HA cluster A/P WAN failover

Author
scerazy
Gold Member
  • Total Posts : 193
  • Scores: 2
  • Reward points: 0
  • Joined: 2009/12/22 14:09:01
  • Status: offline
2020/10/14 10:55:21 (permalink)
0

HA cluster A/P WAN failover

2x 300E in HA cluster with BGP, dedicated direct fibre for HA Heartbeat between units, each unit with WAN (active/passive provided by same ISP)
 
What do I need to configure for the WAN failover to work?
 
For now I want to tackle the WAN itself: if the primary unit's active WAN link fails, how do I get all traffic routed to the secondary unit's WAN?
 
Seb
#1

5 Replies

    lobstercreed
    Platinum Member
    • Total Posts : 320
    • Scores: 37
    • Reward points: 0
    • Joined: 2018/11/28 14:57:58
    • Location: Sedalia, MO
    • Status: offline
    Re: HA cluster A/P WAN failover 2020/10/14 12:41:13 (permalink)
    0
    If you have two different WAN connections (you mentioned different routing) then you need twice that number of physical connections to the firewall (put a $20 dumb switch in between).  So WAN from ISP1 (or since same ISP, let's say connections A and B) goes to wan1 and connection B/ISP2 goes to wan2 on EACH firewall.  Anything else does not work with HA cluster.  Connectivity on the firewalls should always be identical, and each WAN connection should be monitored as a condition for failover.
    #2
    scerazy
    Gold Member
    Re: HA cluster A/P WAN failover 2020/10/14 13:25:26 (permalink)
    0
    I do have a VSF stack of 2 switches (not that cheap) between each Fortigate and each ISP router
    FTG1 -> switch stack - ISP router 1
    FTG2 -> switch stack - ISP router 2
     
    In normal condition FTG1 is primary, ISP router 1 is active & default
     
    I can monitor active connection, but I see no way to monitor passive connection
 
    #3
    lobstercreed
    Platinum Member
    Re: HA cluster A/P WAN failover 2020/10/15 04:11:32 (permalink)
    0
    As I said, you need to double your connections so the connectivity is the SAME on both FortiGates.  You need it to look like this instead:
     
    FTG1, wan1 -> switch stack - VLAN for ISP router 1
    FTG2, wan1 -> switch stack - VLAN for ISP router 1
    FTG1, wan2 -> switch stack - VLAN for ISP router 2
    FTG2, wan2 -> switch stack - VLAN for ISP router 2
     
    You obviously don't need to double the connections going to the ISP router (probably can't) which is why I said VLAN for....  Basically you have one port on your switch to the ISP router 1 and then 2 ports to the 2 FGTs.  Same thing with ISP router 2.  6 ports on your switch, in total.
    #4
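    The "monitor each WAN connection as a condition for failover" advice in #2 and the symmetrical wan1/wan2 cabling in #4 map onto two separate FortiOS mechanisms: HA interface/remote-link monitoring (decides whether the *unit* fails over) and link monitoring tied to route preference (decides which *WAN* carries traffic). The following CLI fragment is an added illustration, not configuration from this thread or from Fortinet; it assumes FortiOS 6.x CLI syntax, the interface names wan1/wan2 from the thread, constructed RFC 5737 addresses for the two ISP routers, and plain static default routes in place of the BGP setup the original poster mentioned. The `#` lines are annotations for the reader and are not accepted by the FortiOS CLI.

    ```text
    config system ha
        # Interface monitoring: loss of link on wan1 or wan2 on the primary
        # makes the cluster fail over to the secondary, which is cabled identically
        set monitor "wan1" "wan2"
        # Remote link monitoring: the link-monitor entries below that carry an
        # ha-priority also count as HA failover conditions. 0 is the default
        # threshold and is assumed here to mean any monitored failure is enough.
        set pingserver-monitor-interface "wan1" "wan2"
        set pingserver-failover-threshold 0
        set pingserver-slave-force-reset enable
    end

    config system link-monitor
        edit "mon-wan1"                    # constructed name
            set srcintf "wan1"
            set server "192.0.2.1"         # constructed: ISP router 1 next hop
            set protocol ping
            set failtime 5                 # consecutive misses before "down"
            set recoverytime 5             # consecutive replies before "up"
            set ha-priority 10             # participate in HA remote link failover
            set update-static-route enable # withdraw wan1 routes while down
        next
        edit "mon-wan2"                    # constructed name
            set srcintf "wan2"
            set server "198.51.100.1"      # constructed: ISP router 2 next hop
            set protocol ping
            set failtime 5
            set recoverytime 5
            set ha-priority 10
            set update-static-route enable
        next
    end

    config router static
        # Preferred default route via ISP router 1; the lower distance wins
        edit 1
            set gateway 192.0.2.1
            set device "wan1"
            set distance 10
        next
        # Backup default route via ISP router 2; only installed once the
        # wan1 route has been withdrawn by mon-wan1
        edit 2
            set gateway 198.51.100.1
            set device "wan2"
            set distance 20
        next
    end
    ```

    With both units cabled to both VLANs as in #4, a dead ISP router 1 is seen by the link monitor on whichever unit is primary, the wan1 default route is withdrawn and traffic moves to wan2 without an HA failover; a dead wan1 *port* on the primary only is caught by interface monitoring and moves the whole cluster to the secondary. Keeping the two mechanisms separate is what avoids the situation in #3, where the passive unit's WAN could not be monitored at all.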
    scerazy
    Gold Member
    Re: HA cluster A/P WAN failover 2020/10/15 05:09:55 (permalink)
    0
    OK, so the dual connectivity from each FTG would be for the purpose of only a WAN link failing, not an actual FTG unit failing itself (because the HA cluster can be quite happy itself), right?
     
    Seb
    #5
    lobstercreed
    Platinum Member
    Re: HA cluster A/P WAN failover 2020/10/15 08:45:20 (permalink)
    0
    I'm not quite sure what you're asking.  I assume that's why you have two WAN connections, yes, in case one of them fails.  And the reason you have two FGTs is in case one of *them* fails.  Since you have both, you could now have 1 of each fail and still have no impact to service.  Anytime you throw HA firewalls in place you need to make sure each one has the same connectivity to all networks or it's not really HA and it won't work.
     
    Now you'll need to consider the impact of the failure of one of your VSF switches as well, or that becomes a single point of failure.  Most likely you'd do 1 WAN to each switch and then make both connections (to FGT1 and FGT2) from that same switch.  So the WAN connected to each switch becomes reliant on that switch, and if say switch A fails at the same time that WAN B fails, you're SOL because working WAN A can't talk to either FGT although both FGTs can talk to broken WAN B.  There's always some combination that can break things, but you can think through the different scenarios and consider what's more likely under your circumstances (unreliable ISP, old gear, etc).
     
    Hope that helps!  - Daniel
    #6