Support Forum
modgod
New Contributor

HA A-P Cluster causing Loopback

Hi Guys and Gals,

Having some difficulty working out what best practices are for multiple switches in a HA A-P cluster.

At site 1 we have the following setup:

https://imgur.com/bC2kNsT

At site 2 we have the following setup.

When I change site 1 to match site 2 we get a broadcast storm and another strange issue where the switch ports on the secondary FortiGate start giving DHCP/internet access; needless to say, things didn't work and we reverted to the original topology.

The only difference is that STP is turned on in the hardware switch settings for the FortiGate; other than that, everything else is the same. I've checked and I don't see a loop anywhere in the rack or on the floors. Why is this config that works at one site not working at another?

What is the best practice for an A-P cluster? If I have the switches connected like site 1, will clients connected to both switches retain network and internet access if the secondary FortiGate takes over?

orani
Contributor II

The site 1 image does not show up.

Orestis Nikolaidis

Network Engineer/IT Administrator

modgod
New Contributor

Click on the link please; I could not get it to display in the thread.

KPS
New Contributor III

Hi!

Did you configure the links to the switches on each FG as A/P-Bond, or did you just switch them?

modgod
New Contributor

The links to the switches on each FortiGate are just standard ports that are part of the hardware switch on the interfaces page.

How do I A/P bond them? Are you referring to creating a redundant interface?

Markus
Valued Contributor

Hi. In short, yes, the secondary will take over, depending on the configured monitors.

Best practice in A-P isn't to cross-cable the FortiGates.

https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-high-availability-52/HA_failover...

________________________________________________________
--- NSE 4 ---
________________________________________________________

KPS
New Contributor III

Hi!

I would always prefer redundant cabling. Using a failover-bond is easy and does not force a failover in case of a switch reboot...
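As an added example (not code from the thread or from Fortinet's documentation), this is the FortiOS CLI shape of the failover bond KPS describes: a redundant interface whose two members go to the two LAN switches, with only one member carrying traffic at a time, so the two uplinks are never bridged together the way member ports of a hardware switch are, plus an HA monitor on that interface so a dead uplink triggers failover. The port names, interface name, IP address and HA group name are assumptions.

```text
# Redundant (failover) interface: one member link is active, the other is
# standby. Unlike a hardware switch, traffic is not forwarded between the
# members, so cabling port3 to switch A and port4 to switch B cannot form a
# loop through the FortiGate. Apply the same config on both cluster members.
config system interface
    edit "lan-red"                       # assumed interface name
        set vdom "root"
        set type redundant
        set member "port3" "port4"       # assumed ports, one per LAN switch
        set ip 192.168.10.1 255.255.255.0  # constructed sample address
        set allowaccess ping
    next
end

# HA A-P with the redundant interface monitored: the cluster fails over only
# when every member of lan-red (or the WAN port) is down on the primary.
config system ha
    set group-name "site1-ha"            # assumed group name
    set mode a-p
    set hbdev "port5" 50                 # assumed dedicated heartbeat port
    set monitor "lan-red" "wan1"
end
```

Because a single switch reboot only takes down one member of lan-red, the primary keeps forwarding on the other member and no HA failover is forced.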

modgod
New Contributor

Could you give a diagram of this redundant cabling? When I cable things as per the Fortinet diagram I get a loopback.

modgod
New Contributor

Bump. I've been trying to get this question answered on and off for a year now; every time I pose the question, on the Fortinet forums, Reddit Fortinet or elsewhere, I get a flurry of b advice, then silence. Surely this can't be that complicated?
modgod
New Contributor

Thanks for the diagram. Can you explain the purpose of the third switch on the LAN side, closest to the host machines?

So should I be putting a small switch in between each FortiGate and our main LAN switch? How do I connect a second LAN switch in this case?

I need two switches here as we have more than 48 patch ports to link up.
