Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Regression with 7.4.7 over 7.4.3 on Fortigate FGT8...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regression with 7.4.7 over 7.4.3 on Fortigate FGT80F - LDAP no longer works on secondary units
Hello!
We just upgraded our FGT80F firewalls from 7.4.3 to 7.4.7 and LDAP no longer works on the secondary units, it only works on the primary units when trying to log on. We have to use the emergency local account if we want to log in the secondary unit.
We have two active passive clusters, and we have the same issue on both clusters, the secondary can only be accessed with the local account.
My teammate found this article, maybe we are hitting this : https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-local-out-traffic-blocked-by-HA-debu...
But in all cases, I think we should be able to log in using LDAP in the secondary if we need to.
Any ideas to troubleshoot this?
At first sight, we get "local-out traffic, blocked by HA" when trying to do Packet Trace.
Hoping everything is clear, if there's anything, please ask!
Thanks!
Konnan
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maybe this, https://community.fortinet.com/t5/FortiGate/Technical-Tip-LDAPS-connections-no-longer-work-after-upd... ?
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried it, without success. Thanks for the tip anyway!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks funkylicious! I'll have a look and report back.
What's really curious is that it's working well on both primaries units. I'll double check.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Konnan ,
If you are using regular LDAP, not LDAPS, you may not have the same issue as the one in that KB.
Please share your HA settings.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @dingjerry_FTNT I tried to share HA settings here with get sys ha stat, maybe my post was lost for some reason. Which settings do you want to look at?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Konnan ,
I wanna see whether you have the HA management interface and/or "ha-direct" setting configured or not.
Regards,
Jerry
Jerry
Created on 02-04-2025 06:41 AM Edited on 02-04-2025 06:43 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @dingjerry_FTNT
By the way, forgot to say in my last post that you were right, I'm not in LDAPS, I'm in LDAP with STARTTLS.
As requested, if you need anything else, don't hesitate to ask.
XYZ-ABCD-EF-2 # show system ha
config system ha
set group-name "XYZ-ABCD-EF"
set mode a-p
set password ENC (***redacted***)
set hbdev "a" 50 "b" 50
set route-ttl 30
set session-pickup enable
set session-pickup-delay enable
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "internalx"
set gateway xx.x.xxx.x
next
end
set override disable
set priority 64
end
XYZ-ABCD-EF-2 #
Thanks!
Konnan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Konnan ,
You do have the HA management interface configured, but no "ha-direct" setting enabled.
Please try the following:
config sys ha
set ha-direct enable
end
Then reproduce it to see whether it will fix this issue or not.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Konnan , forgot to mention, once you enable the "ha-direct" setting, please enter into the secondary device to make sure that the setting is there.
Regards,
Jerry
Jerry
Labels
-
FortiGate
9,448 -
FortiClient
1,918 -
5.2
801 -
FortiManager
799 -
5.4
639 -
FortiAnalyzer
618 -
FortiSwitch
515 -
FortiAP
507 -
FortiClient EMS
474 -
6.0
416 -
5.6
362 -
FortiMail
340 -
SSL-VPN
305 -
IPsec
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiNAC
226 -
FortiWeb
226 -
5.0
196 -
FortiGuard
151 -
SD-WAN
145 -
FortiAuthenticator
135 -
6.4
128 -
Firewall policy
108 -
FortiGateCloud
105 -
FortiSIEM
103 -
FortiCloud Products
102 -
FortiToken
96 -
Wireless Controller
86 -
Customer Service
82 -
FortiProxy
72 -
High Availability
68 -
4.0MR3
64 -
Fortivoice
61 -
FortiEDR
61 -
ZTNA
60 -
Routing
59 -
FortiADC
57 -
VLAN
57 -
DNS
56 -
BGP
54 -
FortiGate-VM
53 -
SAML
50 -
Authentication
50 -
RADIUS
49 -
FortiSandbox
48 -
LDAP
48 -
NAT
47 -
FortiExtender
46 -
Certificate
46 -
FortiDNS
43 -
SSO
43 -
FortiGate v5.4
35 -
VDOM
35 -
FortiLink
35 -
FortiSwitch v6.4
34 -
Application control
34 -
Interface
33 -
FortiConnect
32 -
Logging
32 -
FortiWAN
30 -
Virtual IP
29 -
Web profile
29 -
FortiGate v5.2
26 -
FortiConverter
26 -
FortiPAM
26 -
FortiPortal
23 -
SSL SSH inspection
23 -
FortiGate Cloud
21 -
Traffic shaping
21 -
Automation
21 -
Static route
21 -
FortiSwitch v6.2
20 -
SSID
20 -
SNMP
19 -
FortiMonitor
18 -
WAN optimization
18 -
OSPF
16 -
System settings
16 -
FortiDDoS
15 -
Security profile
15 -
Web application firewall profile
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
API
14 -
Admin
14 -
IP address management - IPAM
14 -
IPS signature
13 -
FortiManager v5.0
12 -
Proxy policy
12 -
FortiManager v4.0
11 -
FortiRecorder
11 -
Traffic shaping policy
11 -
FortiAP profile
11 -
Web rating
11 -
Intrusion prevention
11 -
FortiBridge
10 -
Explicit proxy
10 -
Fabric connector
10 -
Port policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiAnalyzer v5.0
9 -
FortiWeb v5.0
9 -
DNS filter
9 -
Users
9 -
Traffic shaping profile
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
trunk
8 -
Antivirus profile
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiToken Cloud
6 -
Packet capture
6 -
Authentication rule and scheme
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
DLP profile
5 -
DoS policy
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
VoIP profile
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
DLP Dictionary
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
File filter
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2094 | |
| 1182 | |
| 770 | |
| 451 | |
| 344 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.