albertocobo
New Contributor II

HA standby unit ports down

Hi,

I'm installing two FortiGate F61 in HA and monitoring two interfaces. They are working as expected and the monitored interfaces on the standby unit are up on the switches they are connected to.

The thing is that I'm interested in having these two interfaces of the standby unit down. I know that failover will be a little slow but this is not a problem in this environment.

I have been reading the CLI reference guide and there is no command to do it (https://docs.fortinet.com/document/fortigate/7.2.3/cli-reference/21620/config-system-ha).

Does anyone know if it is possible?

Thanks.

abarushka
Staff

Hello,

As far as I understand, you would like the stand-alone unit just to synchronize configuration/sessions. Can you please confirm?

albertocobo

Yes, sync the config, with the Ethernet interfaces down (except HA, of course).

 

Thanks.

bpozdena_FTNT

Hi @albertocobo ,

 

I do not see any reason/benefit to keeping interfaces shut down permanently. You can, however, enable a temporary interface shutdown after a FortiGate failover occurs in order to force-clear MAC address tables on adjacent switches.

 

config system ha
    set link-failed-signal enable
end

 

More details at https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-link-failed-signal-and-switch...

HTH,
Boris
albertocobo

Hi bpozdena_FTNT.

The "set link-failed-signal enable" moves the port down for one second.

The thing is that, connected to the FGs, I have two MCLAG switches, each connected to the FGs with an aggregate of 2 ports. I mean, port1 of the switches goes to the active FG and port2 of the switches to the standby FG, all four ports in the same MCLAG aggregate. On the FG side, there is one aggregate with ports A and B monitored for failover.

FG Active portA --> Sw1 port1 (MCLAG)

FG Active portB --> Sw2 port1 (MCLAG)

FG Standby portA --> Sw1 port2 (MCLAG)

FG Standby portB --> Sw2 port2 (MCLAG)

If Sw1 port1 fails, the FGs move the active unit, making the standby the primary, but Sw2 port1 continues sending traffic, which is lost.

Finally I could solve the situation by changing the configuration of the FG aggregate interface:

config system interface
    edit "Link-to-SW"
        set lacp-ha-slave disable
    next
end

With this command the standby unit has the ports' level 1 link up, but the switch ports connected to the standby unit are in suspended mode, even in the failover I explained before.

Thanks.

 
