We have 2 application servers with some applications that connect locally to pg-pool on the same server, 2 PostgreSQL database servers, a stacking switch between the AP servers and the firewall, and a stacking switch between the firewall and the DB servers. When we updated the firewall firmware, we had about 1 minute of downtime for the fail-over process between the firewall devices. After that, the pg-pool connection to the database server disconnected once and then re-connected. But the application still times out and disconnects. I would like to know if there is a way to update firewall firmware on 1 firewall without network disconnection? Thank you!
With "uninterruptible-upgrade enable", there is no traffic drop expected. Are you saying you are getting 1 min downtime even with this setting?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-upgrade-procedure-and-the-sta...
I will check it now. Thank you for the suggestion!
I have uninterruptible-update enabled already. Still have about 1 min downtime. Can you give me direction for what else to check then, Mr. Suraj? Thank you!
Make sure you have enabled session pick-up.
config system ha
set session-pickup enable
end
Currently I don't have session-pickup enabled yet. I will check it now. Thank you.
Ideally the upgrade happens in the steps below.
1. Upgrade of backup unit (The sessions continue to flow through the Primary unit)
2. Once backup is upgraded and rebooted, failover happens (sessions are moved to upgraded node at this time)
3. The old primary node is upgraded and sessions continue to work through upgraded node.
Are you seeing the traffic issue during step 2?
Can you make sure the sessions are synced between the nodes? Make sure the "synced" flag is there on this particular session.
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-see-if-a-session-is-synced-in-HA/t...
When exactly does the 1 min downtime start?
a) when the secondary reboots
b) when the original secondary takes over the primary role
c) when the original primary takes back the primary role
You probably need to have console connections to both FGTs and keep watching while the HA upgrade process progresses.
Toshi
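One way to answer the a/b/c question above from data, as an added example that is not part of the original thread: log a connectivity probe through the firewall every few seconds during the upgrade, note the time of each HA event from the console, then attribute each outage window to the most recent event. The probe samples, event times, function names and the 15-second slack are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: times the operator noted on the console for each HA event.
PHASES = [
    ("a) secondary reboots", "10:00:30"),
    ("b) original secondary takes over the primary role", "10:04:10"),
    ("c) original primary takes back the primary role", "10:09:45"),
]

def _t(s):
    return datetime.strptime(s, "%H:%M:%S")

def sample_probes():
    """Constructed probe log: one (time, ok) sample every 5 s, failing for 60 s."""
    base, down_from, down_to = _t("10:00:00"), _t("10:04:10"), _t("10:05:10")
    probes = []
    for i in range(0, 601, 5):
        t = base + timedelta(seconds=i)
        probes.append((t.strftime("%H:%M:%S"), not (down_from <= t < down_to)))
    return probes

def outage_windows(probes):
    """Return (start, end) for each run of failed probes; end is the first success after it."""
    windows, start = [], None
    for ts, ok in probes:
        if not ok and start is None:
            start = _t(ts)
        elif ok and start is not None:
            windows.append((start, _t(ts)))
            start = None
    if start is not None:  # still down when the log ends
        windows.append((start, _t(probes[-1][0])))
    return windows

def attribute(windows, phases, slack=timedelta(seconds=15)):
    """Label each outage with the latest HA event noted at or before its start (+ slack)."""
    out = []
    for start, end in windows:
        label = "before any noted phase"
        for name, ts in phases:
            if _t(ts) <= start + slack:
                label = name
        out.append((label, int((end - start).total_seconds())))
    return out

if __name__ == "__main__":
    for label, seconds in attribute(outage_windows(sample_probes()), PHASES):
        print(f"{seconds:>4}s outage during: {label}")
```

The measured duration is only as precise as the probe interval, so a shorter interval gives a tighter bound on when the drop begins.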
Hi,
Is session pickup enabled as well?
Regards,
Shiva
Created on 04-15-2024 06:15 PM Edited on 04-15-2024 06:16 PM
It hasn't been enabled yet. I will check it and let you know. Thank you!