coming from the mgmt interface.
Noted:
Without configuring the mgmt interface into "HA-mgmt-int Reservation" (standalone device), the mgmt interface can be pinged.
Any advice or recommendations?
Many many thanks.
Hi, guys,
I found the problem: the traffic is routed through the internet port2 (not the right port, the mgmt port):
```
id=20085 trace_id=4 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet(proto=1, 10.0.0.245:5888->10.101.1.40:2048) from local. type=8, code=0, id=5888, seq=3."
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5781 msg="Find an existing session, id-00004b34, original direction"
id=20085 trace_id=4 func=ipd_post_route_handler line=490 msg="out port2 vwl_zone_id 0, state2 0x0, quality 0."
```
How can I control the routing of the mgmt interface? Thanks.
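The debug flow output quoted above is the evidence that settles this thread: the ping to 10.101.1.40 is sourced "from local" and egresses port2 instead of the reserved mgmt interface. The following Python is an added example (not code from the original post or from Fortinet) that parses records in that `id=... trace_id=... func=... line=... msg="..."` shape, collapses them per trace_id, and flags any trace whose destination lies in the management subnet but whose egress interface is not the dedicated management interface. The sample text is constructed from the three records in the post; the management subnet 10.101.1.0/24 and the interface name `mgmt` are taken from the configuration shown earlier, and the regexes assume only the two message forms seen on this page (`received a packet(...)` and `out <port> ...`).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the three debug-flow records from the post, concatenated
# onto one line exactly as the forum rendered them.
SAMPLE = (
    'id=20085 trace_id=4 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet'
    '(proto=1, 10.0.0.245:5888->10.101.1.40:2048) from local. type=8, code=0, id=5888, seq=3." '
    'id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5781 msg="Find an existing session, '
    'id-00004b34, original direction" '
    'id=20085 trace_id=4 func=ipd_post_route_handler line=490 msg="out port2 vwl_zone_id 0, '
    'state2 0x0, quality 0."'
)

# One record: fixed key order as seen in the post; msg is the only quoted field.
RECORD_RE = re.compile(r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="([^"]*)"')
# "received a packet(proto=1, SRC:SPORT->DST:DPORT) from local."
PKT_RE = re.compile(
    r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+?)\.'
)
# "out port2 vwl_zone_id 0, ..." -> the egress interface chosen by routing
OUT_RE = re.compile(r'^out (\S+)')


def parse_records(text):
    """Split raw debug-flow text (several records may share one line) into dicts."""
    return [
        {
            "id": m.group(1),
            "trace_id": int(m.group(2)),
            "func": m.group(3),
            "line": int(m.group(4)),
            "msg": m.group(5),
        }
        for m in RECORD_RE.finditer(text)
    ]


def summarize_traces(records):
    """Collapse records per trace_id into {proto, src, dst, ingress, out}.

    Fields that never appear for a trace (for example a packet dropped before
    routing, which has no 'out' line) are simply absent from that dict."""
    traces = defaultdict(dict)
    for rec in records:
        trace = traces[rec["trace_id"]]
        pkt = PKT_RE.search(rec["msg"])
        if pkt:
            trace.update(
                proto=int(pkt.group(1)),
                src=pkt.group(2),
                dst=pkt.group(4),
                ingress=pkt.group(6),  # "local" = generated by the FortiGate itself
            )
        out = OUT_RE.match(rec["msg"])
        if out:
            trace["out"] = out.group(1)
    return dict(traces)


def find_misrouted(traces, mgmt_subnet, mgmt_iface):
    """Return (trace_id, dst, out) for traces whose destination is inside the
    management subnet but which egress through some interface other than the
    dedicated management interface. Traces without both a dst and an out
    interface are skipped rather than guessed at."""
    net = ipaddress.ip_network(mgmt_subnet)
    findings = []
    for tid, trace in sorted(traces.items()):
        dst, out = trace.get("dst"), trace.get("out")
        if dst is None or out is None:
            continue
        if ipaddress.ip_address(dst) in net and out != mgmt_iface:
            findings.append((tid, dst, out))
    return findings


if __name__ == "__main__":
    traces = summarize_traces(parse_records(SAMPLE))
    for tid, dst, out in find_misrouted(traces, "10.101.1.0/24", "mgmt"):
        print(f"trace {tid}: {dst} is in the mgmt subnet but egresses {out}")
```

Run against the post's own output this reports trace 4 leaving via port2, which is the symptom the thread is about: the reserved interface lives in the hidden management vdom, so the root vdom's routing table never selects it for locally generated traffic. The check is meant as a quick triage aid for pasted `diagnose debug flow` output, not as a full parser of every message FortiOS can emit.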
Hello,
I have the same issue. Did you resolve it?
Thanks,
Kangming
Created on 12-21-2021 12:18 AM Edited on 12-21-2021 12:21 AM
Hi Kangming,
CLI: `# execute enter vsys_hamgmt`
It works for testing ping/telnet from the mgmt interface that has been reserved for Management Interface Reservation. I don't know why this CLI doesn't exist in the Fortinet KB. I asked Fortinet TAC and he told me that you cannot use the mgmt interface that has been set as Management Interface Reservation for testing ping/telnet.
When you enable "set dedicated-to management" for an interface, this interface is automatically moved to a separate, hidden vdom called vsys_mgmt. This interface cannot be added to routing (you can't change or add routes) or to policies. You also can't ping it from the FortiGate itself. So yes, your test results are expected.
There is nothing to configure in this vdom either (so you can't change the routing in vsys_hamgmt). The purpose of dedicated-to-management is out-of-band management, so you can't create a traffic loop within the FortiGate.
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-dedicate-an-interface-to-managemen...