Static Routes not replicating over HA
I have a FortiGate cluster on 7.4.2 which is being managed by a FortiManager. I have noticed that whenever I create a static route it only gets copied to the primary member and the secondary routing table doesn't change. Is this expected behavior? Do I have to separately create routes on the standby member with its own next hop?
I noticed the same behavior in the GRE tunnel configuration: every time the unit fails over I have to change the local-gw IP to make the tunnel active from the switched-over member.
Any assistance is appreciated.
Thanks
Labels: FortiGate
With A-P HA FGTs, the FMG can save/change config on the primary device only. When you push a new static route from the FMG, it's pushed to the primary device, and then, as long as they're in sync, the same static route should be copied to the secondary by HA config sync between those devices, not from the FMG.
When you get into the secondary FGT through the console or "exe ha manage [0 or 1] <username>" from the primary, you can see the static route is copied in "config router static" then "show". However, since all interfaces to the outside on the secondary FGT are down, you wouldn't be able to see the actual route in "get router info routing-t [all or static]".
You don't see the static route you added in the secondary FGT?
Toshi
Thanks for the reply. To add more clarity: the cluster is hosted on AWS with the primary member in AZ1 and the secondary in AZ2. The next hop for the subnets of the two firewalls is different.
So when I added 10 routes on the primary with next hop 192.168.1.7 (subnet 192.168.1.0/27), they weren't reflected on the secondary member with next hop 192.168.1.39 (subnet 192.168.1.32/27).
When I failed over the devices manually my network went down and I had to manually add all 10 routes on the new primary member with next hop 192.168.1.39. Only then was network connectivity restored and everything started working.
I even checked "config router static" then "show" on the members, but the routes weren't reflected. I had to manually add them to get it working.
I had also checked "get sys ha status"; the HA status seems OK and no errors were observed.
- Did you notice an alarm showing that the cluster is not synchronized?
- The route you added, is it on the management interface? Did you enable Management Interface Reservation in the HA config?
There is no alarm in the cluster showing it as non-synced.
Routes are added towards the internal interface.
Because of the different subnets, the firewall members have different next hops for each interface. So how will route replication work?
All routing configuration, including static routes, is replicated to the secondary node, except (I suppose) the routes related to the management interface when it is "HA Reserved".
OK, this is really strange in that case then, because there are no errors in HA sync. Policy is getting synced but not routing.
Can you share the output of:
show router static
Show only the affected routes, please.
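The two checks suggested in this thread (comparing "config router static" / "show" on the secondary with the primary, and looking at the next hops given that each AZ has its own subnet) can be scripted once the "show router static" output has been captured from both members. The following is an added example and not code from the thread, from Fortinet, or from FortiManager. It parses the `config router static / edit N / set ... / next / end` structure that "show router static" prints, diffs the two members by destination, and flags any route whose gateway does not sit inside that member's own connected subnet. The two captures are constructed to mirror the thread (primary subnet 192.168.1.0/27 with gateway 192.168.1.7, secondary subnet 192.168.1.32/27 with gateway 192.168.1.39); the interface name "port2", the route sequence numbers and the destination prefixes are assumptions.

```python
"""Diff 'show router static' captures from two FortiGate HA members.

Added example, not from the thread or from Fortinet. Captures would
normally be pasted from the primary and from 'exe ha manage' on the
secondary; here both are constructed sample text.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample captures (not real device output). Route 1 has no
# 'set dst', which FortiOS shows for the default route 0.0.0.0/0.
PRIMARY_SHOW = """\
config router static
    edit 1
        set gateway 192.168.1.7
        set device "port2"
    next
    edit 2
        set dst 10.10.0.0 255.255.0.0
        set gateway 192.168.1.7
        set device "port2"
    next
    edit 3
        set dst 10.20.0.0 255.255.0.0
        set gateway 192.168.1.7
        set device "port2"
    next
end
"""

SECONDARY_SHOW = """\
config router static
    edit 1
        set gateway 192.168.1.39
        set device "port2"
    next
    edit 2
        set dst 10.10.0.0 255.255.0.0
        set gateway 192.168.1.7
        set device "port2"
    next
end
"""


@dataclass(frozen=True)
class StaticRoute:
    seq: int
    dst: str      # normalised CIDR; "0.0.0.0/0" when 'set dst' is absent
    gateway: str
    device: str


def parse_show_router_static(text: str) -> dict[int, StaticRoute]:
    """Parse the 'config router static' block into {seq: StaticRoute}."""
    routes: dict[int, StaticRoute] = {}
    seq = None
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"edit (\d+)", line)
        if m:
            seq, fields = int(m.group(1)), {}
            continue
        if seq is None:
            continue                      # 'config ...' / 'end' lines
        if line == "next":
            routes[seq] = StaticRoute(seq, fields.get("dst", "0.0.0.0/0"),
                                      fields.get("gateway", ""),
                                      fields.get("device", ""))
            seq = None
            continue
        m = re.fullmatch(r"set (\w+) (.+)", line)
        if m:
            key, val = m.group(1), m.group(2).strip('"')
            if key == "dst":              # "10.10.0.0 255.255.0.0" -> "10.10.0.0/16"
                net, mask = val.split()
                val = str(ipaddress.ip_network(f"{net}/{mask}", strict=False))
            fields[key] = val
    return routes


def compare_members(primary, secondary, primary_subnet, secondary_subnet):
    """Return (kind, dst, detail) findings. Routes are matched by destination
    because sequence numbers may legitimately differ between members."""
    p_by_dst = {r.dst: r for r in primary.values()}
    s_by_dst = {r.dst: r for r in secondary.values()}
    findings = []
    for dst, pr in sorted(p_by_dst.items()):
        sr = s_by_dst.get(dst)
        if sr is None:
            findings.append(("MISSING_ON_SECONDARY", dst, f"primary gw {pr.gateway}"))
        elif sr.gateway != pr.gateway:    # expected for cross-AZ members; informational
            findings.append(("GATEWAY_DIFFERS", dst, f"{pr.gateway} vs {sr.gateway}"))
    for dst in sorted(set(s_by_dst) - set(p_by_dst)):
        findings.append(("MISSING_ON_PRIMARY", dst, f"secondary gw {s_by_dst[dst].gateway}"))
    # A next hop outside the member's own connected subnet is unusable after failover.
    for name, routes, subnet in (("primary", primary, primary_subnet),
                                 ("secondary", secondary, secondary_subnet)):
        net = ipaddress.ip_network(subnet)
        for r in sorted(routes.values(), key=lambda r: r.seq):
            if r.gateway and ipaddress.ip_address(r.gateway) not in net:
                findings.append(("UNREACHABLE_GATEWAY", r.dst,
                                 f"{name} seq {r.seq}: gw {r.gateway} not in {subnet}"))
    return findings


def run_example():
    return compare_members(parse_show_router_static(PRIMARY_SHOW),
                           parse_show_router_static(SECONDARY_SHOW),
                           "192.168.1.0/27", "192.168.1.32/27")


if __name__ == "__main__":
    for kind, dst, detail in run_example():
        print(f"{kind:22} {dst:16} {detail}")
```

On the sample captures this reports the default route's differing gateway (the desired state across AZs), 10.20.0.0/16 missing from the secondary, and 10.10.0.0/16 on the secondary pointing at 192.168.1.7, which is not in the secondary's 192.168.1.32/27 subnet and would stop forwarding after a failover even though the route itself was synced.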