Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
moby
Contributor

HA and Remote Link Failover

Hi All,   Running an active passive Fortigate cluster and OS 5.4.8 - -we need to have remote link failover working so that if a ping target cannot be reached x times then the cluster fails over. We cannot make any sense of the results, when the ping target fails the cluster takes several minutes to failover and this has no relation to our timers. Has any one else seen strange results like this? Is anyone else running it with good predictable and reliable results? If so in which firmware version. The config for HA and link-monitor is below:   config system ha     set group-name "xxxxxxx"     set mode a-p     set password ENC xxxxxxx     set hbdev "port1" 100 "port2" 50     set ha-mgmt-status enable     set ha-mgmt-interface "mgmt1"     set ha-mgmt-interface-gateway 10.200.254.250     set override enable     set priority 200     set monitor "port16" "port40"     set pingserver-monitor-interface "port20"     set pingserver-failover-threshold 5     config system link-monitor     edit "HA_Ping_Failover"         set srcintf "port20"         set server "10.10.10.1"         set interval 3         set timeout 3         set failtime 3         set recoverytime 3         set ha-priority 10   Any feedback appreciated.   Thanks, Moby.
11 REPLIES 11
emnoc
Esteemed Contributor III

Do you have the the flip imeout variable set

 

"set pingserver-flip-timeout"

 

But no, I have not seem any issues with HA failover due to remote-target  being unreachable. We like to set a  high threshold to avoid premature failover due to glitch or bump in our network.

 

Ken

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
moby

Hi Ken,

 

Ok thanks for the feedback - -yes we have tried it with the Flip Timeout set too -- but our problem is that it takes several minutes to fail over once the target is down. And that does not make any sense to me since our timers should mean it should failover in approx 9 seconds. We have a TAC case open and waiting....................

 

Thanks, Moby

emnoc
Esteemed Contributor III

IIRC  link monitor had some issues back in v5.2.x maybe this rolled into 5.4.x ;)

 

Did you do any based level diagnostics  and  if so  what did it state?

 

   diag sys link-monitor interface <interface name >

 

 

Also did you execute log display and look for the sys event at the failure

 

  e.g

 

     execute log filter cat  1

     execute log display

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
moby

Hi Ken,

 

I did use diag sys link monitor, and it took a long time for the link monitor to go to the die state. Thanks for the log filter and log display tip - -that is a new one which I didn't know existed, should be useful.

Moby.

moby

Hi Again,

 

A correction on my last post. The link monitor does go to the die state, but this does not trigger a failover. Seems to be broken in 5.4.8 and 5.6.3  - -running 2X 1500D 5.4.8 and two 2X 500E 5.6.3 - -not working on both. Had a session with the TAC and now waiting feedback.

 

Moby.

Armando_Gomez_Barrio

I had a similar problem, you managed to resolve it?

 

Best regards...

Armando Gómez
Armando Gómez
Armando_Gomez_Barrio

if you use route dinamic, I recommend you configuring graceful restart for dynamic routing failover with route wait.

 

You should also increase the HA route time to live

config system ha

set route-ttl 60

set route-wait 60

set route-hold 60

end

 

Best regards.

Armando

Armando Gómez
Armando Gómez
moby

Hi,

 

Fortinet TAC tell me that it is a bug for 5.4.8 and 5.6.3  - so currently waiting to find out when it will be fixed and then to confirm this.

 

Moby

Toshi_Esumi
Esteemed Contributor III

You don't even know if a bug report exists already. Or did you see this in one of release-notes as an known issue? If a bug report doesn't exist, it wouldn't be fixed with at lease next releases (5.6.4 is expected next week). Please open a ticket with TAC and get a bug report created if not yet.

Labels
Top Kudoed Authors