- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- failed HA device
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
failed HA device
Hello Everyone,
We have a fortigate 3600 in active-passive mode. the active has encountered failure & will be replaced.
We are looking at some steps on how to replace this faulty unit & make sure the configurations etc are in sync for failover pair to work properly.
Appreciate all help
Suthomas
Suthomas
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just rebuild the HA members and other parameters ( cluster id, parameters, password ). Once the units are reconnected, the new RMA unit will sync the cfgs.
Pretty straight forward, should be a 5min or less task.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also make sure that the firmware levels match.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HA members and other parametersmake sure that the priority is lower and " set override" is set to disabled. otherwise you could sync your empty configuration to the other one...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agreed, everything can run smoothly IF you watch out for some traps.
1. Usually you will have to DOWNgrade the replacement unit to match the firmware build of the remaining unit. If you do that (and esp. if coming down from v5) it could not harm to do a ' exec formatlogdisk' on the new FGT.
2. Then, set the hostname (!!!) on the new unit to some meaningful string - this can be quite clumsy to do after forming the cluster.
3. If available, set the Remote cluster member management port (a dedicated port with an IP address which will not be sync' ed). This allow you for instance to SNMP monitor each member of the cluster.
4. After that, configure identical values for cluster_ID (most important). This determines the virtual MAC addresses of the cluster ports.
5. I' ve never used a password on the HA communications but if you do then copy that as well.
6. Switch off all port monitoring, on both units. You can enable that after the cluster is running stable. This is to avoid unnecessary failing over during setup, cabling etc.
7. Next, HA priority on the new unit should be at the default of 128. Make sure (!) that your running FGT has a higher priority, or even has ' HA override' enabled. Just imagine seeing a production unit being blanked out by a replacement unit when clustering because the sync went the wrong way around.
I' ve even restored the current config onto the replacement just to make sure.
8. Watch the messages on the (old) primary unit' s console port.
9. Power off the replacement, connect all cables, and power on.
10. After 2-3 minutes, the ' cluster member out of sync' messages should be past ' phase 4' and be ready.
You can check that the configs are finally synchronized with ' diag sys ha showcsum' .
11. You can get to the secondary unit either via the dedicated Remote Mgmt interface, or via the primary' s CLI:
' exec ha manage 1' . While on the secondary unit, the prompt changes (that' s why the hostname is important). Here, you can run ' diag sys ha showcsum' to compare checksums.
Ain' t too complicated. I will do that on Monday as well.
Good luck!
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2. Then, set the hostname (!!!) on the new unit to some meaningful string - this can be quite clumsy to do after forming the cluster.Just curious, what is the problem with changing the hostname after the cluster is formed besides that you have to manage the slave from the cli ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just that.
It' s not obvious for everybody how to get to the slave' s CLI.
But of course, it' s no magic.
I' ve set up a cluster yesterday and it helped to see an unambiguous identifier in every spot (widgets, HA page, CLI etc.) which tells you which machine you are working on at the moment. It' s just one of the things you prepare in advance like the other parameters (group ID, ...).
Funny enough, when the cluster was up and running I pushed my customer to deliberately fail one of the units (i.e. to switch it off). You only know that you have a backup if you try to restore...and when switching it on again, the unit complained (in other words)
" Different hdisk equipment. Cannot form cluster. Shutting down."
And I didn' t see that on the console for a while - just stared at a powered-on but not running Fortigate.
The thing was that while upgrading to 4.3.15 one of the units already had the internal flash disk formatted while the other didn' t. Formatted the disk and the cluster formed. Easy in hindsight :)
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- SDWAN Rules not loading. Circle of... 85 Views
- Issues with activating proxy mode in... 74 Views
- IPSec tunnel error : no SA... 137 Views
- IPSEC Down After Changing the IP... 66 Views
- what "This can be a challenge... 185 Views
Labels
-
FortiGate
6,526 -
FortiClient
1,301 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
241 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.