Hello everyone,
When I upgrade my HA clusters ("FortiGate appliance"), I have downtime twice for about 40/30 sec.
The HA is configured as active-passive.
I am using the GUI to start the upgrade process from FortiManager.
Is that normal behaviour?
Kind regards,
Homan
Hi @Homan
Thanks for your update. While upgrading the devices in an HA cluster, the secondary upgrades first, then the secondary reboots and comes up, and then the upgrade takes place for the primary device.
So when the device is switching roles, it sends the gratuitous ARP to let the network know that all the traffic now has to be sent to that particular device, to notify the network that a new physical port has become associated with the IP address and virtual MAC of the HA cluster.
This is sometimes called “using gratuitous ARP packets to train the network,” and can occur when the primary node is starting up, or during a failover. Also configure ARP Packet Interval.
The valid range is 1 to 60. The default is 5 for the ARP packets.
So it might be that you have a cluster that has a large number of VLAN interfaces and virtual domains.
It can also be the switch taking time to guide the network about the new device.
You can change the ARP setting in the HA configuration, but normally, you do not need to change this setting.
Refer to the document below if it helps:
https://help.fortinet.com/fadc/4-4-0/cli/Content/FortiADC/cli-ref/config_system_ha.htm
Hi @asengar,
Thanks for your reply.
Is this behavior only with upgrade?
Because I believe with failover everything goes a bit faster.
Kind regards,
Homan
I assume you're talking about a circuit failover like from wan1 to wan2 as a "failover"; that changes just an outgoing interface on the same FGT. HA is a whole FGT swap, so all sessions have to be in sync to minimize the downtime. You can't simply compare them.
Toshi
Hi Toshi,
Thanks for your comment.
We have two data centers and there is a FortiGate at each location. These two are configured as an HA cluster, active-passive.
By failover I mean changing the active-passive role between the FortiGates in the HA cluster.
Kind regards,
Homan
Hi @Homan
I have an update for you regarding the HA failover, i.e. changing the role of the device.
Once the device changes role, the other device, which is now going to be active, sends the GARP so that the switch is aware of the new interface to send the traffic to.
So it depends on how fast the switch is able to do so.
You can change the ARP setting in the HA configuration, but normally, you do not need to change this setting.
Refer to the document below if it helps:
https://help.fortinet.com/fadc/4-4-0/cli/Content/FortiADC/cli-ref/config_system_ha.htm
NOTE: It can also be the switch taking time to guide the network about the new device.