Simo94

mgmt interface not accessible in HA cluster

hi Team,

 

HA: A-P

Model: 901G

 

So I connect to the mgmt interface of the FortiGate with RJ45 to set up the cluster. Everything goes fine; I set up the member I'm connected to as the primary. After the cluster is up I changed the mgmt interface IP from 192.168.1.99 to an IP on our network, 10.189.1.25/29, with the commands:

set ip 10.189.1.25 255.255.255.248 

set allowaccess https ping ssh

 

I also changed the IP of the PC that I'm connected with to the mgmt interface to 10.189.1.26/29 and set the default gateway to 10.189.1.25 (I also tried without a gateway and it didn't work).

 

After I had done so the connection was lost and I couldn't connect back. I ran a ping from my PC and then ran a debug flow, and I only see some multicast DNS traffic from my PC but no ping traffic. Then I set the IP of the mgmt interface again, but this time I used:

 

set management-ip 10.189.1.25 255.255.255.248 

 

and access worked again. The problem with the above command is that it is not synchronized between HA members, and we want to use that mgmt interface to always be able to access the primary member in case of failovers. I have already set up a reserved HA management interface on each member to be able to access the members individually, which works fine, but we want to use the mgmt interface to always access the primary, and it doesn't work.

 

config on mgmt interface :

 

config system interface
edit "mgmt"
set vdom "root"
set ip 10.189.1.25 255.255.255.248
set allowaccess ping https ssh http
set type physical
set role lan
set snmp-index 1
next
end

 

So basically we are not able to access the mgmt interface when its IP is configured using the 'set ip' command in an HA cluster.

 

One thing to note is that I factory-reset one member (just to test again) without creating a cluster and used the 'set ip' command, and it worked, so the command just doesn't work when the unit is in a cluster.

 

We have another HA cluster of 401s, and the "set ip" command on the mgmt interface works fine there.

ebrlima (Staff)

Hello @Simo94 

 

Did you define the gateway  in the HA configuration?

 

Please share the result of:

 

#show sys ha

#get router info kernel [this displays the route for the mgmt network]

 

Also, you can check the guide below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901...

Eudes Lima
Toshi_Esumi (SuperUser)

In HA, the mgmt port is supposed to be used as the "dedicated-to" out-of-band management interface by default. If you want to do in-band management, you can either use an existing interface for user traffic or configure a VLAN interface on top of it if you want the subnet to be separated.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-dedicated-mgmt-feature-Out-of-ba...

Toshi


Simo94

hi Toshi,

 

thank you for your response.

 

We want the mgmt interface to be used as out-of-band while also being synced between the members, so that we can always access the primary member using one IP address. We can already access the individual members using the reserved management interface on the HA with port1. We already have a cluster of 401s on which we are able to access the primary on the mgmt interface, and we want to achieve the same thing with the 901, but it's not functioning.

 

I created a sub-interface under mgmt and assigned a VLAN, but it still would not work, so I removed it.

 

my routing table : 

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.189.1.22, External, [1/0]
C 10.189.1.16/29 is directly connected, Lan-Office-1951
C 10.189.1.24/29 is directly connected, mgmt

 

As I mentioned before, even if I connect my PC directly to the mgmt interface, assign my PC 10.189.1.26/29 and try ping or whatever (I have ping and other services enabled on that interface), it wouldn't work. But if I set the IP of the mgmt interface using the command "set management-ip 10.189.1.25/29", it works. As you know, though, "set management-ip" doesn't get synced between members, so if a failover happens we would NOT be able to access the primary member using the mgmt interface. We could access it using the reserved management interface on the HA, but we don't want to do that all the time, because in case of a failover we would have to figure out which member is primary by logging into each member individually using the reserved management interface (port1) and then finding out which one is the primary. We don't want to do that; we want to have one interface (mgmt) on which we can always access the primary no matter the failover. So we want to have an out-of-band IP that always follows the primary.

Toshi_Esumi

It's designed to work the opposite way: mgmt as the dedicated-to management interface, which is outside of HA sync, while port1 is subject to HA sync, so both sides have the same IP. Unless you have a particular reason you HAVE TO swap the roles of those two ports, I would recommend the FGT standard way, which you can find in many documents talking about the management interfaces in HA. Besides, the mgmt port has some limitations.

But if the same config works on the FG401x, I would think the same config works on the FG901G as well, unless the particular software version on the 901G has a problem supporting the G-series hardware. I don't have any further ideas.

Toshi
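For reference, the layout Toshi describes above (and the per-member versus synced distinction ebrlima asks about) looks like the following in FortiOS CLI. This is an added illustration, not configuration taken from the thread or from Fortinet documentation; the interface names, addresses, gateway and group name are assumed, and the lines starting with # are annotations rather than CLI input.

```fortios
# Out-of-band, per-member: the dedicated mgmt port.
# management-ip is NOT synchronised, so each member keeps its own address.
config system interface
    edit "mgmt"
        set dedicated-to management
        set management-ip 10.189.1.25 255.255.255.248
        set allowaccess ping https ssh
    next
    # In-band, synchronised: a normal interface configured with "set ip".
    # The same address exists on both members and is served by whichever
    # member is currently primary, so it "follows" the primary on failover.
    edit "port2"
        set vdom "root"
        set ip 10.189.1.17 255.255.255.248
        set allowaccess ping https ssh
    next
end

# HA reserved management interface: a per-member address for reaching a
# specific unit (primary or secondary) directly, with its own gateway that
# does not depend on the cluster routing table.
config system ha
    set group-name "cluster-a"
    set mode a-p
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 10.189.1.22
        next
    end
end
```

The practical consequence is that only the `set ip` address on a synchronised interface moves with the primary role; both `management-ip` on the dedicated mgmt port and the address on the HA reserved management interface stay bound to the physical unit, which is why a "follows the primary" address has to live on a synced interface (a VLAN sub-interface on a synced port works the same way if the management subnet must be kept separate).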

dingjerry_FTNT

Hi @Simo94 ;

 

1) You need to check whether there is an entry for the new 10.189.1.24/29 subnet:

 

get router info routing-table all

 

2) Run the following command to see whether your Ping traffic is hitting your interface or not:

 

diag sniffer packet any 'icmp and host 10.189.1.26' 4

 

Run Ping (not continuous Ping) on your client.

 

3) Run "get sys arp" on the FGT. You are supposed to see an entry for 10.189.1.26. If not, something is preventing the ARP packets between the FGT and your client machine.

 

Regards,

Jerry
Simo94

hi Guys,

 

thank you very much for your help.

 

 

It turned out to be a transient issue which got resolved by restarting the FortiGate multiple times. Now I can use the mgmt interface like a normal interface. I'm not really sure what causes these kinds of issues, but I struggled with it for days and had to restart the FortiGate multiple times for it to be resolved.
