FW1 and FW2 HA A-A SW INFO:
- VM 6.2.2 Trial License on Eve-NG Community, Nov 2019

FW1 & FW2: because of HA, FW2 (Slave) has the same IP config as FW1 (Master).

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.1.11 255.255.255.0
        set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response capwap
        set type physical
        set description "WAN1"
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 10.0.2.2 255.255.255.0
        set allowaccess ping
        set type physical
        set description "WAN2"
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 10.0.3.1 255.255.255.0
        set allowaccess ping
        set type physical
        set description "DMZ"
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set ip 10.0.4.1 255.255.255.0
        set allowaccess ping ssh http fgfm
        set type physical
        set description "LAN1"
        set snmp-index 4
    next
    edit "port5"
        set type physical
        set description "HEARTBEAT"
        set snmp-index 5
    next
end

config system ha
    set group-name "HA"
    set mode a-a
    set password password
    set hbdev "port5" 0
    set session-pickup enable
    set override disable
    set monitor "port1"
    set load-balance-all enable
end
config system link-monitor
    edit "1"
        set srcintf "port1"
        set server "8.8.8.8"
        set gateway-ip 10.0.1.2
        set failtime 2
    next
end
FW1 # get system ha status
HA Health Status: OK
Model: FortiGate-VM64-KVM
Mode: HA A-A
Master: FW1 , FGVMEVOZCSOR5P1B, HA cluster index = 0
Slave : FW2 , FGVMEVNROOBQ8U57, HA cluster index = 1

PROBLEM1:
- link from FW1 port1 to Switch G0/1 shutdown
RESULT: ping from PC1 to 8.8.8.8 down, master did not fail over from FW1

PROBLEM2:
- link from FW1 port to Switch G0/1 up
- FW1 port1 status down
RESULT: ping from PC1 to 8.8.8.8 down, master did not fail over from FW1

QUESTIONS:
UPDATE1:
- if the link from the master to the internet is down, all traffic from both FW1 and FW2 is down
- it seems link or port monitoring is not working at all
I made it work after changing things a bit. This part is important:

    set pingserver-flip-timeout 6
config system ha
    set group-id 10
    set group-name HA
    set mode a-a
    set password admin
    set hbdev port6 0
    set session-pickup enable
    set link-failed-signal enable
    set override disable
    set monitor port1
    set pingserver-monitor-interface port1
    set pingserver-flip-timeout 6
    set load-balance-all enable
end

config system link-monitor
    edit "1"
        set srcintf "port1"
        set server "8.8.8.8"
    next
end
I think this

    set pingserver-monitor-interface port1

is the important setting. You've set up a ping-server, but in the default config the server port is not set. "monitor-interface" only checks for link status, which (in a switch environment) usually is insufficient for monitoring.

    set pingserver-flip-timeout 6

prevents the cluster from flapping, i.e., failing over too quickly. It improves cluster stability.
Hi ede,

I am not clear on "default config the server port is not set".
My goal is only to check whether the link to the ISP is on or off.
If it is off, then fail over. I didn't set monitoring toward internal.
I set "pingserver-flip-timeout 6" because sometimes, if the ISP link went down, it didn't fail over.
That's why I set it to 6 minutes; by default it is 2 hours.
6 minutes is the smallest possible.
ede_pfau wrote:
I think this

    set pingserver-monitor-interface port1

is the important setting. You've set up a ping-server, but in the default config the server port is not set. "monitor-interface" only checks for link status, which (in a switch environment) usually is insufficient for monitoring.

    set pingserver-flip-timeout 6

prevents the cluster from flapping, i.e., failing over too quickly. It improves cluster stability.
pingserver-flip-timeout 6
What I commented on is:
- you first set up a pingserver with "config sys link-monitor"
- then, in "config sys ha", you specify which port to observe for remote target monitoring with "set pingserver-monitor-interface". This is the setting which is crucial for using a pingserver. And by default no port is specified - you have to do that explicitly.
- the setting "config sys ha / set pingserver-flip-timeout" helps to accelerate a fall-back after a remote pingserver failed and the cluster failed over. But it is not essential.
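As an added illustration (not from this thread or from Fortinet), a small Python lint that parses FortiOS CLI text and flags the gap ede_pfau describes: a link-monitor whose srcintf is not named in "set pingserver-monitor-interface". The two sample configs are constructed from the ones posted above, and parse_fortios / ha_monitor_findings are my own names.

```python
import shlex

# Constructed sample modelled on the thread's first FW1 config: a link-monitor exists,
# but 'config system ha' never names it through pingserver-monitor-interface.
ORIGINAL = """\
config system ha
    set monitor "port1"
end
config system link-monitor
    edit "1"
        set srcintf "port1"
        set server "8.8.8.8"
    next
end
"""
# Constructed: the same config plus the two settings the thread found decisive.
FIXED = ORIGINAL.replace('    set monitor "port1"\n', '    set monitor "port1"\n'
    '    set pingserver-monitor-interface "port1"\n    set pingserver-flip-timeout 6\n')

def parse_fortios(text):
    """Nest config/edit ... next/end blocks as dicts; 'set k v...' becomes k: [v...]."""
    root = node = {}
    stack = []
    # shlex honours the CLI's quoted values; filter drops blank lines
    for words in filter(None, map(shlex.split, text.splitlines())):
        kw, args = words[0], words[1:]
        if kw in ("config", "edit"):      # open a block keyed by its name
            stack.append(node)
            node = node.setdefault(" ".join(args), {})
        elif kw in ("end", "next"):       # close the innermost block
            node = stack.pop()
        elif kw == "set":
            node[args[0]] = args[1:]
    return root

def ha_monitor_findings(text):
    """List the gaps; an empty list means a remote (pingserver) failure can drive failover."""
    cfg = parse_fortios(text)
    ha = cfg.get("system ha", {})
    remote_ports = set(ha.get("pingserver-monitor-interface", []))
    findings = []
    if not ha.get("monitor"):
        findings.append("system ha: no 'set monitor', so a port link failure cannot trigger failover")
    for name, lm in cfg.get("system link-monitor", {}).items():
        src, server = lm.get("srcintf", ["?"])[0], lm.get("server", ["?"])[0]
        if src not in remote_ports:
            findings.append(f"link-monitor {name}: {src} is not in 'set pingserver-monitor-interface', "
                            f"so losing reachability to {server} will not trigger failover")
    return findings
```

Run ha_monitor_findings over a "show full-configuration" dump before a failover test; the ORIGINAL sample reports one finding and FIXED reports none.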