Deploy HA-AA mode
1) Plan the HA deployment
The conditions that must hold for HA negotiation to succeed:
- All the HA devices use the same heartbeat ports and data ports.
- All the HA devices have the same group-id.
- All the HA devices have the same node-list.
- Every HA device has a different local-node-id.
How the traffic-master is elected in HA-AA mode:
Override enabled:
Disk state > monitor interface > Remote IP check > priority > uptime > SN
Override disabled:
Disk state > monitor interface > Remote IP check > uptime > priority > SN
- Disk state is the hard-disk working state: the device without a hard-disk error wins. If all the devices have a disk error, the next condition is compared.
- Monitor interface is the number of monitored interfaces that are up: the device with more up interfaces wins. If all the devices have the same number of up interfaces, the next condition is compared.
- Priority is the value specified in the HA configuration: the device with the lower value wins. If all the devices have the same value, the next condition is compared.
- Uptime is the uptime of the device: the device with the longer uptime wins. If all the devices have the same uptime, the next condition is compared.
- SN is the serial number: the device with the higher SN becomes the master.
How the config-master is elected (this is the same in all 3 modes):
config-priority > SN
- Config-priority is the value specified in the HA configuration: the device with the lower config-priority value becomes the config-master.
- SN is the serial number: the device with the higher SN becomes the config-master.
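To make the two comparison orders above concrete, here is an added Python model of the traffic-master and config-master elections (it is not FortiADC code; the remote IP check is modelled as a pass/fail flag and serial numbers are compared as equal-length strings, both of which are assumptions). It uses the priority and config-priority values from the FAD1/FAD2 example in this guide, with constructed uptimes and serial numbers.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class HaNode:
    name: str
    disk_ok: bool         # True when the hard disk reports no error
    monitor_up: int       # count of monitored interfaces that are up
    remote_ip_ok: bool    # remote IP check passed (modelled as a flag; assumption)
    priority: int         # HA priority, lower value wins
    config_priority: int  # config-priority, lower value wins
    uptime: int           # seconds since boot, longer wins
    sn: str               # serial number, higher wins (string compare; assumes equal length)

def traffic_master_key(node: HaNode, override: bool) -> tuple:
    """Build a tuple where a larger value means a better candidate, so max() picks
    the master. Priority is negated because the lower configured value wins."""
    head = (node.disk_ok, node.monitor_up, node.remote_ip_ok)
    if override:
        tail = (-node.priority, node.uptime, node.sn)   # override enabled: priority beats uptime
    else:
        tail = (node.uptime, -node.priority, node.sn)   # override disabled: uptime beats priority
    return head + tail

def elect_traffic_master(nodes, override: bool) -> str:
    return max(nodes, key=lambda n: traffic_master_key(n, override)).name

def elect_config_master(nodes) -> str:
    # config-priority > SN, identical in all three HA modes
    return max(nodes, key=lambda n: (-n.config_priority, n.sn)).name

# Constructed sample matching the FAD1/FAD2 settings in this guide; uptimes and SNs are made up.
FAD1 = HaNode("FAD1", True, 4, True, priority=3, config_priority=40, uptime=3_600, sn="FAD000000000001")
FAD2 = HaNode("FAD2", True, 4, True, priority=9, config_priority=100, uptime=90_000, sn="FAD000000000002")
NODES = [FAD1, FAD2]

def scenarios() -> dict:
    """Return the winner under each condition the election rules describe."""
    return {
        "override_enabled": elect_traffic_master(NODES, override=True),    # FAD1: priority 3 beats 9
        "override_disabled": elect_traffic_master(NODES, override=False),  # FAD2: longer uptime
        "fad1_disk_error": elect_traffic_master([replace(FAD1, disk_ok=False), FAD2], override=True),
        "fad1_fewer_ports": elect_traffic_master([replace(FAD1, monitor_up=3), FAD2], override=True),
        "config_master": elect_config_master(NODES),                       # FAD1: config-priority 40
    }

if __name__ == "__main__":
    for case, winner in scenarios().items():
        print(f"{case}: {winner}")
```

Note that with override disabled the longer-running FAD2 keeps the traffic-master role even though FAD1 has the better priority, which is the behaviour to expect after FAD1 reboots.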
Some important notes:
- In HA-AA mode, every device interface has its own working IP address, and it must be specified under “config ha-node-ip-list”. This configuration is synchronized to all the HA peers, and each HA peer uses the entry that matches its own local-node-id.
- Each HA node must have its own local-node-id, and the local-node-id values on different nodes must be different.
- In HA-AA mode, the IP address configured directly on an interface no longer takes effect; only the IP addresses under “config ha-node-ip-list” are used.
- For the best performance and a stable environment, place a routing device (typically a router) between FortiADC and the real servers. The routing device needs a “reverse-route” style function, meaning that return packets from a real server are forwarded back to the same FortiADC node that distributed the traffic to that real server. For example, if requests from client1 were handled by FortiADC1 and FortiADC1 distributed them to real-server1, the routing device must forward the return packets from real-server1 to client1 back through FortiADC1.
In this example, we make FAD1 the traffic-master and config-master, and FAD2 the traffic-slave and config-slave. If you have a management interface, you can configure this in the Web UI; otherwise, configure it from the console.
FAD1:
config system ha
set mode active-active
set hbdev port6 port7
set group-id 14
set node-list 0 1
set local-node-id 0
set group-name group1
set priority 3
set config-priority 40
set override enable
set l7-persistence-pickup enable
set l4-persistence-pickup enable
set l4-session-pickup enable
set monitor port2 port3 port4 port5
end
FAD2:
config system ha
set mode active-active
set hbdev port6 port7
set group-id 14
set node-list 0 1
set local-node-id 1
set group-name group1
set priority 9
set config-priority 100
set override enable
set l7-persistence-pickup enable
set l4-persistence-pickup enable
set l4-session-pickup enable
set monitor port2 port3 port4 port5
end
2) Configure the HA options
The following example shows the FAD1 configuration, the FAD2 is similar.
Navigate to “System->High Availability” page:
Configure the required options:
Configure the synchronization options
Configure the advanced options
3) Configure the necessary node-ip-list
In HA-AA mode you must configure the interface IP addresses in the node-ip-list. In this mode, an IP address configured directly under the interface does not take effect; only the IP addresses under “config ha-node-ip-list” are used. In this example, port2 originally had this IP address:
config system interface
edit "port2"
set ip 159.3.200.4/16
next
end
In HA-AA mode this IP address, 159.3.200.4, does not take effect. To make it work, configure it in the node-ip-list instead, with one entry per node:
config system interface
edit "port2"
config ha-node-ip-list
edit 1
set ip 159.3.200.4/16
set node 0
set allowaccess https ping ssh snmp http telnet
next
edit 2
set ip 159.3.200.5/16
set node 1
set allowaccess https ping ssh snmp http telnet
next
end
next
end
Then FAD1’s port2 uses “159.3.200.4”, while FAD2’s port2 uses “159.3.200.5”.