Unable to get HA working on FortiAuthenticator VM
Hi there,
For some reason I'm unable to get an HA cluster (HIGH/LOW) running; it cannot see its peer. Just after I installed the license it worked for an hour and then it didn't any more.
Here's my config:
> show system ha
config system ha
    set mode enable
    set interface port2
    set priority low
    set hb-interval 10
    set hb-lost-threshold 6
    set mgmt-ip 10.22.61.2/255.255.255.0
    set mgmt-access SSH HTTPS GUI
    set role cluster_mem
And the slony logs from HA
020-06-05T10:24:47.710904-04:00 scn00419 slon[3469]: [1-1] 2020-06-05 10:24:47 BOT ERROR cannot get sl_local_node_id - ERROR: relation "_fac_ha.sl_local_node_id" does not exist
2020-06-05T10:24:47.710931-04:00 scn00419 slon[3469]: [1-2] LINE 1: select last_value::int4 from "_fac_ha".sl_local_node_id
2020-06-05T10:24:47.710935-04:00 scn00419 slon[3469]: [1-3] ^
2020-06-05T10:24:47.710938-04:00 scn00419 slon[3469]: [2-1] 2020-06-05 10:24:47 BOT FATAL main: Node is not initialized properly - sleep 10s
Strange thing is in vSphere when I list my IP addresses:
Anyone troubleshooting? Tried a different port for HA and the latest update for FortiAuthenticator. vSphere is on Version 6... Any help would be appreciated!
Hello,
Got quite the same behaviour.
HA is flapping very often.
And I can also see 169.254.x.x IP addresses for UDP heartbeats when I run a tcpdump, instead of the 10.x.x.x IP addresses assigned to port2.
Did you resolve?
Hey roms,
the 169.254.x.x IP addresses are expected - FortiAuthenticator units build a tunnel between them and use those 169.254.x.x IPs for that.
Regarding your cluster flapping a lot, I would suggest checking the following:
- what firmware is your FortiAuthenticator? If not the newest, you could consider upgrading
- does your FortiAuthenticator cluster share the HA link with any other traffic that could cause delays/packet loss?
- if you are using the default HA timers (interval of 1000 ms and a tolerance of six missed heartbeats), you could consider increasing them to see if that helps a bit; it makes the HA link more resistant to the occasional packet loss but also means failover will take a bit longer to be initiated
Hi Debbie,
Thanks for the input regarding the 169.245.x.x interface (good to know).
We are running 6.4.1. The 2 VMs have the dedicated HA link plugged into a separate network with only a few servers (2-3).
I think we are going to play a little with the timers. From what we can see, the failover occurs 2.3 times a day.
