Hi,
I'm installing two FortiGate F61 in HA and monitoring two interfaces. They are working as expected, and the monitored interfaces of the standby unit are up on the switches they are connected to.
The thing is that I'm interested in having these two interfaces of the standby unit down. I know that failover will be a little slower, but this is not a problem in this environment.
I have been reading the CLI reference guide and there is no command to do it (https://docs.fortinet.com/document/fortigate/7.2.3/cli-reference/21620/config-system-ha).
Does anyone know if it is possible?
Thanks.
Hello,
As far as I understand, you would like the stand-alone unit just to synchronize configuration/sessions. Can you please confirm?
Yes, sync the config and keep the Ethernet ports down (except HA, of course).
Thanks.
Hi @albertocobo ,
I do not see any reason/benefit to keeping interfaces shut down permanently. You can, however, enable a temporary interface shutdown after a FortiGate failover occurs in order to force-clear the MAC address tables on adjacent switches.
config system ha
set link-failed-signal enable
end
More details at https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-link-failed-signal-and-switch... .
Hi bpozdena_FTNT,
the "set link-failed-signal enable" only moves the port down for one second.
The thing is that connected to the FGs I have two MCLAG switches, each connected with an aggregate of 2 ports to the FGs. I mean, port1 of each switch goes to the FG active and port2 of each switch goes to the FG standby, all four ports in the same MCLAG aggregate. On the FG side, one aggregate with ports A and B monitored for failover.
FG Active portA --> Sw1 port1 (MCLAG)
FG Active portB --> Sw2 port1 (MCLAG)
FG Standby portA --> Sw1 port2 (MCLAG)
FG Standby portB --> Sw2 port2 (MCLAG)
If Sw1 port1 fails, the FGs move the active role, making the standby the primary, but Sw2 port1 continues sending traffic to the old primary, and that traffic is lost.
Finally I could solve the situation by changing the configuration of the FG aggregate interface:
config system interface
edit "Link-to-SW"
set lacp-ha-slave disable
next
end
With this command the standby unit has the ports with the level 1 link up, but the switch ports connected to the standby unit are in suspended mode, even in the failover I explained before.
Thanks.
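For readers wanting to reproduce the setup described in this thread, here is a consolidated FortiOS CLI configuration combining the two settings discussed (the link-failed signal from bpozdena_FTNT's reply and the lacp-ha-slave change from the solution). This is an added example written for this page, not configuration posted by the thread participants or taken from Fortinet documentation. The member port names (port1, port2), the IP address, the heartbeat interface name and the HA mode are assumptions; "Link-to-SW" is the aggregate name used in the thread, and monitoring the two member ports follows the OP's description of "ports A and B monitored for failover".

```text
# Added example for this page; not the thread's own configuration.
# Assumed values: member ports port1/port2, IP 192.0.2.1/24, heartbeat
# interface HA-HB-PORT (placeholder), a-p mode. "Link-to-SW" is the
# aggregate name from the thread.

# 1. Aggregate toward the MCLAG switch pair.
#    With lacp-ha-slave disabled, the secondary unit keeps its physical
#    links up but the switch ports facing it stay suspended (no LACP
#    negotiation), so the MCLAG peer does not hash traffic toward the
#    standby unit, which is the failure the thread describes.
config system interface
    edit "Link-to-SW"
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
        set lacp-ha-slave disable
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping
    next
end

# 2. HA settings.
#    Monitoring the member ports makes a failed link on the primary
#    trigger a failover. link-failed-signal briefly drops the monitored
#    ports on the unit that becomes secondary so adjacent switches flush
#    the MAC entries they learned toward the old primary.
config system ha
    set mode a-p
    set hbdev "HA-HB-PORT" 50
    set monitor "port1" "port2"
    set link-failed-signal enable
end
```

When testing, check on each switch that the member ports facing the standby FortiGate show as suspended (not bundled) while those facing the primary are bundled, and confirm on the FortiGate that the standby still reports link up on port1 and port2; after a forced failover the roles on the switches should swap within the LACP timers.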