FortiGate
sagha
Staff
Article Id 192119
Description
This article describes why HA between two FortiGate-3400E/3401E units does not work.

Scope
For version 6.2.3.

Solution
When using FortiOS 6.2.3 and configuring Heartbeat interfaces as HA1 and HA2 on FortiGate-3400E/3401E, the HA sync may not work, and units might not be able to form HA.

## HA config ##
# config system ha
    set group-id 21
    set group-name "group-1"
    set mode a-p
    set password ENC xx
    set hbdev "ha1" 10 "ha2" 0
    set encryption enable
    set authentication enable
    set session-pickup enable
    set session-pickup-connectionless enable
    set ha-mgmt-status enable
    # config ha-mgmt-interfaces
        edit 1
            set interface "mgmt1"
            set gateway 172.10.10.12
        next
    end
    set override disable
    set priority 250
    set ha-direct enable
end
Enable HA debugs to check this further.
# diag debug reset
# diag debug application hasync -1
# diag debug application hatalk -1
# diag debug enable
The debug output shows the following errors:
<hasync:WARN> conn=0x1c14fd20 dst=169.254.0.1 sync_type=3(fib) expired/now/timeo=1143336/1143337/5 flag =0x0 buf_cnt=1 retries=0 state=1 cur_w_pos=0 cur_r_pos=0
<hasync:WARN> conn=0x1c14fd20 abort: rt=-2, dst=169.254.0.1, sync_type=3(fib)
<hasync:WARN> Error = Network is unreachable
<hasync:WARN> [toconnect_timer_func:651] conn=0x1c14fd20 to-connect timeout, dst=169.254.0.1
<hasync:WARN> [toconnect_timer_func:651] conn=0x1c14d5e0 to-connect timeout, dst=169.254.0.1
<hasync:WARN> [ha_udp_write_all] sendto(169.254.0.63) faild: 101(Network is unreachable). sync_type=21, buffer_len=29
Solution.
This is known issue 588908 for FortiGate-3400E/3401E running FortiOS version 6.2.3. Using the HA interfaces as hbdev causes this issue.

It is listed as a known issue in the FortiOS 6.2.3 release notes:
https://docs.fortinet.com/document/fortigate/6.2.3/fortios-release-notes/236526/known-issues

In order to fix this issue, two solutions can be used:

1) Avoid using the HA1 and HA2 interface as hbdev in the HA config.

2) The issue has been resolved in FortiOS 6.2.4; upgrading to this version fixes it.
https://docs.fortinet.com/document/fortigate/6.2.4/fortios-release-notes/289806/resolved-issues
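The check described above can be run offline against saved output. The following is an added example, not Fortinet code: it parses a saved HA config and hasync debug capture and reports whether they match the symptom in this article (hbdev on ha1/ha2 plus "Network is unreachable" toward the heartbeat peer). The function names and sample text are assumptions built from the lines shown above, and the script does not check the model or FortiOS version.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the config and debug lines in this article.
SAMPLE_CONFIG = '''config system ha
    set mode a-p
    set hbdev "ha1" 10 "ha2" 0
end'''
SAMPLE_DEBUG = '''<hasync:WARN> conn=0x1c14fd20 abort: rt=-2, dst=169.254.0.1, sync_type=3(fib)
<hasync:WARN> Error = Network is unreachable
<hasync:WARN> [toconnect_timer_func:651] conn=0x1c14fd20 to-connect timeout, dst=169.254.0.1
<hasync:WARN> [ha_udp_write_all] sendto(169.254.0.63) faild: 101(Network is unreachable). sync_type=21, buffer_len=29'''

AFFECTED_HBDEV = {"ha1", "ha2"}  # heartbeat interfaces named in the article

def heartbeat_devices(config_text):
    """Return {interface: priority} from the 'set hbdev' line of 'config system ha'."""
    m = re.search(r'^\s*set hbdev\s+(.*)$', config_text, re.MULTILINE)
    if not m:
        return {}
    return {name: int(prio) for name, prio in re.findall(r'"([^"]+)"\s+(\d+)', m.group(1))}

def unreachable_peers(debug_text):
    """Count hasync warnings per peer address that indicate a failed connection."""
    hits = Counter()
    for line in debug_text.splitlines():
        if not line.startswith("<hasync:WARN>"):
            continue
        if "to-connect timeout" in line or "abort:" in line or "Network is unreachable" in line:
            m = re.search(r'(?:dst=|sendto\()(\d+\.\d+\.\d+\.\d+)', line)
            if m:  # lines without an address (e.g. "Error = ...") are not counted
                hits[m.group(1)] += 1
    return hits

def matches_known_issue(config_text, debug_text):
    """True when hbdev uses ha1/ha2 and hasync cannot reach the heartbeat peer."""
    uses_ha_ports = bool(AFFECTED_HBDEV & set(heartbeat_devices(config_text)))
    unreachable = "Network is unreachable" in debug_text
    return uses_ha_ports and unreachable and bool(unreachable_peers(debug_text))

if __name__ == "__main__":
    print(heartbeat_devices(SAMPLE_CONFIG))
    print(dict(unreachable_peers(SAMPLE_DEBUG)))
    print(matches_known_issue(SAMPLE_CONFIG, SAMPLE_DEBUG))
```

A match only says the capture is consistent with the symptom; confirm the model and running version against the release notes linked above before changing hbdev or upgrading.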
