AlexandreL
New Contributor

[HA Issue][v5.4.1] Going back to standalone after a reboot.

Hi everybody.

 

I'm setting up a new FortiGate HA cluster (300D) and I have a strange issue. Each time I have to reboot a node of the cluster, it comes back as a standalone FortiGate.

 

Any idea how I can resolve that? This is pretty annoying.

 

Here is the HA configuration.

config system ha
    set group-name "Toto"
    set mode a-p
    set password ENC toto
    set hbdev "mgmt1" 50 "mgmt2" 50
    set session-pickup enable
    set ha-mgmt-status enable
    set ha-mgmt-interface "Management" <= this is actually a vlan interface
    set ha-mgmt-interface-gateway x.x.x
    set override disable
end

1 Solution
pyy
New Contributor III

Hi, can you try to unset this

set ha-mgmt-interface "Management" <= this is actually a vlan interface

and don't use a VLAN interface, just a physical one.

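For reference, here is what the accepted advice looks like applied to the configuration from the original post: the reserved HA management interface is moved off the "Management" VLAN sub-interface onto a physical port. This is an added example, not config posted in the thread. The port name "port1", the management subnet 192.0.2.0/24, the gateway 192.0.2.1 and the cluster password are assumptions; the heartbeat stays on mgmt1/mgmt2 as in the original, and the reserved port is a different physical port because the reserved management interface cannot also carry the heartbeat.

```fortios
# Before (as posted): reserved management interface on a VLAN sub-interface
config system ha
    set ha-mgmt-status enable
    set ha-mgmt-interface "Management"
    set ha-mgmt-interface-gateway x.x.x
end

# After: reserved management interface on a physical port.
# "port1", 192.0.2.1 and the password are assumed values for this example.
config system ha
    set group-name "Toto"
    set mode a-p
    set password "Toto-HA-secret"
    set hbdev "mgmt1" 50 "mgmt2" 50
    set session-pickup enable
    set ha-mgmt-status enable
    set ha-mgmt-interface "port1"
    set ha-mgmt-interface-gateway 192.0.2.1
    set override disable
end

# The reserved port's address is not synchronised between members,
# so give each unit its own (assumed: .11 on the first member, .12 on the second).
config system interface
    edit "port1"
        set ip 192.0.2.11 255.255.255.0
        set allowaccess ping https ssh
    next
end

# After a reboot, confirm the member has rejoined the cluster rather than
# coming up standalone:
get system ha status
```

Apply the `config system ha` block once (it is synchronised to the peer), but set the `port1` address separately on each member over serial or the existing management path before rebooting either unit.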

22 REPLIES
ede_pfau
Esteemed Contributor III

Could you please clarify: the FGT is a master in HA after reboot, or standalone i.e. not in HA mode?

 

If it is a master, then I'd try to use different ports for the HA heartbeat. The management ports have restrictions.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
AlexandreL

After reboot the FGT is in standalone mode.

 

If the master (or the slave) is rebooted, it loses the HA configuration and shows as a FGT working in standalone mode when I connect to it over serial.

The Management interface (VLAN) also disappears after the reboot. Everything else seems to remain.

hklb
Contributor II

ede_pfau wrote:

If it is a master, then I'd try to use different ports for the HA heartbeat. The management ports have restrictions.

Hi,

 

Sorry for this off-topic question, but could you please explain what these restrictions are? For me, the only difference is that these ports are not attached to an NPX ASIC.

 

Lucas

claumakurumure
New Contributor III

Do you have PPPoE or DHCP enabled on any port?

hezvo uko
ede_pfau
Esteemed Contributor III

@hklb:

the mgmt ports do not route - i.e. there are no routes established (automatically) in the routing table for their addresses, like with other ports. This way, you can assign an address in an address range which is already in use by another port - the only exception in a routing FGT.

The main advantage of this is that you can assign separate addresses to each HA cluster member to be able to manage it via WebGUI or ssh.

 

@claumakurumure:

If any port used DHCP or PPPoE, you wouldn't be able to change from 'standalone' into 'HA' mode to start with.

 

@OP:

I'd say there's something gone bad. Could you

- save your config

- have the current firmware image handy

- reboot and stop the boot by hitting any key

- reformat the flash drive

- reload the firmware via TFTP

- reload the config via TFTP or WebGUI

 

When connecting the units, disable all port monitoring first. Only after having the cluster up (even after reboots) re-enable monitoring.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
AlexandreL

claumakurumure wrote:

Do you have PPPoE or DHCP enabled on any port?

No, I don't have DHCP or PPPoE activated on any port.

michaelbazy_FTNT

I would raise a support ticket with Fortinet to be sure that it will be fixed in the next release.

To "patch" the issue in your environment, I would back up the config of each member, put it on USB sticks, rename it on all sticks to "fgt_system.conf", then plug one into each member (be sure to check the HA part).

That way, when your FortiGates reboot, they load the config file from the USB stick.

Let me know if that works for you.

Regards,

I'm operating by "Crocker's Rules"
michaelbazy_FTNT

Also : 

@claumakurumure

@ede_pfau Starting 5.2, FortiOS supports PPPoE & DHCP interfaces in HA!
I'm operating by "Crocker's Rules"
AlexandreL

I already opened a support ticket with Fortinet.

 

With your solution, I guess I will have to make a new backup with each modification of the firewall configuration (like a new policy rule)?
