Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
firas
New Contributor II

Created on ‎06-06-2023 08:03 AM

secondary forti in HA active active is not accessible when I disconnect the primary

Community,

I have the below:

2 fortigate 200F ( HA cluster active active 1st is primary and 2nd is secondary) connected to a core switch with 2 connection each firewall ( 4 connection in total).

the issue is when i try to test the HA active active and I remove the forti primary connection with the core switch, I have no access to the secondary forti ( cannot ping over the ip address that I gave for the both 200F).
The configuration in the core switch is with port channel (channel group) mode active and in the forti is 802.3ad aggregate.

Please Help.

Kind regards

 

Labels:
2656
0 Kudos
1 Solution
Muhammad_Haiqal
Staff
Staff

Created on ‎06-06-2023 06:37 PM

Hi @firas ,

Any HA deployment highly depend on the network design. Based on behavior, looks like your network only works on the primary unit. When primary down, the network itself did not failover to the secondary unit.

And you did mentioned about 2 ports suspended in ethernet channel. I believe it suspended on the switch level to prevent looping. Which may triggered by Spanning Tree Protocol.

This link may be helpful to help you troubleshoot on the issue:
https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD50620


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Aggregate-link-configuration-topologies-in...


https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD47572

 

haiqal

View solution in original post

2614
3 REPLIES 3
firas
New Contributor II

Created on ‎06-06-2023 08:30 AM

To add to this, I found that I have 2 ports suspended in the ethernet channel for the secondary forti.

 

 

2642
0 Kudos
Muhammad_Haiqal
Staff
Staff

Created on ‎06-06-2023 06:37 PM

Hi @firas ,

Any HA deployment highly depend on the network design. Based on behavior, looks like your network only works on the primary unit. When primary down, the network itself did not failover to the secondary unit.

And you did mentioned about 2 ports suspended in ethernet channel. I believe it suspended on the switch level to prevent looping. Which may triggered by Spanning Tree Protocol.

This link may be helpful to help you troubleshoot on the issue:
https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD50620


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Aggregate-link-configuration-topologies-in...


https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD47572

 

haiqal
2615
firas
New Contributor II
In response to Muhammad_Haiqal

Created on ‎06-09-2023 12:34 AM

Thank you for your reply. I followed the below link and it solved my problem.

Technical Tip: Aggregate link configuration topolo... - Fortinet Community

2583
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.