Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Unable to get HA working on FortiAuthenticator VM

Hi there,

For some reason I'm unable to get HA cluster (HIGH/LOW) running, it cannot see it's peer. Just after I installed the license it worked for an hour and then it didn't any more.


Here's my config:


> show system ha config system ha set mode enable set interface port2 set priority low set hb-interval 10 set hb-lost-threshold 6 set mgmt-ip set mgmt-access SSH HTTPS GUI set role cluster_mem


And the slony logs from HA


020-06-05T10:24:47.710904-04:00 scn00419 slon[3469]: [1-1] 2020-06-05 10:24:47 BOT ERROR cannot get sl_local_node_id - ERROR: relation "_fac_ha.sl_local_node_id" does not exist 2020-06-05T10:24:47.710931-04:00 scn00419 slon[3469]: [1-2] LINE 1: select last_value::int4 from "_fac_ha".sl_local_node_id 2020-06-05T10:24:47.710935-04:00 scn00419 slon[3469]: [1-3] ^ 2020-06-05T10:24:47.710938-04:00 scn00419 slon[3469]: [2-1] 2020-06-05 10:24:47 BOT FATAL main: Node is not initialized properly - sleep 10s


Strange thing is in vSphere when I list my IP addresses:


  • (port 2 for HA should be 10. address)
  • fe80::250:56ff:fe81:3211
  • fe80::250:56ff:fe81:d342[/ul]

    Anyone troubleshooting? Tried different port for HA and latest update for FortiAuthenticator. vSphere is on Version 6...Any help would be thankful!

  • 3 REPLIES 3
    New Contributor



    Got quite the same behaviour.

    HA is flapping very often.

    And I can see also 169.254.x.x IP addresses for UDP heartbeats when I run a tcpdump insteaf of 10.x.x.x IP addresses assigned to port2

    Did you resolve?




    Hey roms,

    the 169.254.x.x IP adresses are expected - FortiAuthenticator units build a tunnel between them and use those 169.254.x.x IPs for that.

    Regarding your cluster flapping a lot, I would suggest to check the following:

    - what firmware is your FortiAuthenticator? If not the newest, you could consider upgrading

    - does your FortiAuthenticator cluster share the HA link with any other traffic that could cause delays/packet loss?

    - if you are using the default HA timers (interval of 1000 ms and a tolerance of six missed heartbeats), you could consider increasing them to see if that helps a bit; it makes the ha link more resistant to the occasional packet loss but also means failover will take a bit longer to be initiated

    +++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

    Hi Debbie,

    Thanks for the input regarding the 169.245.x.x interface (good to know)

    We are running 6.4.1. The 2 VM hav the dedicated HA link plugged on a separate network with only few servers (2-3).

    I think we are going to play a little with the timers. From what we can see the failover occures 2.3 times a day


    Top Kudoed Authors