Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bmekler
New Contributor III

Created on ‎04-16-2014 10:40 PM

HA on FortiGate-VM under Hyper-V

I' m trying to deploy an HA pair of FortiGate-VM appliances under Hyper-V. Standalone they work fine, but as soon as I change HA mode to a-p or a-a, they lose network connectivity on everything except the cluster management port(s), and the cluster never forms. Changing HA mode back to standalone instantly restores connectivity. MAC addresses don' t appear to change, ARP works, but intermittently. I tried all kinds of virtual switches and vNIC settings, but nothing seems to help. I' ve reproduced the issue using build 5.0.6 on Windows Server 2012, and 5.0.7 on Windows 8.1, different host hardware as well. Am I missing some setting that must be configured to make it work?
5115
0 Kudos
22 REPLIES 22
veechee
New Contributor

Created on ‎04-17-2014 05:13 PM

I don' t have a solution to your problem, rather another question. One of the appealing aspects of a virtual FGT appliance to me was that I could put it onto clustered hardware, and then not have to worry about clustering the FGTs. I am just curious if you are using clustered hardware underneath the hypervisor?
2385
0 Kudos
amg7
New Contributor

Created on ‎03-20-2024 04:28 AM

Hello,

The same thing is happening to me, did you find the solution?

Thanks

1917
0 Kudos
ozkanaltas
Valued Contributor III
In response to amg7

Created on ‎03-20-2024 05:16 AM

Hello @amg7 ,

 

If you want to use HA on Hyper-V you need to do additional configuration. 

 

You can review this document about Configuring HA on Hyper-V.

 

https://docs.fortinet.com/document/fortigate-private-cloud/7.4.0/microsoft-hyper-v-administration-gu...

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1909
amg7
New Contributor

Created on ‎03-20-2024 05:34 AM Edited on ‎03-20-2024 05:34 AM

Hello @ozkanaltas 

 

Do the unicast settings need to be configured? 

config system ha

set unicast-hb {enable/disable}

set unicast-hb-peerip {Peer heartbeat interface IP address}

end

 

is there an additional option for these settings in hyperV?

 

Thanks

1906
0 Kudos
ozkanaltas
Valued Contributor III
In response to amg7

Created on ‎03-20-2024 05:38 AM

Hello @amg7 ,

 

It's up to your choice. If you want to use unicast, you need to enter these commands. However, if you want to use anycast, the "Mac address spoofing" setting must be supported and turned on in the interfaces on Hyper-V.

 

For FortiGate-VMs to support a broadcast HA heartbeat configuration, you must configure the virtual switches that connect heartbeat interfaces to support MAC address spoofing.

In addition, you must configure the VM platform to allow MAC address spoofing for the FortiGate-VM data interfaces. This is required because in broadcast mode, the FGCP applies virtual MAC addresses to FortiGate data interfaces, and these virtual MAC addresses mean that matching interfaces of the FortiGate-VM instances in the cluster have the same virtual MAC addresses.

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1904
amg7
New Contributor

Created on ‎03-20-2024 06:15 AM

Hello @ozkanaltas 

 

I configured MAC address spoofing on all the Hyper-V interfaces but it is very strange I have GUI access to the secondary forti but not to the primary, the HA cluster is not established, it is as if they do not see each other. Can you think of anything?

 

Thanks

Regards

 

1891
0 Kudos
ozkanaltas
Valued Contributor III
In response to amg7

Created on ‎03-20-2024 08:05 AM

Hello @amg7 ,

 

Are your HA heartbeat interfaces in the same network, right?

 

Also, you can try with unicast mode.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1877
amg7
New Contributor
In response to ozkanaltas

Created on ‎03-20-2024 08:09 AM

Yes, and I ping from one to the other. I have tried unicast and the same thing happens. I don't know what else to try

1875
0 Kudos
ozkanaltas
Valued Contributor III
In response to amg7

Created on ‎03-20-2024 08:15 AM

Normally you should not configure anything to this interface. 

 

Did you do this just for testing?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1869
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.