HungDT
New Contributor II

FortiAnalyzer HA can't work

Dear Everyone,

I have a problem with FortiAnalyzer HA. My lab has two FortiAnalyzers, which are configured in HA together. Ports 1 and 2 on FortiAnalyzer01 and 02 are configured as an aggregated port and are the heartbeat interface. Port 3 on FortiAnalyzer01 and 02 is configured with the cluster virtual IP. I have successfully configured HA on the 2 devices, but when I test HA failover (shut down FortiAnalyzer01-Primary), FortiAnalyzer02-Secondary doesn't change to the Primary role and I can't ping the virtual IP. To provide further clarity on the issue, I attached some images.

Please let me know what happened to my FortiAnalyzers.

Thank you all so much.

Best Regards,

[Attached images: lab.jpg, lab1.jpg, lab2.jpg, lab3.jpg]

8 REPLIES
AEK
SuperUser

Hello

It seems your VRRP didn't work.

Is port3 on the two FAZs on the same L2?

Did you try manually setting FAZ1 as primary?

AEK
HungDT
New Contributor II

Yes, port3 on the two FAZs is on the same L2.

I have set FAZ01 as primary, but when I shut down FAZ01, FAZ02 doesn't change to primary. The picture below is the HA status of FAZ02 after shutting down FAZ01. If you know the problem, please let me know. Thank you very much.

[Attached images: HA status_FAZ02.jpg, HA_status1_FAZ02.jpg]

dbu
Staff

In addition to what @AEK said:
Can you access the secondary node from the CLI? Can you verify the HA status from there?

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
HungDT
New Contributor II

Yes, I have inserted the picture below. If you know the problem or need information, let me know. Thank you very much.

[Attached images: HA status_FAZ02.jpg, HA_status1_FAZ02.jpg]

AEK

Hi

Can you try replacing the current HA port with a non-aggregated port?

AEK
HungDT
New Contributor II

I tried but it doesn't work. It is so bad. I don't know why. 

HungDT
New Contributor II

Hi @AEK,

Do you have any ideas for my lab? I have tried more methods but it doesn't work.

Thanks

AEK

Hello @HungDT 

The following tech tip seems to be a good troubleshooting technique for your case.

https://community.fortinet.com/t5/FortiAnalyzer/Troubleshooting-Tip-How-to-troubleshoot-FortiAnalyze...

It is said that the tech tip is for Google Cloud's FAZ, but I think it is applicable to any FAZ (I can see the faz-ha.log file on my FAZ).

You need to enable shell access first, then simulate a failover and check whether there are any relevant logs in faz-ha.log.

AEK