Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nbctcp
New Contributor III

Created on ‎12-18-2019 03:29 PM

HA A-A link not failover

  FW1 and FW2 HA A-A   SW INFO: -VM 6.2.2 Trial License on Eve-NG Community Nov 2019   FW1 & FW2: Because HA then FW2 Slave has the same ip config as FW1 Master config system interface     edit "port1"         set vdom "root"         set ip 10.0.1.11 255.255.255.0         set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap         set type physical         set description "WAN1"         set snmp-index 1     next     edit "port2"         set vdom "root"         set ip 10.0.2.2 255.255.255.0         set allowaccess ping         set type physical         set description "WAN2"         set snmp-index 2     next     edit "port3"         set vdom "root"         set ip 10.0.3.1 255.255.255.0         set allowaccess ping         set type physical         set description "DMZ"         set snmp-index 3     next     edit "port4"         set vdom "root"         set ip 10.0.4.1 255.255.255.0         set allowaccess ping ssh http fgfm         set type physical         set description "LAN1"         set snmp-index 4     next     edit "port5"         set type physical         set description "HEARTBEAT"         set snmp-index 5 end config system ha     set group-name "HA"     set mode a-a     set password password     set hbdev "port5" 0     set session-pickup enable     set override disable     set monitor "port1"     set load-balance-all enable end

config system link-monitor edit "1" set srcintf "port1" set server "8.8.8.8" set gateway-ip 10.0.1.2 set failtime 2 next end

  FW1 # get system ha status HA Health Status: OK Model: FortiGate-VM64-KVM Mode: HA A-A Master: FW1             , FGVMEVOZCSOR5P1B, HA cluster index = 0 Slave : FW2             , FGVMEVNROOBQ8U57, HA cluster index = 1   PROBLEM1: -link from FW1 port1 to Switch G0/1 shutdown RESULT:  ping from PC1 to 8.8.8.8 down master not failover from FW1   PROBLEM2: -link from FW1 port to Switch G0/1 up -FW1 port1 status down RESULT: ping from PC1 to 8.8.8.8 down master not failover from FW1   QUESTIONS:

[ol]
  • what do I miss there[/ol]

    UPDATE1: -if link from master to internet down, all traffic from both FW1 and FW2 down it seems link or port monitoring not working at all

    • http://goo.gl/lhQjmU
    http://nbctcp.wordpress.com

     

    http://goo.gl/lhQjmUhttp://nbctcp.wordpress.com
    Preview file
    24 KB
    3495
    0 Kudos
    4 REPLIES 4
    nbctcp
    New Contributor III

    Created on ‎01-08-2020 01:23 AM

    I make it working after change a bit This part is important set pingserver-flip-timeout 6

    config system ha set group-id 10 set group-name HA set mode a-a set password admin set hbdev port6 0 set session-pickup enable set link-failed-signal enable set override disable set monitor port1 set pingserver-monitor-interface port1 set pingserver-flip-timeout 6 set load-balance-all enable end config system link-monitor edit “1" set srcintf “port1" set server “8.8.8.8" next end

    http://goo.gl/lhQjmU
    http://nbctcp.wordpress.com

     

    http://goo.gl/lhQjmUhttp://nbctcp.wordpress.com
    2151
    0 Kudos
    ede_pfau
    SuperUser
    SuperUser
    In response to nbctcp

    Created on ‎01-08-2020 02:11 AM

    I think this

    set pingserver-monitor-interface port1
    is the important setting. You've set up a ping-server but in the default config the server port is not set. "monitor-interface" only checks for link status which (in a switch environment) usually is insufficient for monitoring.

     

    set pingserver-flip-timeout 6
    prevents the cluster from flapping, i.e., failing over too quickly. It improves cluster stability.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    Ede"Kernel panic: Aiee, killing interrupt handler!"
    2173
    0 Kudos
    nbctcp
    New Contributor III
    In response to ede_pfau

    Created on ‎01-10-2020 01:38 AM

    Hi ede,

    I am not clear on "default config the server port is not set"

    My goal only check whether the link to ISP is on or off

    If off then failover I didn't set monitoring toward internal.

     

    I set "pingserver-flip-timeout 6" because sometime if ISP link down, it didn't failover.

    That's why I set to 6 minutes. by default is 2 hours.

    6 minutes is the smallest possible

     

    ede_pfau wrote:

    I think this

    set pingserver-monitor-interface port1
    is the important setting. You've set up a ping-server but in the default config the server port is not set. "monitor-interface" only checks for link status which (in a switch environment) usually is insufficient for monitoring.

     

    set pingserver-flip-timeout 6
    prevents the cluster from flapping, i.e., failing over too quickly. It improves cluster stability.

    pingserver-flip-timeout 6

    http://goo.gl/lhQjmU
    http://nbctcp.wordpress.com

     

    http://goo.gl/lhQjmUhttp://nbctcp.wordpress.com
    2173
    0 Kudos
    ede_pfau
    SuperUser
    SuperUser
    In response to nbctcp

    Created on ‎01-10-2020 11:15 AM

    What I commented on is:

    - you first set up a pingserver with "config sys link-monitor"

    - then, in "config sys ha", you specify which port to observe for remote target monitoring with "set pingserver-monitor-interface". This is the setting which is crucial for using a pingserver.

    And by default no port is specified - you have to do that explicitly.

     

    - the setting "config sys ha / set pingserver-flip-timeout" helps to accelerate a fall-back after a remote pingserver failed and the cluster failed over. But it is not essential.


    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    Ede"Kernel panic: Aiee, killing interrupt handler!"
    2151
    0 Kudos
    Labels
    Top Kudoed Authors
    View all
    Broad. Integrated. Automated.

    The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

    Social Media
    Security Research
    Company
    News & Articles
    Contact Us

    Copyright 2024 Fortinet, Inc. All Rights Reserved.