Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nvisentin_FTNT
Staff
Staff

Created on ‎04-23-2015 02:35 AM

Article Id 190944

Technical Note: FortiController Active-Passive HA behavior in a single chassis

Description
This article describes how the Active-Passive HA behaves on FortiController blades in a single chassis.

HA override (set override enable) can be configured in order to modify this behavior.

Scope
High Availability.

Solution
HA override disable.

This is the default setting.

The master unit election is based on "connected interfaces" > Age > Device Priority > Serial Number. If the original master fails and comes back in the cluster, it is expected to join as a slave. However, if the age (also called HA uptime) is less than 150 seconds, it will be ignored and the election will be based on priority then Serial Number.

This can be illustrated by the following example:

Unit A : preferred master, priority 250
Unit B : preferred slave, priority 128

T = 0 sec : A and B are just booted (all interfaces are connected).  HA uptime is less than 150 sec, the election of the master is based on the priority.  A is the master; B is the slave.

T = 120 sec : one or several interfaces are disconnected on A.  B becomes the new master.

T = 160 sec : interfaces are reconnected on A.  HA uptime of B is less than 150 sec, so A becomes the master (A's priority > B's priority).

T = 300 sec : one or several interfaces are disconnected on A.  B becomes the new master.

T = 600 sec : interfaces are reconnected on A.  HA uptime of B is greater than 150 sec so B keeps the master role.

HA override enable.

With override enable, the priority takes precedence over HA uptime. Selecting override enable can cause the cluster to negotiate more often, potentially disrupting traffic.

This can be illustrated by the following example:

Unit A : preferred master, priority 250, override enable
Unit B : preferred slave, priority 128, override enable

T = 0 sec : A and B are just booted (all interfaces are connected).  The election of the master is based on the priority.  A is the master; B is the slave.

T = 120 sec : one or several interfaces are disconnected on A.  B becomes the new master.

T = 160 sec : interfaces are reconnected on A.  A becomes the master (A's priority > B's priority).

T = 300 sec : one or several interfaces are disconnected on A.  B becomes the new master.

T = 600 sec : interfaces are reconnected on A.  A becomes the master regardless of the HA uptime (A's priority > B's priority).

Troubleshooting commands.

The following command can be use to verify HA status:

FT # diag sys ha status  

Labels:
1838
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.