Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bmekler
New Contributor III

Created on ‎04-16-2014 10:40 PM

HA on FortiGate-VM under Hyper-V

I' m trying to deploy an HA pair of FortiGate-VM appliances under Hyper-V. Standalone they work fine, but as soon as I change HA mode to a-p or a-a, they lose network connectivity on everything except the cluster management port(s), and the cluster never forms. Changing HA mode back to standalone instantly restores connectivity. MAC addresses don' t appear to change, ARP works, but intermittently. I tried all kinds of virtual switches and vNIC settings, but nothing seems to help. I' ve reproduced the issue using build 5.0.6 on Windows Server 2012, and 5.0.7 on Windows 8.1, different host hardware as well. Am I missing some setting that must be configured to make it work?
5110
0 Kudos
22 REPLIES 22
amg7
New Contributor

Created on ‎03-20-2024 08:18 AM

So I leave the HA interface configured with 0.0.0.0.0/0.0.0.0.0?

1273
0 Kudos
ozkanaltas
Valued Contributor III
In response to amg7

Created on ‎03-20-2024 08:22 AM

If you use broadcast, you are right. You should leave 0.0.0.0.0/0.0.0.0.0. 

 

And also you can review these documents about troubleshooting HA. 

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-HA-synchronizati...

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Note-FortiGate-HA-synchronization-messag...

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1271
0 Kudos
amg7
New Contributor

Created on ‎03-20-2024 08:30 AM

When I set up HA on the primary I have GUI connectivity to the primary and when I then set up HA on the secondary I lose GUI connectivity to the primary. They never synchronise....

Thank you for your help but I think this is impossible....

1269
0 Kudos
ozkanaltas
Valued Contributor III
In response to amg7

Created on ‎03-20-2024 08:35 AM

Hello @amg7 ,

 

it is not impossible. I have used this before and it worked properly. 

 

My advice is, if you have a contract you can create a case. Fortinet engineers inspect the problem deeply and will solve the problem.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1266
0 Kudos
amg7
New Contributor

Created on ‎03-20-2024 08:42 AM

Yes I did that too, they checked the configuration of my fortigate and in principle it was correct, they tell me it could be a HyperV problem, the only solution they gave me is to configure everything again.

1264
0 Kudos
ozkanaltas
Valued Contributor III
In response to amg7

Created on ‎03-20-2024 08:56 AM Edited on ‎03-20-2024 08:58 AM

Btw, i found one more document about ha troubleshooting. 

 

Can you try to collect output with these commands? With these output results, we can see whether there is a problem with Hyper-V or not. 

 

 

Collect heartbeat packet captures during the 'heartbeat packet loss' issue from both the primary and secondary units, then use them to verify whether the heartbeat packets sent from the primary are received on the secondary and vice versa.

Packet capture commands:
 

HA Master:

 

diag sniffer packet any 'ether proto 0x8890' 4 0 l | grep ha1
2023-06-05 16:52:15.630003 ha1 out Ether type 0x8890 printer hasn't been added to sniffer.
2023-06-05 16:52:15.698791 ha1 in Ether type 0x8890 printer hasn't been added to sniffer.
2023-06-05 16:52:15.740012 ha1 out Ether type 0x8890 printer hasn't been added to sniffer.
2023-06-05 16:52:15.798792 ha1 in Ether type 0x8890 printer hasn't been added to sniffer.
2023-06-05 16:52:15.840003 ha1 out Ether type 0x8890 printer hasn't been added to sniffer.

 

HA slave:

 

diag sniffer packet any 'ether proto 0x8890' 4 0 l | grep ha1
23-06-05 16:52:15.822283 ha1 out Ether type 0x8890 printer hasn't been added to sniffer.
2023-06-05 16:52:15.863515 ha1 in Ether type 0x8890 printer hasn't been added to sniffer.
2023-06-05 16:52:15.932283 ha1 out Ether type 0x8890 printer hasn't been added to sniffer.

 

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-HA-Heartbeat-pac...

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1258
0 Kudos
amg7
New Contributor
In response to ozkanaltas

Created on ‎03-21-2024 02:22 AM 

Port3 out Ether type 0x8890 printer hasn't been added to sniffer
Port3 in Ether type 0x8890 printer hasn't been added to sniffer

I get that all the time

 

 

1211
0 Kudos
amg7
New Contributor

Created on ‎03-21-2024 01:28 AM

Can I follow this?

 

https://docs.fortinet.com/document/fortigate-private-cloud/7.4.0/microsoft-hyper-v-administration-gu...

 

Here if you configure IP on the HA-sync interface.

1222
0 Kudos
ozkanaltas
Valued Contributor III
In response to amg7

Created on ‎03-21-2024 01:30 AM

If you use the Live migration feature on Hyper-V. You need to do these steps also.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1219
0 Kudos
amg7
New Contributor

Created on ‎03-21-2024 02:07 AM

I cannot launch this test

diag sniffer packet any 'ether proto 0x8890' 4 0 l | grep ha1

Will not allow me to type ' or paste into HyperV console

1213
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.