Hi all,
I have an environment setup in GNS to learn about HA.
I have the units bonded together and I can confirm that the HA is working as expected: if I drop a link, then the HA activates and traffic passes over the other. And if I restore the link and reset the uptime counter, traffic is restored.
However, when it's in HA mode and I simulate the failure by removing the WAN link on the 'primary' unit, I can't access the UI at all using the MGMT IP (which I now expect to be on the original 'passive' unit) until I restore the link I have broken and revert the HA uptime timer using the CLI.
I have the interfaces set so that port 5 is WAN for each, connected to an upstream switch which is the WAN.
I have port 10 configured as my 'mgmt' interface,
and port 9 is the HA heartbeat cable,
and I can access the GUI normally under normal circumstances using port 10 on 192.168.100.41. However, when I remove the link, this breaks and I can't access it at all.
Is that expected? Or have I goofed somewhere? I would have thought that since the passive unit is essentially a mirror copy of the primary, when it becomes the active unit it should respond on the 'mgmt' IP?
primary # sh system ha
config system ha
    set group-name "ha"
    set mode a-p
    set password ENC ypG1ywLOvZfmcCUSS1BDFySUt7wP76JxUK0vYerdNtUEOOwyFIzg9BNeRBonb4bTNekRsECmIUYrqybXqzjCSLS76FNJEVK9t3v+6JG8yHVMqSohu2++0mKfF51XnBE8QCo1quX2Gr1R9iIAg8sgGWqBn3Xd6BRQ4k59fKxOoI05ZdsywtLRm4g0oG5h1V/18CxUEA==
    set hbdev "port9" 0
    set session-pickup enable
    set override disable
    set priority 250
    set monitor "port5"
end

backup # show sys ha
config system ha
    set group-name "ha"
    set mode a-p
    set password ENC J4dgKRZKg1Sh3mRsxYy6tGXvAHn6h577PfXzvRIFX1k9RpFeZG28gsrEjDsm0s96UbhoLQ1vd0cfvMtBLf1cdqJWXdwksyJoXFf31D/HiDcjrCuotqPHE7Ve2ZdQoHKXQMTCbcabyjloLpbnPj876X1yDxpHeAEU36ufdMVbtbnZ8vZTyXu4FT+tccIqJeE3oFdu2A==
    set hbdev "port9" 0
    set session-pickup enable
    set override disable
    set priority 200
    set monitor "port5"
end
Hi Jbates,
You should use different IP addresses for each mgmt port on each FortiGate; doing that, you will make sure each FGT has its own mgmt IP address. The article https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901... explains that.
Hello,
Do you have the possibility to simulate console access in the virtual environment?
It would be interesting to know if port5 is up on the secondary device as well.
Since port5 is added as an interface to be monitored, if you manually bring it down on the primary, this should trigger a failover to the secondary device, which would become primary and accessible at the same IP. But if both are down, the HA primary selection algorithm will continue to check the next variables, such as uptime and priority, which should lead to the same primary getting selected and thus to not being able to access the devices.
Check also if on the secondary the same IPs are present in the config (which should be the case if the HA is in sync).
But I believe that somehow the WAN link is not up on the secondary as well, and this causes the HA not to fail over in this case, but it fails over without any issues when resetting the uptime timer.
Hope this helps.
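The primary-election order the reply above walks through (monitored links first, then uptime, then priority), as an added Python model that is not from this thread or from FortiOS; the unit names, serials, uptimes and the 300-second uptime margin are assumed values, and the scenarios replay the states the thread describes with the override-disabled config shown in the original post.

```python
from dataclasses import dataclass, replace
from functools import cmp_to_key

UPTIME_DIFF_MARGIN = 300  # seconds; FortiOS default ha-uptime-diff-margin (assumed)

@dataclass(frozen=True)
class Unit:
    name: str
    serial: str
    priority: int
    uptime: int        # seconds since boot, or since the HA uptime was reset
    monitored_up: int  # monitored interfaces (port5 in the thread) with link up

def compare(a: Unit, b: Unit, override: bool = False) -> int:
    """>0 if a beats b for primary, <0 if b wins. With override disabled (as in
    the thread): monitored links, then age, then priority, then serial number.
    With override enabled, priority is checked before age."""
    if a.monitored_up != b.monitored_up:
        return a.monitored_up - b.monitored_up
    def by_age() -> int:  # age only counts once the difference exceeds the margin
        diff = a.uptime - b.uptime
        return diff if abs(diff) > UPTIME_DIFF_MARGIN else 0
    def by_priority() -> int:
        return a.priority - b.priority
    for check in ([by_priority, by_age] if override else [by_age, by_priority]):
        if (result := check()):
            return result
    return (a.serial > b.serial) - (a.serial < b.serial)  # higher serial wins

def elect_primary(units, override: bool = False) -> str:
    return max(units, key=cmp_to_key(lambda a, b: compare(a, b, override))).name

def thread_scenarios() -> dict:
    """Replay the states discussed in the thread with constructed uptimes."""
    primary = Unit("primary", "FGVM02", 250, uptime=36000, monitored_up=1)
    backup = Unit("backup", "FGVM01", 200, uptime=35900, monitored_up=1)
    both_down = [replace(primary, monitored_up=0),
                 replace(backup, monitored_up=0, uptime=3600)]  # backup booted later
    return {
        # both port5 links up, ages within the margin: priority 250 vs 200 decides
        "healthy": elect_primary([primary, backup]),
        # port5 pulled on the primary only: the link count alone moves the primary role
        "wan_down_primary_only": elect_primary([both_down[0], backup]),
        # port5 down on both (what the reply suspects): links tie, the older unit
        # keeps the primary role, so no failover happens
        "wan_down_both": elect_primary(both_down),
        # same, after 'diagnose sys ha reset-uptime' zeroes the primary's age
        "wan_down_both_after_reset": elect_primary(
            [replace(both_down[0], uptime=0), both_down[1]]),
    }
```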
Copyright 2024 Fortinet, Inc. All Rights Reserved.