1+1 fast failover between FortiGate WiFi controllers

1+1 fast failover between FortiGate WiFi controllers

The following shows a simple network topology for this recipe. The primary and secondary FortiGates should reach the FortiAP at the physical level:

The following takes place in the event of a failover:

  1. The primary FortiGate syncs the wireless configuration to the secondary FortiGate.
  2. If the primary FortiGate fails, the secondary FortiGate takes over management of the FortiAP. The client can still connect with the SSID from the FortiAP and pass traffic.
  3. When the primary FortiGate is back online, it returns to managing the FortiAP.

In the CLI samples below, the primary FortiGate has an IP address of 10.43.1.80, while the secondary FortiGate has an IP address of 10.43.1.62.

To configure the primary FortiGate:

config wireless-controller inter-controller set inter-controller mode 1+1 set inter-controller key 123456 config inter-controller-peer edit 1 set peer-ip 10.43.1.62 set peer-priority secondary

next

end

To configure the secondary FortiGate:

config wireless-controller inter-controller set inter-controller mode 1+1 set inter-controller key 123456 set inter-controller-pri secondary config inter-controller-peer edit 1 set peer-ip 10.43.1.80

next

end

To run diagnose commands:

  1. On the primary FortiGate, run the diag wireless-controller wlac -c ha The output should resemble the following:

WC fast failover info cfg iter: 1 (age=17995, size=220729, fp=0x5477e28) dhcpd_db iter: 123 (age=132, size=1163, fp=0x5435930) dhcpd_ipmac iter: 123 (age=132, size=2860, fp=0x587d848) mode: 1+1-ffo pri: primary

key csum: 0x9c99 max: 10 wait: 10 peer cnt: 1

FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)

  1. On the secondary FortiGate, run the diag wireless-controller wlac -c ha The output should resemble the following: WC fast failover info mode: 1+1-ffo status: monitoring pri: secondary key csum: 0x9c99 max: 10 wait: 10 peer cnt: 1

FWF60E4Q16027198: 10.43.1.62:5245 secondary UP (age=0)

This entry was posted in Administration Guides, FortiAP, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “1+1 fast failover between FortiGate WiFi controllers

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.