Troubleshooting HA clusters

Troubleshooting HA clusters

This section describes some HA clustering troubleshooting techniques.

 

Ignoring hardware revisions

Some FortiGate platforms have gone through multiple hardware versions. In some cases the hardware changes between versions have meant that by default you cannot form a cluster if the FortiGate units in the cluster have different hardware versions. If you run into this problem you can use the following command on each FortiGate unit to cause the cluster to ignore different hardware versions:

execute ha ignore-hardware-revision {disable | enable | status}

This command is only available on FortiGate units that have had multiple hardware revisions. By default the command is set to prevent FortiOS from forming clusters between FortiGate units with different hardware revisions. You can enable this command to be able to create a cluster consisting of FortiGate units with different hardware revisions. Use the status option to verify the whether ignoring hardware revisions is enabled or disabled.

Affected models include but are not limited to:

  • FortiGate-100D l  FortiGate-300C l  FortiGate-600C
  • FortiGate-800C
  • FortiGate-80C and FortiWiFi-80C
  • FortiGate-60C

 

Before you set up a cluster

Before you set up a cluster ask yourself the following questions about the FortiGate units that you are planning to use to create a cluster.

1. Do all the FortiGate units have the same hardware configuration? Including the same hard disk configuration and the same AMC cards installed in the same slots?

2. Do all FortiGate units have the same firmware build?

3. Are all FortiGate units set to the same operating mode (NAT or Transparent)?

4. Are all the FortiGate units operating in single VDOM mode?

5. If the FortiGate units are operating in multiple VDOM mode do they all have the same VDOM configuration?

In some cases you may be able to form a cluster if different FortiGate units have dif- ferent firmware builds, different VDOM configurations, and are in different operating modes. However, if you encounter problems they may be resolved by installing the same firmware build on each unit, and give them the same VDOM configuration and operating mode.

 

Troubleshooting the initial cluster configuration

This section describes how to check a cluster when it first starts up to make sure that it is configured and operating correctly. This section assumes you have already configured your HA cluster.

 

To verify that a cluster can process traffic and react to a failure

1. Add a basic security policy configuration and send network traffic through the cluster to confirm connectivity.

For example, if the cluster is installed between the Internet and an internal network, set up a basic internal to external security policy that accepts all traffic. Then from a PC on the internal network, browse to a website on the Internet or ping a server on the Internet to confirm connectivity.

2. From your management PC, set ping to continuously ping the cluster, and then start a large download, or in some other way establish ongoing traffic through the cluster.

3. While traffic is going through the cluster, disconnect the power from one of the cluster units.

You could also shut down or restart a cluster unit. Traffic should continue with minimal interruption.

4. Start up the cluster unit that you disconnected.

The unit should re-join the cluster with little or no affect on traffic.

5. Disconnect a cable for one of the HA heartbeat interfaces.

The cluster should keep functioning, using the other HA heartbeat interface.

6. If you have port monitoring enabled, disconnect a network cable from a monitored interface.

Traffic should continue with minimal interruption.

 

 

To verify the cluster configuration – web-based manager

1. Log into the cluster web-based manager.

2. Check the system dashboard to verify that the System Information widget displays all of the cluster units.

3. Check the cluster member graphic to verify that the correct cluster unit interfaces are connected.

4. Go to System > HA and verify that all of the cluster units are displayed on the cluster members list.

5. From the cluster members list, edit the primary unit (master) and verify the cluster configuration is as expected.

 

To troubleshoot the cluster configuration – web-based manager

1. Connect to each cluster unit web-based manager and verify that the HA configurations are the same.

2. To connect to each web-based manager, you may need to disconnect some units from the network to connect to the other if the units have the same IP address.

3. If the configurations are the same, try re-entering the cluster Password on each cluster unit in case you made an error typing the password when configuring one of the cluster units.

4. Check that the correct interfaces of each cluster unit are connected.

Check the cables and interface LEDs.

Use the Unit Operation dashboard widget, system network interface list, or cluster members list to verify that each interface that should be connected actually is connected.

If Link is down re-verify the physical connection. Try replacing network cables or switches as required.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiOS 5.4 Handbook and tagged , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.