trickyc
New Contributor II

Problems with Active-Passive HA deployment

Hi

 

I'm deploying Azure FortiGate HA Active-Passive as per this documentation:

https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Passive-ELB-ILB

with the Active unit in Availability Zone 1 and the Passive unit in Availability Zone 2.

I'm having problems with the Passive firewall. If I log on, it shows no ARP entries with 'get system arp':

couks-FGT-B # get system arp
Address Age(min) Hardware Addr Interface

couks-FGT-B #


HA cluster is working because they both show in Sync. But on Passive, it doesn't respond to the ILB probes:

couks-FGT-B # diag sniff packet port2 'host 168.63.129.16'
Using Original Sniffing Mode
interfaces=[port2]
filters=[host 168.63.129.16]
1.459976 168.63.129.16.55536 -> 10.201.0.70.8008: syn 2968236125
3.468306 168.63.129.16.55536 -> 10.201.0.70.8008: syn 2968236125
6.455136 168.63.129.16.55613 -> 10.201.0.70.8008: syn 2490195652
7.469473 168.63.129.16.55613 -> 10.201.0.70.8008: syn 2490195652
^C
4 packets received by filter
0 packets dropped by kernel

 

and doesn't appear to receive any probes from the ELB:

couks-FGT-B # diag sniff packet port1 'host 168.63.129.16'
Using Original Sniffing Mode
interfaces=[port1]
filters=[host 168.63.129.16]
^C
0 packets received by filter
0 packets dropped by kernel

couks-FGT-B #


I can understand that the Passive unit may not respond to ILB probes because its routing table won't be active (Passive unit), but I don't understand why the unit shows no ARP entries or why the ELB is not probing. Does the fact that the Passive unit is in a different availability zone make a difference?
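To make the two sniffer captures above easier to compare, here is a small added parser (my own example, not part of the original thread or any Fortinet tool) that reads 'diag sniff packet' lines, separates Azure-originated probe SYNs from FortiGate-originated SYNs toward the same address, and reports whether probes were received and answered on a given interface. The sample lines are copied from the captures posted in this thread; 168.63.129.16 is the Azure probe/wire-server address they show.

```python
import re
from collections import Counter

# Azure's shared source address for load-balancer health probes (and the VM wire
# server), as seen in the sniffer output posted in this thread.
AZURE_PROBE_SRC = "168.63.129.16"

# One packet line of 'diag sniff packet <intf> <filter>' output, e.g.
#   1.459976 168.63.129.16.55536 -> 10.201.0.70.8008: syn 2968236125
PKT_RE = re.compile(
    r"^\s*\d+\.\d+\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[a-z]+(?: [a-z]+)*)\s+\d+"
)


def classify_capture(lines):
    """Count probe SYNs from Azure, FortiGate replies to them, FortiGate-initiated
    SYNs toward the Azure address, and other Azure->FortiGate packets (e.g. RSTs).
    Non-packet lines (sniffer banner, ^C, packet counters) are ignored."""
    stats = Counter()
    for line in lines:
        m = PKT_RE.match(line)
        if not m:
            continue
        flags = m["flags"].split()
        bare_syn = "syn" in flags and "ack" not in flags
        if m["src"] == AZURE_PROBE_SRC:
            stats["probe_syn" if bare_syn else "azure_other"] += 1
        elif m["dst"] == AZURE_PROBE_SRC:
            stats["fgt_initiated_syn" if bare_syn else "fgt_reply"] += 1
    return dict(stats)


def probe_verdict(stats):
    """Reading of one interface capture from the FortiGate's point of view."""
    if not stats.get("probe_syn"):
        return "no probes received"            # e.g. the ELB is not probing this backend
    if not stats.get("fgt_reply"):
        return "probes received but unanswered"  # expected on a passive unit
    return "probes answered"


# Sample input copied from the thread: port2 on the passive unit (ILB probes).
ILB_PORT2 = """Using Original Sniffing Mode
1.459976 168.63.129.16.55536 -> 10.201.0.70.8008: syn 2968236125
3.468306 168.63.129.16.55536 -> 10.201.0.70.8008: syn 2968236125
4 packets received by filter""".splitlines()

if __name__ == "__main__":
    print(probe_verdict(classify_capture(ILB_PORT2)))
```

Run the same function over the port1 capture (no packet lines at all) and it reports "no probes received", which is exactly the asymmetry the thread goes on to explain.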

 

msolanki
Staff

Please refer to the KB and check whether the FortiGate LB probe config is up to the mark:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-VM-probe-on-Azure-load-balancer/...

trickyc
New Contributor II

Hi

 

Yes, I have checked all that out and that is all good. But two interesting things:

1/ I don't see any health probes come into the 'passive' FortiGate from the ELB, only from the ILB.

2/ When I make the 2nd FortiGate 'active', it still doesn't see any probes from the ELB, but I see weird behaviour from the firewall: it tries to initiate a connection from its external interface to the load balancer IP address:

1.965534 10.201.0.5.23233 -> 168.63.129.16.80: syn 2935750225
5.975524 10.201.0.5.23233 -> 168.63.129.16.80: syn 2935750225
8.969814 10.201.0.5.23249 -> 168.63.129.16.80: syn 2896669561
9.965534 10.201.0.5.23249 -> 168.63.129.16.80: syn 2896669561
9.989102 168.63.129.16.80 -> 10.201.0.5.23228: rst 222723313

 

This doesn't make sense. The load balancer is only used as a source for ELB and ILB health probes. Why would the FortiGate be trying to initiate its own connection?

trickyc
New Contributor II

I came across this:

Technical Tip: FortiGate Azure showing 'virtual ma... - Fortinet Community

 

which explains why my passive firewall is showing VM agent not ready, and explains the traffic going to 168.63.129.16.80 as described in my last update. But it never gets a reply.

 

Christian_89
Contributor III

The fact that the Passive unit is in a different availability zone should not cause the issues you are experiencing with ARP entries and ELB probing. In an Azure FortiGate HA Active-Passive deployment, the Passive unit should still respond to ARP requests and receive probes from the ILB.

Regarding the missing ARP entries on the Passive unit, it could indicate a configuration or network issue. Here are a few troubleshooting steps you can take:

1. Ensure that the network interfaces of both the Active and Passive units are properly configured and connected. Check the network settings, subnet, and IP addresses assigned to each interface.

2. Verify that the VNet peering or VPN connection between the two availability zones is functioning correctly. The Passive unit should be able to communicate with the Active unit over the network.

3. Double-check the configuration of the HA settings on both units, including the heartbeat interface, HA virtual MAC address, and cluster ID. Make sure they match the requirements specified in the documentation you mentioned.

4. Check the routing configuration on both units. The Passive unit should have a default route pointing to the Active unit's IP address for outbound traffic.

5. Review the FortiGate logs and event logs on the Azure portal for any relevant error messages or warnings that could provide more insight into the issue.

Regarding the ELB probing, it's possible that the Passive unit is not responding because of an issue with the ILB configuration or network connectivity. Here are some steps to troubleshoot this:

1. Verify that the ILB is correctly configured and associated with the FortiGate HA cluster. Double-check the ILB settings, backend pool configuration, and health probes.

2. Ensure that the ILB is configured to send probes to the correct IP address and port of the FortiGate cluster.

3. Check the network security group (NSG) rules associated with the FortiGate instances. Make sure that the necessary ports for ILB probing are allowed.

4. Review the ILB logs or diagnostic information in the Azure portal to see if there are any errors or failures related to the ILB probes.

5. If possible, try temporarily switching the Active and Passive units to see if the issue persists. This can help determine if the problem is specific to the Passive unit or related to the ILB configuration.

If the issue persists after following these steps, you may need to consult with Fortinet support or Azure support for further assistance. They can help you troubleshoot the specific configuration and network setup in your environment.

trickyc

Hi

 

Just to say that ILB health probes were working, as posted previously. It was ELB health probes that I wasn't seeing.

However, I have managed to resolve this problem. Basically, my secondary FGT was associated with a resource group that no longer existed! Somewhere else, someone had decided to replace the resource group from <RG-NAME> to <rg-name>. Basically the same RG name but without capitalization. I hadn't noticed because the RG name was the same and my FGT was still associated with the old RG name. Somehow, it didn't impact rx of the ILB probing but screwed up rx of the ELB probing.

Once I had moved the secondary to the correct RG, it started working.
