Support Forum
SurfnProtect
New Contributor

Unable to get HA working on FortiAuthenticator VM

Hi there,

For some reason I'm unable to get the HA cluster (HIGH/LOW) running; it cannot see its peer. Just after I installed the license it worked for an hour and then it didn't any more.

 

Here's my config:

 

> show system ha
config system ha
    set mode enable
    set interface port2
    set priority low
    set hb-interval 10
    set hb-lost-threshold 6
    set mgmt-ip 10.22.61.2/255.255.255.0
    set mgmt-access SSH HTTPS GUI
    set role cluster_mem

 

And the slony logs from HA

 

2020-06-05T10:24:47.710904-04:00 scn00419 slon[3469]: [1-1] 2020-06-05 10:24:47 BOT ERROR cannot get sl_local_node_id - ERROR: relation "_fac_ha.sl_local_node_id" does not exist
2020-06-05T10:24:47.710931-04:00 scn00419 slon[3469]: [1-2] LINE 1: select last_value::int4 from "_fac_ha".sl_local_node_id
2020-06-05T10:24:47.710935-04:00 scn00419 slon[3469]: [1-3] ^
2020-06-05T10:24:47.710938-04:00 scn00419 slon[3469]: [2-1] 2020-06-05 10:24:47 BOT FATAL main: Node is not initialized properly - sleep 10s

 

Strange thing is in vSphere when I list my IP addresses:

 

  • 10.22.57.4
  • 169.254.0.2 (port 2 for HA should be 10. address)
  • xxx.xxx.18.210
  • fe80::250:56ff:fe81:3211
  • fe80::250:56ff:fe81:d342

    Anyone troubleshooting? Tried a different port for HA and the latest update for FortiAuthenticator. vSphere is on Version 6... Any help would be appreciated!

    7 REPLIES
    gateways
    New Contributor

    Hello! I am experiencing the same error. Do you by any chance have solved it?

    Daniel4k4k
    New Contributor

    Hi, I also experience this. Did any of you find a solution?

    Thank you.

    Debbie_FTNT

    Hey guys,

    FortiAuthenticator active-passive HA can sometimes be a bit tricky.

     

    Regarding the 169.254.x.x IPs suddenly appearing - this is correct; the HA interfaces have the assigned IP but also start up a service with the IP 169.254.x.x on the same IP for HA communication; if you collect a packet capture on the HA link you would see a lot of UDP 720 with the 169.254.x.x IPs :)

     

    Regarding the "ERROR: relation "_fac_ha.sl_local_node_id" does not exist" message:

    This is quite common when a cluster is being established or the nodes are trying to communicate with each other but for some reason not managing to form a cluster. Usually, if the cluster forms properly, these messages should stop after a few minutes.

    If they pop up continuously, this indicates the nodes are probably seeing each other in some manner, but not able to form a cluster for whatever reason.

     

    A few things you can try:
    - if you're on a 6.2 version, upgrade to 6.3 or 6.4; 6.2 has some known issues with clustering

    - disable HA on both units, and then enable again to restart the HA process

    - reboot both units at the same time; sometimes there can be issues with forming a cluster and agreeing on which unit is the cluster primary if one of the units has a high uptime

    Also verify:

    -> there is no firewall/router between the two nodes limiting communication (some of the HA setup involves Ethernet broadcasts)

    -> the same cluster password is set on both units

    +++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
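    As an added example (not code from the thread or from Fortinet), a small Python check that applies the rule of thumb above to a slon log: it parses lines in the format quoted in the question, measures how long the sl_local_node_id error keeps recurring, and flags it as transient (cluster formed) or persistent (nodes see each other but do not form a cluster). The five-minute cut-off, the constructed sample log and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Matches the syslog prefix and the slon message, e.g.
# 2020-06-05T10:24:47.710904-04:00 scn00419 slon[3469]: [1-1] 2020-06-05 10:24:47 BOT ERROR ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.\d+[+-]\d{2}:\d{2} "
    r"\S+ slon\[\d+\]: \[\d+-\d+\] (?P<msg>.*)$"
)
NODE_ID_ERR = '"_fac_ha.sl_local_node_id" does not exist'


def parse_slon_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, message) for one slon syslog line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"), m.group("msg")


def node_id_error_span(lines: List[str]) -> Optional[float]:
    """Seconds between the first and last sl_local_node_id error, or None if absent."""
    stamps = []
    for line in lines:
        parsed = parse_slon_line(line)
        if parsed and NODE_ID_ERR in parsed[1]:
            stamps.append(parsed[0])
    if not stamps:
        return None
    return (max(stamps) - min(stamps)).total_seconds()


def assess_ha_log(lines: List[str], window_s: float = 300.0) -> str:
    """'clean' with no error, 'transient' if errors stop within window_s
    (assumed: 'a few minutes'), 'persistent' if they keep recurring past it."""
    span = node_id_error_span(lines)
    if span is None:
        return "clean"
    return "transient" if span <= window_s else "persistent"


def sample_log(retries: int) -> List[str]:
    """Constructed sample modelled on the quoted lines: slon retries every 10 s."""
    t0, out = datetime(2020, 6, 5, 10, 24, 47), []
    for i in range(retries):
        ts = (t0 + timedelta(seconds=10 * i)).strftime("%Y-%m-%dT%H:%M:%S")
        head = f"{ts}.710904-04:00 scn00419 slon[3469]:"
        out.append(f"{head} [1-1] {ts[:10]} {ts[11:]} BOT ERROR cannot get "
                   f"sl_local_node_id - ERROR: relation {NODE_ID_ERR}")
        out.append(f"{head} [2-1] {ts[:10]} {ts[11:]} BOT FATAL main: "
                   "Node is not initialized properly - sleep 10s")
    return out
```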
    Daniel4k4k

    Hi Debbie, Thank you for the quick reply.

    My configuration is active-passive with DR site.

    So both FortiAuthenticator are in different locations using IPSEC tunneling.

    I do not use cross cabling.

    Is it still possible to enable HA, knowing the FortiAuthenticator creates 169.254.X.X IPs?

    If it is possible, what is the best way to implement it?

    Regards,
    Daniel.

    bpozdena_FTNT

    You really should be considering the use of A-A load balancing method for geo-separated cluster members. 

     

    If you for some reason must use A-P on this topology, you should be considering the use of VXLAN over IPsec or a similar solution. You basically need to ensure L2 connectivity between the cluster members. You will also most likely need to tweak the heartbeat timer with the commands below.

     

     

    config system ha
      set hb-interval <interval_integer>
      set hb-lost-threshold <threshold_integer>
    end

     

     

    HTH,
    Boris
    Debbie_FTNT

    Hey Daniel,

    you need layer 2 connectivity between the two nodes as far as I know - so the Ethernet broadcasts the units send can find the other unit. Just allowing the 169.254.0.0/16 subnet would not be enough.

    If you can get the IPSec tunnel to behave as a layer2 connection between the two FortiAuthenticators, then yes, an active-passive setup would work, but the whole point of the active/passive setup is that the two units appear as one in your network, with one in standby ready to take over.

     

    You could consider a load-balancing cluster instead - that only requires layer 3 connectivity, the units can find each other with their interface IP and establish an OpenVPN tunnel as HA link between themselves automatically.

    A load-balancing cluster would essentially be two independent FortiAuthenticators that share a user database; they would have their own routing and network infrastructure and might serve different client devices, but the same users could authenticate on either, and use the same token if they have one assigned.

    https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-How-to-configure-FortiAuthenticat...

    A KB on load-balancing cluster for a more in-depth read :)

    +++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
    Akmostafa

    Hi Debbie,

    I have some undigested points regarding HA as the documentation is too brief regarding this topic.

    Firstly, when using A-P clustering, do I have to configure both units' interfaces with a typical IP address? And from the RADIUS clients' point of view, what is the IP that should be used to communicate with the FAC?

    Secondly, I understand that in A-A load balancing a load balancing mechanism is required (DNS), i.e. the primary FAC does not perform the load balancing, it is just synchronizing the configuration to the load balancer? Right?

    And if I have only two FAC units, can I configure the A-A load balancing scenario? In other words, in this case I have one primary stand-alone node and one load balancer, so in the of the primary node, how would RADIUS clients be redirected to the remote load balancer?
