How to keep the connections when perform firmware update? 2 Fortinet 100e firewall with HA

Hieuvm · ‎04-15-2024

We have 2 Application servers that have some applications connect locally to pg-pool on the same server. 2 Postgresql Databases servers, stacking switch between AP servers to firewall and stacking switch between firewall to DB servers. When we updated the firewall firmware, we have about 1 minute downtime for fail-over process between the firewall devices. After that, the pg-pool connection to database server disconnected once and re-connected after that. But the application still timeout and disconnect. I would like to know if there is a way to update firewall firmware on 1 firewall without network disconnection? Thank you!

srajeswaran · ‎04-15-2024

With "uninterruptible-upgrade enable", there is no traffic drop expected. Are you saying, you are getting 1min downtime even with this setting?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-upgrade-procedure-and-the-sta...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Hieuvm · ‎04-15-2024

I will check it now. Thank you for the suggestion!

Hieuvm · ‎04-15-2024

I have uninterruptible-update enabled already. Still have about 1mins downtime. Can you give me direction for what else to check then Mr.Suraj. Thank you!

AEK · ‎04-15-2024

make sure you enabled session pick-up.

config system ha
    set session-pickup enable
end

AEK

Hieuvm · ‎04-15-2024

Currently I don't have session-pickup enable yet. I will check it now. Thank you.

srajeswaran · ‎04-15-2024

Ideally the upgrade happens in below steps.

1. Upgrade of backup unit (The sessions continue to flow through the Primary unit)

2. Once backup is upgraded and rebooted, failover happens (sessions are moved to upgraded node at this time)

3. The old primary node is upgraded and sessions continue to work through upgraded node.

Are you seeing traffic issue during the setp2?

Can you make sure the sessions are synced between the nodes? Make sure "synced" flag is there on this particular session.

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-see-if-a-session-is-synced-in-HA/t...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Toshi_Esumi · ‎04-15-2024

When exactly the 1 min down time starts?
a) when the secondary reboots
b) when the original secondary takes over the primary role
c) when the original primary takes back the primary role
You probably need to have console connections to both FGTs and keep watching while the HA upgrade process progresses.

Toshi

smaruvala · ‎04-15-2024

Hi,

Is the session pickup is enabled as well?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-session-failover-session-pickup/ta-p/19...

Regards,

Shiva

Hieuvm · ‎04-15-2024

It hasn't been enabled yet. I will check it and let you know. Thank you!

How to keep the connections when perform firmware update? 2 Fortinet 100e firewall with HA

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website