v20100
New Contributor III

Having issues setting up a new pair of 200D

Hi

Very strange issue that kept us all day on it with no fix so far.

A few months ago, we had a couple of Checkpoint firewalls which were due to be replaced with 2 x 200D.

The 2 200D were set up in HA; we assigned them one of our spare external IP addresses, plugged them into the external routers, and everything worked. We were able to migrate all the VPN tunnels from the Checkpoint to the FortiGate, and then at some stage to remove the Checkpoint firewalls.

 

Now, we are trying to configure 2 new 200D to be sent to another office. Again, we configured them in HA, assigned them an available external IP address and plugged them into the external routers, but we cannot seem to make them connect to the internet properly. From the CLI, we can hardly ping 8.8.8.8, for example; sometimes it works, but usually with at least 60% packet loss. Traceroute shows that it gets a few hops past the first ISP router, but then it gets into trouble, not always at the same hop.

We set up LAN-to-internet traffic rules, but whilst the logs in the FortiGate show that it is OK, nothing works.

Looks like a networking issue, but cannot figure out what it could be.

Could it be an issue to have 2 sets of FortiGates on the same switch, with the same mask? It did not seem to be a problem with Checkpoint + FortiGate, but perhaps it is with 2 FortiGates?

Unless, someone else has an idea?

 

Also, does the MGMT port need to be connected to the internet? For this new office, there is no specific VLAN for management.

We thought we would just connect a laptop to 192.168.1.1 to configure it, and leave it unconnected once the firewalls are shipped to the remote office, but we wonder if that is also one reason it cannot connect to the internet (to get the licences, for example).

Tried to set up the MGMT port with an IP address from the LAN port subnet, but it was not allowed.

 

All this is very confusing. Any ideas would be greatly welcome!

 

Cheers

Alby23
Contributor II

Probably a stupid question but... the new cluster is not connected to the same network where the other cluster is installed, is that correct?

ede_pfau

In HA mode, both cluster members use the same, virtual MAC address (L2) per port. This accelerates connectivity with external switches in case of failover.

From the 6 bytes of that MAC, the first 3 signify Fortinet as the vendor (FTNT has several combos in use now). The 5th byte is the HA group ID in hex. The HA group-ID is a CLI-only parameter in 'conf system ha'. You should always change it from the default '0' to some cluster-specific ID.

The last byte is port-specific. I think byte 4 is '00' always but I'm not sure about this.

 

What happens with 2 clusters with the same group-ID on the same LAN is that packets are redirected randomly between those clusters. If, by chance, the group-name is identical as well, you would have noticed that the cluster was expanded to 4 members :)

All this is assuming that you haven't set the HA password (which is often left at default).

 

edit: A situation where this becomes important is when you host a FGT cluster in a (external) datacenter - you can never tell if there was another FGT cluster online with the same default group-ID 0.


Ede


"Kernel panic: Aiee, killing interrupt handler!"
Alby23

This is exactly the reason for my question :)

ede_pfau

@Alby23:

I know.

I thought there is a difference between answering a question with a question and providing an explanation and background info so that the OP can decide right away what to do.


Ede


"Kernel panic: Aiee, killing interrupt handler!"
Alby23

I prefer not to flood someone with unnecessary info; if the situation is not in the perimeter, the explanation could generate more confusion.

But, as you've said, it is a matter of choice.

v20100
New Contributor III

Thank you both for your input.

The new set is set up with its own LAN switch, separate from our live LAN.

It is only the WAN interfaces that are plugged into the same external switch as our live routers and the existing live FortiGate.

In effect, we are trying to 'reproduce' the remote office configuration except for the WAN interface, and when everything is setup and tested, we will change the WAN and routing settings to match the remote office, before shipping.

 

We will check the HA group-ID and report back. It is probably the answer, as there were no issues when we had the live FortiGate pair with the Checkpoint firewalls plugged into the same WAN switch.

v20100
New Contributor III

Hi Ede

 

I checked the config file on both sets.

I could not find the group-id for the HA.

I can confirm that both sets have a different group-name, and also that the password has been defined for both.

Here is the config for the new remote office:

config system ha
    set group-name "melfwcluster"
    set mode a-p
    set password ENC 0Rhq+724FynXvAKlRMbf2o5TfHP1zM6s1zMFOUtb8xerGd2K85MLv2WmnzdilYBI240oAtLdfCWGTTBrUm/ljaKKndpksIbcAH7jOyEvTHu/rlCi7v3lnYDb+bE/sJoxiC8a2s2atvi466yF2DqAschYZsv0pEanKIDgTmQwqzOmEDezCB/zw5cHGXHZghUXas59pA==
    set hbdev "port15" 50 "port16" 50
    set ha-mgmt-status enable
    set ha-mgmt-interface "mgmt"
    set override enable
    set priority 250
    set monitor "port1" "port14" "wan1"
end

 

And for the live set:

config system ha
    set group-name "fwcluster"
    set mode a-p
    set password ENC qDhf297UfVlQJJtdRlJriKep89Iiy/ey7Xgc4cyEwpr9e/rc7bY+yqNiDd5FcURtW6YaITwAuPO+8JfD5uIcZeVsXqZ5Hg0pHqFban2Sj1pZ0OwHkdSPU1O1iT+lwNx9ueCTOB2tg+1ExuuD2x64Nq1z9He/qGWZpNQo4qmnSDzcpTLzn/QtSaFLom7Sgvwa3zuAaw==
    set hbdev "port15" 50 "port16" 50
    set session-pickup enable
    set ha-mgmt-status enable
    set ha-mgmt-interface "mgmt"
    set override enable
    set priority 250
    set monitor "port1" "port2" "port14" "wan1"
end

 

As mentioned in my previous post, the 2 sets of firewalls are not at all connected to the same LAN, only to the WAN switch (as we want to fully configure and test before shipment; we will replace the external IP of the WAN interface and the default route before shipping).

 

One thing we can try is to disable HA to see if it is the problem. If it is not, we might do a factory reset and start again from scratch, this time testing with one member as standalone at a time. If that works, we can then set up HA.

Before doing this, I will wait for your feedback, as you may be able to point us to the correct settings.

 

Thanks

v20100
New Contributor III

I got it and fixed it. It works now!

The group-id was not there (which is what you said about it being defaulted!), so I added the following command: set group-id 25

and then everything started to work fine.

 

Thank you so much for your help.

This forum is such a great place to get advice!

 
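The following is an added example, not code from the thread or from Fortinet: it models the collision Ede describes (two clusters with the default group-ID of 0 answering for the same virtual MAC on the shared WAN switch) and the fix the OP applied (set group-id 25). It assumes the virtual MAC layout Fortinet documents for FortiOS HA, 00:09:0f:09:<group-id>:<interface index>, and that 'show' output omits 'set group-id' when it is at the default of 0; both are assumptions, not facts stated on this page. The wan1 interface index (16) and the stripped-down config stanzas are constructed for the example.

```python
"""Added example: spot FortiGate HA group-ID collisions on a shared L2 segment.

Assumptions (taken from Fortinet's HA documentation, not from the thread):
  * the HA virtual MAC is laid out as 00:09:0f:09:<group-id>:<interface index>
    (Fortinet OUI 00:09:0f, a fixed 0x09, the group-id as one byte, then the
    0-based index of the interface);
  * 'config system ha' omits 'set group-id' from 'show' output when it is at
    the default of 0.
The wan1 index (16) and the stanzas below are constructed for the example;
the group-names match the thread, the passwords are placeholders.
"""
import re
from collections import defaultdict

FORTINET_OUI = (0x00, 0x09, 0x0F)
HA_FIXED_BYTE = 0x09
DEFAULT_GROUP_ID = 0
WAN1_INDEX = 16  # constructed: 0-based interface index of wan1 on this model

# Constructed stanzas, modelled on the two 'config system ha' blocks in the thread.
LIVE_HA_CONFIG = """
config system ha
    set group-name "fwcluster"
    set mode a-p
    set password ENC REDACTED
    set hbdev "port15" 50 "port16" 50
    set monitor "port1" "port2" "port14" "wan1"
end
"""

NEW_HA_CONFIG_BEFORE = """
config system ha
    set group-name "melfwcluster"
    set mode a-p
    set password ENC REDACTED
    set hbdev "port15" 50 "port16" 50
    set monitor "port1" "port14" "wan1"
end
"""

# The same stanza after the fix from the thread: 'set group-id 25'.
NEW_HA_CONFIG_AFTER = NEW_HA_CONFIG_BEFORE.replace(
    'set group-name "melfwcluster"',
    'set group-name "melfwcluster"\n    set group-id 25',
)


def parse_ha_config(text):
    """Return group-name, group-id and monitored ports from a 'config system ha' stanza.

    group-id falls back to DEFAULT_GROUP_ID when the line is absent, which is
    the silent default that caused the problem in the thread.
    """
    cfg = {"group-name": None, "group-id": DEFAULT_GROUP_ID, "monitor": []}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.*\S)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "group-id":
            cfg["group-id"] = int(value)
        elif key == "group-name":
            cfg["group-name"] = value.strip('"')
        elif key == "monitor":
            cfg["monitor"] = re.findall(r'"([^"]+)"', value)
    return cfg


def virtual_mac(group_id, if_index):
    """Build the HA virtual MAC for one interface of a cluster (assumed layout)."""
    if not 0 <= group_id <= 255:
        raise ValueError("group-id must fit in one byte for this layout")
    if not 0 <= if_index <= 255:
        raise ValueError("interface index must fit in one byte")
    octets = (*FORTINET_OUI, HA_FIXED_BYTE, group_id, if_index)
    return ":".join(f"{b:02x}" for b in octets)


def find_collisions(attachments):
    """attachments: (cluster label, group-id, interface index) for every HA
    port attached to the same L2 segment. Returns {mac: [labels]} for MACs
    claimed by more than one cluster."""
    owners = defaultdict(list)
    for label, group_id, if_index in attachments:
        owners[virtual_mac(group_id, if_index)].append(label)
    return {mac: labels for mac, labels in owners.items() if len(labels) > 1}


def wan_switch_collisions(live_text, new_text, wan_index=WAN1_INDEX):
    """Model both clusters' wan1 on the shared WAN switch and report duplicates."""
    live, new = parse_ha_config(live_text), parse_ha_config(new_text)
    attachments = [
        (live["group-name"], live["group-id"], wan_index),
        (new["group-name"], new["group-id"], wan_index),
    ]
    return find_collisions(attachments)


if __name__ == "__main__":
    print("before fix:", wan_switch_collisions(LIVE_HA_CONFIG, NEW_HA_CONFIG_BEFORE))
    print("after fix: ", wan_switch_collisions(LIVE_HA_CONFIG, NEW_HA_CONFIG_AFTER))
```

Run it as a script: with both stanzas lacking a group-id, both clusters claim 00:09:0f:09:00:10 for wan1 and the switch will flap between them, which matches the intermittent loss the OP saw; with group-id 25 the new cluster moves to 00:09:0f:09:19:10 and the collision disappears. The same parser can be pointed at a 'show system ha' capture from any cluster you are about to plug into a shared segment, such as a hosted datacenter.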

MikePruett
Valued Contributor

Good catch

Mike Pruett Fortinet GURU | Fortinet Training Videos