pj255
New Contributor

FortiGate Active-Standby Cluster - Separate Management IP address

Hi,

We're running a pair of 1000Cs in A-P (v5.0, build3608 (GA Patch 7)).

We currently manage both FWs using MGMT1 with one dedicated IP.

Does anyone know how to give the primary and secondary separate dedicated MGMT IPs?

I'd like to use MGMT1 on the primary and MGMT2 on the secondary, each with a different IP address.

Thanks,

PJ

1 Solution
kritt
New Contributor II

Hello mark9885,

I've had the same error.

In my case, this error was resolved by deleting:

- the static route associated with mgmt

- the source-ip setting in the syslog server config

The error could also appear if the mgmt interface is part of firewall policies.

I guess that the interface must not be part of any specific configuration before it is used as the reserved management interface.

Jeff_FTNT
Staff

You may try enabling "ha-mgmt-status" on both Master and Slave and setting up different IPs; then you can manage Master and Slave with different IPs.

config sys ha
    set ha-mgmt-status enable
    set ha-mgmt-interface xx
    set ha-mgmt-interface-gateway x.x.x.x
end
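Before putting the change above into production it is worth checking that the interface you intend to reserve is actually free, because (as kritt's reply in this thread reports) a static route, a syslog source-ip or a firewall policy still bound to it will make the change fail. The script below is an added example, not code from this thread or from Fortinet: it parses the `name : value` layout that `get system ha` prints (the same layout as the HA dump posted later in this thread) and the `config / edit / set / next / end` layout of `show` output, and lists everything that should be removed or set first. All CLI fragments in it are constructed sample input; the interface names (`mgmt1`, `mgmt2`, `port1`), the addresses and the policy and route numbers are invented for the example.

```python
"""Pre-flight audit for a FortiGate reserved HA management interface.

Added example (not from this thread or from Fortinet).  Reports what would
stop `ha-mgmt-interface` from being usable: status not enabled, interface not
set, gateway left at 0.0.0.0, a static route or firewall policy bound to the
interface, or a syslog source-ip that is the interface's own address.
"""
import re

# Constructed sample: abbreviated `get system ha` output, gateway never set.
SAMPLE_GET_SYSTEM_HA = """\
system ha
group-name                 : FGT-HA
mode                       : a-p
hbdev                      : "mgmt2" 50
uninterruptable-upgrade    : enable
ha-mgmt-status             : enable
ha-mgmt-interface          : mgmt1
ha-mgmt-interface-gateway  : 0.0.0.0
"""

# Constructed sample in the shape of `show router static`, `show log syslogd
# setting`, `show system interface` and `show firewall policy` output.
SAMPLE_SHOW_OUTPUT = """\
config router static
    edit 5
        set dst 10.99.0.0 255.255.0.0
        set gateway 192.0.2.1
        set device "mgmt1"
    next
end
config log syslogd setting
    set server "192.0.2.50"
    set source-ip 192.0.2.10
end
config system interface
    edit "mgmt1"
        set ip 192.0.2.10 255.255.255.0
    next
end
config firewall policy
    edit 12
        set srcintf "mgmt1"
        set dstintf "port1"
        set action accept
    next
end
"""

INTERFACE_SETTINGS = {"device", "srcintf", "dstintf", "interface"}


def parse_get_system_ha(text):
    """Map each `name : value` line of `get system ha` output to a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def walk_config(text):
    """Yield (section, entry, setting, value) for every `set` line, tracking
    the config/edit nesting so each setting is attributed to its entry."""
    sections, entry = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append(line[len("config "):])
            entry = None
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
        elif line.startswith("set ") and sections:
            name, _, value = line[len("set "):].partition(" ")
            yield sections[-1], entry, name, value.strip()
        elif line == "next":
            entry = None
        elif line == "end" and sections:
            sections.pop()
            entry = None


def interface_references(text, ifname):
    """(section, entry, setting) tuples in which `ifname` is bound."""
    return [(s, e, n) for s, e, n, v in walk_config(text)
            if n in INTERFACE_SETTINGS and ifname in [x.strip('"') for x in v.split()]]


def interface_ip(text, ifname):
    """Address of `ifname` from `config system interface`, or None."""
    for s, e, n, v in walk_config(text):
        if s == "system interface" and e == ifname and n == "ip":
            return v.split()[0]
    return None


def syslog_source_ip(text):
    for s, _, n, v in walk_config(text):
        if s == "log syslogd setting" and n == "source-ip":
            return v
    return None


def audit_reserved_mgmt(ha_text, show_text):
    """Return a list of findings; an empty list means the interface is ready."""
    ha = parse_get_system_ha(ha_text)
    findings = []
    if ha.get("ha-mgmt-status") != "enable":
        findings.append("ha-mgmt-status is not enabled")
    ifname = ha.get("ha-mgmt-interface", "")
    if not ifname:
        findings.append("ha-mgmt-interface is not set")
        return findings
    if ha.get("ha-mgmt-interface-gateway", "0.0.0.0") == "0.0.0.0":
        findings.append("ha-mgmt-interface-gateway is 0.0.0.0: management only works "
                        "from the subnet directly attached to %s" % ifname)
    for section, entry, setting in interface_references(show_text, ifname):
        findings.append("%s entry %s binds %s=%s; delete it before reserving the "
                        "interface" % (section, entry, setting, ifname))
    src = syslog_source_ip(show_text)
    if src and src == interface_ip(show_text, ifname):
        findings.append("syslog source-ip %s is the address of %s; clear it" % (src, ifname))
    return findings


if __name__ == "__main__":
    for finding in audit_reserved_mgmt(SAMPLE_GET_SYSTEM_HA, SAMPLE_SHOW_OUTPUT):
        print("-", finding)
```

Run it against the output of `get system ha`, `show router static`, `show log syslogd setting`, `show system interface` and `show firewall policy` pasted from each unit; the sample above produces four findings (the unset gateway, the route, the policy and the syslog source-ip), and an empty list once they are cleared.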

pj255

Thanks Jeff!!!

I'll get a change scheduled and test this out.

Fullmoon

Hi Jeff,

Sorry for hijacking this thread :).

Can you help or provide best practice on how to upgrade an FGT 1240B in A-A and A-P? My client wants a smooth upgrade with as little downtime as possible, since they are an airline company. If my memory serves well they are using ver 4.0 MR2 Patch X; I am planning to upgrade to ver 4.0 MR3 Patch X.

In my own lab, using an FWF 60C with simulated HA in A-A, it seems I can't manage to upgrade the firmware without downtime or interruption. I've been reading the admin guide and other posts, but it seems I can't accomplish it.

Assuming the firmware upgrade goes well: since they are using FSSO for authentication, do I need to uninstall the old FSSO and install the new one, or just install the new version of FSSO without uninstalling the old version?

Regards

Fortigate Newbie
ggosain

hey Jeff

Does this change ask for a reboot? (It shouldn't, but I wanted to be double sure before putting this change in prod.)

exp0

Jeff_FTNT

It will not ask for a reboot, thanks.

Jeff_FTNT
Staff

Hi Fullmoon,

HA has an option: set uninterruptable-upgrade {disable | enable}

You may try it in the lab with "set uninterruptable-upgrade enable". Before the upgrade, it is better to back up the settings.

For FSSO, no change is needed; the user information will be obtained from the Windows AD server after the upgrade. Hope this helps, thanks.

Fullmoon

Hi Jeff, thank you for your reply. I guess by default "set uninterruptable-upgrade" was set to enable. In my lab I tried to upgrade my HA A-A a couple of times with the same effect.

Please correct me if I'm wrong about whether this procedure is correct. In my lab, when updating my HA A-A through the GUI, to get a better picture of what is going on behind my slave unit I connected my console cable, and updating seemed to work fine; I had a computer continuously pinging the FortiGate local IP and www.yahoo.com to check if there was any loss or RTOs. I waited a couple of minutes, then upgraded the firmware of the Master unit through the GUI. Here's what I found out: the Slave unit seems to take time to kick in while the Master unit is in the process of the firmware upgrade, and I got 5-10 RTOs before everything went back to normal.

Here are my HA settings for a better picture:

system ha
group-id : 0
group-name : FGT-HA
mode : a-a
password : *
hbdev : "internal1" 50
session-sync-dev :
route-ttl : 10
route-wait : 0
route-hold : 10
sync-config : enable
encryption : disable
authentication : disable
hb-interval : 2
hb-lost-threshold : 6
helo-holddown : 20
arps : 5
arps-interval : 8
session-pickup : enable
session-pickup-connectionless : disable
session-pickup-delay : disable
update-all-session-timer : disable
session-sync-daemon-number : 1
link-failed-signal : disable
uninterruptable-upgrade : enable
ha-mgmt-status : enable
ha-mgmt-interface : internal5
ha-mgmt-interface-gateway : 0.0.0.0
ha-eth-type : 8890
hc-eth-type : 8891
l2ep-eth-type : 8893
ha-uptime-diff-margin : 300
vcluster2 : disable
vcluster-id : 1
override : disable
priority : 128
schedule : round-robin
monitor : "internal4" "wan1"
pingserver-monitor-interface :
pingserver-failover-threshold : 0
pingserver-flip-timeout : 60
vdom : "root"
load-balance-all : disable

Fortigate Newbie
Jeff_FTNT
Staff

"then upgrade the firmware of the Master unit thru GUI, heres what I found out, seems Slave unit takes time to kick-in while the Master unit is the process of firmware upgrade."

 

Did you upgrade from the Slave GUI first?

For the upgrade, we just log in from the Master GUI and do the upgrade. The Master will send the image to the Slave and upgrade it; the Master waits for the Slave to finish upgrading, then upgrades itself. Thanks.

Fullmoon

Hi Jeff

 

The working mechanism of 'uninterruptable-upgrade' if ENABLED is as follows:

- I log into the web GUI
- the web GUI will show me the Master
- I uploaded the firmware to the Master
- the Master will transfer the firmware to the Slave using the heartbeat cable
- the Slave will perform the firmware upgrade first
- during the Slave upgrade there will be no downtime because the Master is still up
- when the Slave is up, ---------- the Master unit didn't perform the firmware upgrade. This is the portion where I am lost.

I can't comprehend why my Master unit didn't perform the firmware upgrade. After the Slave was successfully upgraded and totally UP, I waited for almost 10 minutes or more to check what would happen next, but it seems that in the GUI the Master didn't initiate the firmware upgrade until I was forced to upload the firmware manually to the Master unit. Can you spot my error? Why didn't my Master update its firmware after the Slave successfully updated?

thanks

Fortigate Newbie