Hi all,
I have an environment setup in GNS to learn about HA.
I have the units bonded together and I can confirm that the HA is working as expected: if I drop a link, then the HA activates, and traffic passes over the other. And if I restore the link and reset the uptime counter, traffic is restored.
However, when it's in HA mode and I simulate the failure by removing the WAN link on the 'primary' unit, I can't access the UI at all using the MGMT IP (which I now expect to be the original 'passive' unit) until I restore the link I have broken and revert the HA uptime timer using the CLI.
I have the interfaces set up so that port 5 is WAN for each, connected to an upstream switch which is the WAN.
I have port 10 configured as my 'mgmt' interface,
and port 9 is the HA heartbeat cable.
I can access the GUI normally under normal circumstances using port 10 on 192.168.100.41. However, when I remove the link, this breaks, and I can't access it at all.
Is that expected? Or have I goofed somewhere? I would have thought that since the passive unit is essentially a mirror copy of the primary, when it becomes the active unit, it should respond on the 'mgmt' IP?
primary # sh system ha
config system ha
set group-name "ha"
set mode a-p
set password ENC ypG1ywLOvZfmcCUSS1BDFySUt7wP76JxUK0vYerdNtUEOOwyFIzg9BNeRBonb4bTNekRsECmIUYrqybXqzjCSLS76FNJEVK9t3v+6JG8yHVMqSohu2++0mKfF51XnBE8QCo1quX2Gr1R9iIAg8sgGWqBn3Xd6BRQ4k59fKxOoI05ZdsywtLRm4g0oG5h1V/18CxUEA==
set hbdev "port9" 0
set session-pickup enable
set override disable
set priority 250
set monitor "port5"
end
backup # show sys ha
config system ha
set group-name "ha"
set mode a-p
set password ENC J4dgKRZKg1Sh3mRsxYy6tGXvAHn6h577PfXzvRIFX1k9RpFeZG28gsrEjDsm0s96UbhoLQ1vd0cfvMtBLf1cdqJWXdwksyJoXFf31D/HiDcjrCuotqPHE7Ve2ZdQoHKXQMTCbcabyjloLpbnPj876X1yDxpHeAEU36ufdMVbtbnZ8vZTyXu4FT+tccIqJeE3oFdu2A==
set hbdev "port9" 0
set session-pickup enable
set override disable
set priority 200
set monitor "port5"
end
Hi Jbates,
You should use different IP addresses for each mgmt port on each FortiGate. Doing that, you will make sure each FGT has its own mgmt IP address. The article https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Reserved-Management-Interface/ta-p/1901... explains that.
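A sketch of the reserved management interface setup the reply points to, added here as an example and not taken from either poster or from the linked article. It assumes the FortiOS 6.x/7.x syntax (`ha-mgmt-status`, `ha-mgmt-interfaces`); the gateway 192.168.100.1 and the backup unit's address 192.168.100.42 are constructed values, while port10 and 192.168.100.41 come from the question.

```fortios
# On the primary: reserve port10 for per-unit management.
# This part of the HA config is synchronized to the backup unit.
# port10 must not be referenced by policies, routes or other
# objects before it can be reserved.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port10"
            # constructed gateway for the management subnet
            set gateway 192.168.100.1
        next
    end
end

# On the primary: address of the reserved interface.
# The configuration of a reserved interface is NOT synchronized,
# so each unit keeps its own IP and access settings.
config system interface
    edit "port10"
        set ip 192.168.100.41 255.255.255.0
        set allowaccess https ssh ping
    next
end

# On the backup (from its console, or from the primary via
# "execute ha manage <index> <admin-user>"): a different address.
config system interface
    edit "port10"
        # constructed address for the second unit
        set ip 192.168.100.42 255.255.255.0
        set allowaccess https ssh ping
    next
end
```

With this in place each unit answers on its own management address regardless of which one is currently active, so the GUI of either unit stays reachable during a failover test.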