pasty13
New Contributor

Licensing, breaking HA, and re-configuring from scratch

Hi all,

 

When having to rebuild a config from scratch due to a corrupt config, does it matter which device we break HA from and factory reset?

 

Does licensing take into account which devices are masters versus which are slaves in an HA cluster?

 

Since the device that we consider the primary is currently active, can we just start this whole process on the device we consider secondary and is currently passive?

 

Thanks

Toshi_Esumi
Esteemed Contributor III

What I would do in a case like yours is:

1. break HA and shut monitored interfaces on the current stand-by side outside of the unit (switch side).

2. I would reformat the drive and re-load the OS for both units, but if you don't have a local TFTP server available you need to skip this step.

3. then factory-reset both units one more time

4. configure the active side from scratch including HA.

5. reconnect HA and configure only HA portion on the stand-by, and let it sync with the active unit's config.

6. It might not be necessary but I would reboot the stand-by unit again to keep uptime of the unit low.

7. Then, finally normalize the monitored interfaces on the stand-by side.

pasty13

Can this be done without disrupting services that are currently running?

Toshi_Esumi
Esteemed Contributor III

That's a completely different story.

1. shut the monitoring interface(s) of the active unit to trigger swap-over, then disconnect HA,

2. re-format the drive on the previously-active unit and reload the OS. You can configure from scratch on this unit and have it ready for swap back.

3. Since the config between them is potentially different, you have to do a "hard-cut" without HA by shutting down the monitoring interface(s) of the previously-standby unit, then unshut on the one you just configured from scratch. It would take some time to bring all back to normal since there are no copies of sessions on the unit.

For the rest you already know and I explained in the previous comment to do the format->resync the stand-by unit to the active one.

ede_pfau
Esteemed Contributor III

Whoa.

Why would you think you will have to break up the HA cluster?

 

If you factory-reset the master, the cluster is split automatically - as the master loses its HA config. The slave will continue to run though, that's the purpose of HA.

 

The former master unit is blank now, and accessible at 192.168.1.99/24. Whether or not you keep the HA ports connected doesn't matter UNTIL you configure the HA setup.

 

To guarantee that the new config is swapped over to the slave AND NOT VICE VERSA, set the 'HA override' option on the master before committing the HA setup. Both units will reboot and form a cluster, the master's config will be copied over to the slave.

 

So, there is no way to avoid downtime completely. But following these steps configuration is easy and downtime is reduced to a minimum.

 

@Toshi: any objections? Did I skip anything?


Ede

"Kernel panic: Aiee, killing interrupt handler!"