Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDRCloud
- FortiNDR (on-premise)
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Unexpected HA failover issues
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unexpected HA failover issues
Hello all,
i have an issue with two Fortigate 60B configured in HA active-passive mode
heartbeat interfaces:
- WAN1 connected through a switch with dedicated vlan ports (untagged)
- WAN2 connected directly with a cross cable
Randomly several times a day the cluster start an HA failover with these logs:
Message meets Alert condition
The following critical firewall event was detected: Critical Event.
date=2012-04-13 time=22:49:27 devname=company-fw2 device_id=FGT60B3908650580 log_id=0105037901 type=event subtype=ha pri=critical fwver=040010 vd=" root" msg=" Heartbeat device(interface) down" ha_role=slave hbdn_reason=neighbor info lost devintfname=wan2
Message meets Alert condition
The following critical firewall event was detected: Critical Event.
date=2012-04-13 time=22:49:27 devname=company-fw2 device_id=FGT60B3908650580 log_id=0105037901 type=event subtype=ha pri=critical fwver=040010 vd=" root" msg=" Heartbeat device(interface) down" ha_role=slave hbdn_reason=neighbor info lost devintfname=wan1
Message meets Alert condition
The following critical firewall event was detected: Critical Event.
date=2012-04-13 time=22:49:28 devname=company-fw1 device_id=FGT60B3908670675 log_id=0105037901 type=event subtype=ha pri=critical fwver=040010 vd=" root" msg=" Heartbeat device(interface) down" ha_role=master hbdn_reason=neighbor info lost devintfname=wan2
Message meets Alert condition
The following critical firewall event was detected: Critical Event.
date=2012-04-13 time=22:49:28 devname=company-fw1 device_id=FGT60B3908670675 log_id=0105037901 type=event subtype=ha pri=critical fwver=040010 vd=" root" msg=" Heartbeat device(interface) down" ha_role=master hbdn_reason=neighbor info lost devintfname=wan1
- no power outage (firewalls and swithes are connected to an ups, switches are always online)
- no switch problems (no evidence of restart or problems in their logs)
I' ve tried to enable alternatively only one heartbeat interface, first wan1 then wan2, with no success.
When the HA failover occurr, clients inside lan lost their internet connection and all vpn tunnels are brought down causing big connectivity troubles
Initially there was only one firewall connected, working perfectly. When i added the second firewall in HA mode the problems started immediatley.
In the past I' ve configured several others units in HA mode with no problems. I cannot explain the reason of this malfunctioning.
I opened a support ticket more than one month ago, only to discovered that the technical support is very poor (one answer every 4-5 days) and it' s totally useless because they don' t have any idea how to solve the problem.
Thanks in advance for your support, you' re my last chance :)
Bye
Gianf
Bye Gianf
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please login to the cli and type the following:
config system ha show fullIt might have something todo with the timers for HA. Do you monitor the CPU usage of the units? Maybe there is a problem with one of the units causing a high cpu load? What software version do you use?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Matthijs
this is the output:
config system ha
set group-id 0
set group-name " IG-HA"
set mode a-p
set password ENC xxxxxxxxxxxxxxxxxxxxxxxxxxx
set hbdev " wan1" 50 " wan2" 100
set route-ttl 10
set route-wait 0
set route-hold 10
set sync-config enable
set encryption disable
set authentication disable
set hb-interval 4
set hb-lost-threshold 20
set helo-holddown 20
set arps 5
set arps-interval 8
set session-pickup disable
set link-failed-signal disable
set uninterruptable-upgrade enable
set vcluster2 disable
set override disable
set priority 128
unset monitor
unset pingserver-monitor-interface
set pingserver-failover-threshold 0
set pingserver-flip-timeout 60
end
sw version 4.0 MR1 Patch 10, sorry i' ve missed that
According to tech support i' ve already modified the timers this way:
config system ha
set hb-lost-threshold 6 --> to 20
set hb-interval 2 --> to 4
end
but with no success.
Monitoring did not show high cpu usage. Session pickup,initially enabled, has been disabled.
Fortinet scheduled update has been set once a day out of working hours (3:00 am)
Tnx
Bye
Gianf
Bye Gianf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why do you use interface monitoring at all? You can achieve unit failure detection with HA heartbeats alone.
If your WAN device fails you can detect that via Gateway detection and re-route.
Which FortiOS version?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ede_pfau,
so do you suggest to disable monitoring?
Do you think this could be solve my problem and prevent further HA failovers?
OS 4.0 MR1 P10
Tnx
Bye
Gianf
Bye Gianf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
About units usage:
small office, ~40 users
mainly web and email traffic
only Fortinet web filtering enabled, no antivirus/antispam, default ips
3 ipsec vpn tunnels, 2 lan to lan and 1 roadwarrior
I was thinking to upgrade the fw to 4.0 MR2 or MR3 latest patch to see if the problem could be solved, last week i' ve asked the tech support about this with no answer :(
Bye
Gianf
Bye Gianf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK so you have HA linked the FGTs on WAN2 (primarily) and WAN1. You do not monitor any link failure apart from these. So no need to change the configuration.
To me the configuration looks correct. If even increasing the timeout period doesn' t help...I would consider upgrading to v4.00 MR2 patch 12. To be honest I don' t see any striking errors which could solve the problem immediately. So, upgrading as a last resort.
Please note that there have been changes from 4.1 to 4.2, please read the Release Notes carefully!
Also, it would help if you are onsite while upgrading. If the cluster breaks during the upgrade there is a risk of loosing the slave.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ede_pfau
Please note that there have been changes from 4.1 to 4.2, please read the Release Notes carefully! Also, it would help if you are onsite while upgrading. If the cluster breaks during the upgrade there is a risk of loosing the slave.What are the relevant changes to pay attention in your opinion? I can manage 1-2 hours of internet outage, scheduling it at the end of working period I was thinking to upgrade according to these steps: 1) break the cluster and disconnect the 2nd unit 2) save the config 3) reset the 2nd unit to factory defaults 4) upgrade the 2nd unit to 4.0 MR2 5) reload the config to the 2nd unit 6) physically switch the two units 7) reset the 1st unit to factory defaults 8) upgrade the 1st unit to 4.0 MR2 9) connect the 1st unit and rejoin the cluster Do you think it' s a correct upgrade plan?
Bye
Gianf
Bye Gianf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why don' t you just try to upgrade them as a stack? If it fails, then you could break the stack and do it individually. Those issues may just be that the firmware level has problems with HA.
Also, and this is important: If you upgrade the unit in the factory default state, you cannot safely restore the older config. Each backup is only right for the level of code it was made from. You should load the same older version, then restore the config and upgrade with the config in place. This will give you the best chance at a working system after it' s all done.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can only support what Bob (rwpatterson) has posted. Keep it simple.
Regarding the changes, all details are in the RN. Judge for yourself if they are important to your setup.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,826 -
FortiClient
1,789 -
5.2
801 -
FortiManager
748 -
5.4
639 -
FortiAnalyzer
567 -
FortiSwitch
483 -
FortiAP
478 -
FortiClient EMS
440 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
218 -
FortiWeb
211 -
5.0
196 -
FortiNAC
196 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
111 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
99 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
82 -
Customer Service
81 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
60 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
DNS
47 -
FortiExtender
46 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
38 -
NAT
37 -
Certificate
37 -
SAML
36 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SSO
34 -
VDOM
33 -
Interface
32 -
FortiConnect
30 -
FortiLink
29 -
Application control
28 -
FortiWAN
27 -
Web profile
27 -
Virtual IP
26 -
FortiGate-VM
25 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
SSID
17 -
OSPF
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1748 | |
| 1114 | |
| 765 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.