HA A-P Cluster causing Loopback

Author
modgod
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/07/23 04:14:56
  • Status: offline
2019/08/21 19:32:23 (permalink)
0

HA A-P Cluster causing Loopback

Hi Guys and Gals,
 
Having some difficulty working out what best practices are for multiple switches in a HA A-P cluster.
 
At site 1 we have the following setup
 
https://imgur.com/bC2kNsT
 
At site 2 we have the following setup.

 
When I change site 1 to match site 2 we get a broadcast storm and another strange issue where the switch ports on the secondary FortiGate start giving DHCP/internet access. Needless to say, things didn't work and we reverted to the original topology.
 
The only difference is STP is turned on in the hardware switch settings for the FortiGate; other than that everything else is the same. I've checked and I don't see a loop anywhere in the rack or on the floors. Why is this config that works at one site not working at another?
 
What is the best practice for an A-P cluster? If I have the switches connected like site 1, will clients connected to both switches retain network and internet access if the secondary FortiGate takes over?
post edited by modgod - 2019/08/21 19:47:33
#1


    orani
    Silver Member
    • Total Posts : 91
    • Scores: 1
    • Reward points: 0
    • Joined: 2019/07/11 12:54:18
    • Location: Athens
    • Status: offline
    Re: HA A-P Cluster causing Loopback 2019/08/21 21:24:58 (permalink)
    0
    Site 1 image does not show up
    #2
    KPS
    Silver Member
    • Total Posts : 91
    • Scores: 1
    • Reward points: 0
    • Joined: 2017/03/08 05:40:39
    • Status: online
    Re: HA A-P Cluster causing Loopback 2019/08/21 23:41:37 (permalink)
    0
    Hi!
     
    Did you configure the links to the switches on each FG as A/P-Bond, or did you just switch them?
    #3
    Markus
    Gold Member
    • Total Posts : 196
    • Scores: 24
    • Reward points: 0
    • Joined: 2015/03/19 07:30:23
    • Location: Switzerland
    • Status: offline
    Re: HA A-P Cluster causing Loopback 2019/08/21 23:52:39 (permalink)
    0
    Hi
    In short, yes, the secondary will take over, depending on the configured monitors.
     
    Best practice in A-P isn't to cross-cable the FortiGates.
     
    https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-high-availability-52/HA_failover.htm
     
     
     

    Attached Image(s)

    #4
    KPS
    Silver Member
    • Total Posts : 91
    • Scores: 1
    • Reward points: 0
    • Joined: 2017/03/08 05:40:39
    • Status: online
    Re: HA A-P Cluster causing Loopback 2019/08/21 23:56:22 (permalink)
    0
    Hi!
     
    I would always prefer redundant cabling. Using a failover-bond is easy and does not force a failover in case of a switch-reboot...
    #5
    modgod
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/07/23 04:14:56
    • Status: offline
    Re: HA A-P Cluster causing Loopback 2019/08/22 02:13:20 (permalink)
    0
    Click on the link please, I could not get it to display in the thread.
    #6
    modgod
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/07/23 04:14:56
    • Status: offline
    Re: HA A-P Cluster causing Loopback 2019/08/22 02:15:08 (permalink)
    0
    The links to the switches on each FortiGate are just standard ports that are part of the hardware switch on the interfaces page.
     
    How do I AP bond them? Are you referring to creating a redundant interface?
     
     
    #7
    modgod
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/07/23 04:14:56
    • Status: offline
    Re: HA A-P Cluster causing Loopback 2019/08/22 02:19:15 (permalink)
    0
    Thanks for the diagram. Can you explain the purpose of the third switch on the LAN side closest to the host machines?
     
    So should I be putting a small switch in between each FortiGate and our main LAN switch? How do I connect a second LAN switch in this case?
     
    I need two switches here as we have more than 48 patch ports to link up.
     
    #8
    modgod
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/07/23 04:14:56
    • Status: offline
    Re: HA A-P Cluster causing Loopback 2019/08/22 03:35:02 (permalink)
    0
    Could you give a diagram of this redundant cabling? When I cable things as per the Fortinet diagram I get a loopback.
     
    #9
    modgod
    New Member
    • Total Posts : 9
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/07/23 04:14:56
    • Status: offline
    Re: HA A-P Cluster causing Loopback 2019/08/23 01:09:58 (permalink)
    0
    Bump, been trying to get this question answered on and off for a year now. Every time I pose the question, on Fortinet forums, Reddit Fortinet or elsewhere, I get a flurry of b advice then silence.

     

    Surely this can't be that complicated?
    post edited by modgod - 2019/08/23 01:11:42
    #10