FG300D HA failover

Author
kinmun
2019/06/11 09:09:44 (permalink)

I have a pair of FG300D; recently we noticed that the master is having a lot of error messages.
My FortiOS is version 5.4.4.
 
How do I force/swap the HA failover,
so that the slave will now act as the master?
What is the CLI command?
I tried diagnose sys ha reset-uptime; it had no effect.
#1


    Philippe Gagne
    Re: FG300D HA failover 2019/06/11 09:29:48 (permalink)
    Hi,

    Just change the priority of the current slave to be higher than the current master's. The default value is 128; put 200, as an example! The role should move to the other member.

    Regards,

    Phil
    #2
    hubertzw
    Re: FG300D HA failover 2019/06/11 13:38:03 (permalink)
    Hi,
    It depends on which option you have: 'override disabled' or 'override enabled'. You can check it here:
     
    show system ha
     
    With 'override disabled' (default mode) the order is:
    1) number of monitored interfaces
    2) HA uptime (the difference between peers must be higher than 5 minutes to use this one; below 5 minutes it is treated as the same value)
    3) priority
    4) serial number
     
    With 'override enabled':
     
    1) number of monitored interfaces
    2) priority
    3) HA uptime (the difference between peers must be higher than 5 minutes to use this one; below 5 minutes it is treated as the same value)
    4) serial number
     
    With the 1st option, to trigger a failover you reset the HA uptime (on the active one), and with the 2nd you must change the priority (a higher value is preferred).
     
    You should stay with the default settings (override disabled). It's the more stable version and requires less planning. You may prefer 'override enabled' with virtual-clustering in active-passive mode.
     
     
     
    #3
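Added example (not part of any post in the thread, and not Fortinet code): the election order listed in the reply above, as a small Python model run against constructed values. The unit names, uptimes and serials are made up, and "greater serial number wins" is an assumption, since the post only names the serial number as the last tie-breaker.

```python
from dataclasses import dataclass, replace

UPTIME_TIE_SECONDS = 5 * 60  # per the post: smaller differences count as equal


@dataclass(frozen=True)
class Unit:
    name: str
    monitored_up: int   # monitored interfaces with link up
    ha_uptime: int      # seconds since HA uptime was last reset
    priority: int       # "set priority", default 128
    serial: str         # assumption: the greater serial wins the last tie-break


def _cmp(x, y):
    return (x > y) - (x < y)


def _uptime_cmp(a, b):
    diff = a.ha_uptime - b.ha_uptime
    return 0 if abs(diff) <= UPTIME_TIE_SECONDS else _cmp(diff, 0)


def elect_primary(a, b, override):
    """Return (winning unit, deciding criterion) using the order from the post."""
    uptime = ("HA uptime", _uptime_cmp(a, b))
    priority = ("priority", _cmp(a.priority, b.priority))
    steps = [("monitored interfaces", _cmp(a.monitored_up, b.monitored_up))]
    steps += [priority, uptime] if override else [uptime, priority]
    steps.append(("serial number", _cmp(a.serial, b.serial)))
    for criterion, result in steps:
        if result:
            return (a if result > 0 else b), criterion
    return a, "identical"


# Constructed values: fw01 is the current master, fw02 has priority raised to 200.
fw01 = Unit("fw01", monitored_up=3, ha_uptime=90_000, priority=128, serial="SN-A")
fw02 = Unit("fw02", monitored_up=3, ha_uptime=80_000, priority=200, serial="SN-B")

if __name__ == "__main__":
    cases = {
        "override disabled": (fw01, fw02, False),
        "override enabled": (fw01, fw02, True),
        "override disabled, fw01 uptime reset": (replace(fw01, ha_uptime=0), fw02, False),
        "override disabled, fw01 loses port1": (replace(fw01, monitored_up=2), fw02, False),
    }
    for label, args in cases.items():
        winner, why = elect_primary(*args)
        print(f"{label}: {winner.name} (decided by {why})")
```

In the constructed case the uptime gap is above five minutes, so with override disabled the priority of 200 is never consulted. The model only computes the outcome of an election; it does not model when the cluster holds one.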
    kinmun
    Re: FG300D HA failover 2019/06/11 18:24:02 (permalink)
    My show sys ha is below.
    Override is disabled.
     
    IER2_FW01 # show system ha
    config system ha
    set group-name "GV-TIER2-FW-HA"
    set mode a-p
    set hbdev "mgmt1" 50 "mgmt2" 50
    set session-pickup enable
    set override disable
    set monitor "port1" "port2" "port3"
    end
     
    I have set the priority for the slave to 200 instead of the default of 128, but nothing changed.
    The master is still the one with the issue.
    Do I need to restart the FW?
    #4
    ede_pfau
    Re: FG300D HA failover 2019/06/12 05:23:23 (permalink)
    Just pull the cable on port1 (or port2, port3)  on the master unit, it's monitored. Cluster will fail over then.
    A failover needs an event to happen, changing the config is not sufficient.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #5
    hubertzw
    Re: FG300D HA failover 2019/06/12 15:19:18 (permalink)
    Resetting HA uptime should trigger the failover. It can be a bug; I didn't find anything for this version.
    #6
    kinmun
    Re: FG300D HA failover 2019/06/12 18:52:53 (permalink)
    Will try by unplugging the cables.
     
    In the meantime, I am also getting this error.
     
    Message meets Alert condition
    The following critical firewall event was detected: Heartbeat device interface down.
    date=2019-06-13 time=09:40:44 devname=GV_TIER2_FW02 devid=FGT3HD3916807905 logid=0108037901 type=event subtype=ha level=critical vd=root logdesc="Heartbeat device interface down" msg="Heartbeat device(interface) down" ha_role=slave hbdn_reason="neighbor-info-lost" devintfname="mgmt1"
     
     
    #7
    hubertzw
    Re: FG300D HA failover 2019/06/12 23:25:04 (permalink)
    Can you check the status of the heartbeat link? The failover can't be triggered because, from the primary's perspective, there is no available standby. I'm not sure what the status of the secondary is; without a heartbeat you may see split-brain, when both claim "I'm primary now". Do you have more heartbeat links, or only the one which doesn't work?
    #8
    ede_pfau
    Re: FG300D HA failover 2019/06/13 03:32:23 (permalink)
    You should definitely have 2 HA links. Always.
     
    Just check the HA cluster status. Only if it is OK you can initiate a failover.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #9
    kinmun
    Re: FG300D HA failover 2019/06/16 18:43:58 (permalink)
    On my dashboard, both master and slave are looking okay.
    But under system events, I am getting a lot of errors.
     
    Message meets Alert condition
    The following critical firewall event was detected: Virtual cluster member dead.
    date=2019-06-17 time=09:30:39 devname=GV_TIER2_FW02 devid=FGT3HD3916807905 logid=0108037893 type=event subtype=ha level=critical vd=root logdesc="Virtual cluster member dead" msg="Virtual cluster detected member dead" vcluster=1 ha_group=0 sn="FGT3HDMASTER"

    Message meets Alert condition
    The following critical firewall event was detected: Heartbeat device interface down.
    date=2019-06-17 time=09:30:39 devname=GV_TIER2_FW02 devid=FGTSLAVE logid=0108037901 type=event subtype=ha level=critical vd=root logdesc="Heartbeat device interface down" msg="Heartbeat device(interface) down" ha_role=slave hbdn_reason="neighbor-info-lost" devintfname="mgmt2"
     
    Message meets Alert condition
    The following critical firewall event was detected: Virtual cluster member joined.
    date=2019-06-17 time=09:26:42 devname=GV_TIER2_FW02 devid=FGT3HD395 logid=0108037894 type=event subtype=ha level=critical vd=root logdesc="Virtual cluster member joined" msg="Virtual cluster detected member join" vcluster=1 ha_group=0 sn="FGT3HD8573"  

    Message meets Alert condition
    The following critical firewall event was detected: Virtual cluster member dead.
    date=2019-06-17 time=09:26:42 devname=GV_TIER2_FW02 devid=FGT3HD395 logid=0108037893 type=event subtype=ha level=critical vd=root logdesc="Virtual cluster member dead" msg="Virtual cluster detected member dead" vcluster=1 ha_group=0 sn="FGT3HD39163"
     
     
     
    I have opened a ticket with Fortinet and was told to perform an HQIP test to confirm a hardware issue before doing an RMA.
    So I need to unplug cables from the master so that it will fail over to the slave unit.
     
    #10
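Added example (not from any poster and not Fortinet code): a Python parser for the key=value alert lines quoted in this thread that counts HA events and lists which heartbeat interfaces each device reported down, checked against the hbdev list from the posted config (mgmt1, mgmt2). The sample lines are constructed from the ones above with placeholder devid and sn values, and summarize_ha is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HB_DOWN_LOGID = "0108037901"  # "Heartbeat device interface down" in the thread

# Constructed sample modelled on the alerts quoted in the thread;
# devid and sn are placeholders, the last line is a made-up non-HA event.
SAMPLE = '''\
date=2019-06-13 time=09:40:44 devname=GV_TIER2_FW02 devid=DEVID-PLACEHOLDER logid=0108037901 type=event subtype=ha level=critical vd=root logdesc="Heartbeat device interface down" msg="Heartbeat device(interface) down" ha_role=slave hbdn_reason="neighbor-info-lost" devintfname="mgmt1"
date=2019-06-17 time=09:26:42 devname=GV_TIER2_FW02 devid=DEVID-PLACEHOLDER logid=0108037893 type=event subtype=ha level=critical vd=root logdesc="Virtual cluster member dead" msg="Virtual cluster detected member dead" vcluster=1 ha_group=0 sn="SN-PLACEHOLDER"
date=2019-06-17 time=09:26:42 devname=GV_TIER2_FW02 devid=DEVID-PLACEHOLDER logid=0108037894 type=event subtype=ha level=critical vd=root logdesc="Virtual cluster member joined" msg="Virtual cluster detected member join" vcluster=1 ha_group=0 sn="SN-PLACEHOLDER"
date=2019-06-17 time=09:30:39 devname=GV_TIER2_FW02 devid=DEVID-PLACEHOLDER logid=0108037901 type=event subtype=ha level=critical vd=root logdesc="Heartbeat device interface down" msg="Heartbeat device(interface) down" ha_role=slave hbdn_reason="neighbor-info-lost" devintfname="mgmt2"
date=2019-06-17 time=09:31:00 devname=GV_TIER2_FW02 type=event subtype=system level=information logdesc="Constructed non-HA event"
'''


def parse_line(line):
    """Split one key=value log line; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}


def summarize_ha(text, hbdevs):
    """Count HA events and list devices that reported every heartbeat link down."""
    events = Counter()
    hb_down = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "ha":
            continue  # ignore everything that is not an HA event
        events[rec.get("logdesc", "unknown")] += 1
        if rec.get("logid") == HB_DOWN_LOGID:
            hb_down[rec.get("devname")].add(rec.get("devintfname"))
    return {
        "events": dict(events),
        "hb_down": {dev: sorted(ifs) for dev, ifs in hb_down.items()},
        # Only "down" events are tracked; recovery events are not modelled.
        "all_hb_links_reported_down": sorted(
            dev for dev, ifs in hb_down.items() if set(hbdevs) <= ifs),
    }


if __name__ == "__main__":
    print(summarize_ha(SAMPLE, ["mgmt1", "mgmt2"]))
```

A device listed under all_hb_links_reported_down has logged a down event on every configured heartbeat interface, which is the situation the replies above say to rule out before forcing a failover.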