Hello
We have internet stability issue with below setup same as attached:
- 2x FG200 in HA a/a mode connected directly to 2X routers on same ISP
- 2X PTP private subnets primary and secondary on X1 ( WAN ports )
- 2X default routes towards the 2x gateway sides
- DNAT one to one for internal servers
- Source overload NAT for servers to reach the internet
The issue is internet and reachability flaps on internal servers when the slave unit is up.
I tried to set high preference on primary default routes and routing table is ok !!
The objective is have load balance on both WAN, so any advice on the proper setup from FG side or ISP side, I don't want to put sw in between.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
zaidhashem wrote:so any advice on the proper setup from FG side or ISP side, I don't want to put sw in between.
Well, you've contradicted yourself here. The proper setup IS to put a switch in between. For HA to work the logical and physical connectivity must be identical on all sides of both firewalls. Otherwise you might as well make them standalone with routing protocols between them to handle the load sharing.
Adding switch is single point of failure so we need extra 2 switches.
As per my checking the issue is related to the route back from 2nd router get dropped at the 2nd FG unit, so to solve this the ISP should configure HSRP from their side with cross connections FG to Routers to have reachability between all nodes.
Or connect the cluster to one router only.
I think this two setups are much easy to go with.
After dropping how many thousands on hardware you don't want to spend $40 to go with a supported, by the book, configuration?
https://www.amazon.com/dp/B07PJ7XZ7X/ref=emc_b_5_t
https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/357558/ha-active-active-cluster-setup
You would get more throughput making them standalone firewalls with a dynamic routing topology anyway though, as active-active doesn't give much more performance than active-passive in most circumstances. HA just gives you hitless failover, which it sounds like isn't very important to you.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1721 | |
1098 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.