Deploy HA-AP mode
1) Enable the management-interface
It is recommended that the management-interface be enabled when HA-AP mode is deployed. Once HA-AP mode is in effect, only the master handles traffic, which means you cannot access the slave device directly; in most cases that is inconvenient. The management-interface, on the other hand, is a virtual interface bound to a physical interface, and it works in every mode, including standalone. Perform the following steps on all HA nodes.
Steps
- Obtain console access to the FortiADC and execute the following steps from the console.
- Because the management-interface is a virtual interface inside the system, it uses the same routing mechanism as any other interface, so there must be no overlapping subnets in the system. For that reason the original IP address of the physical interface is usually cleared first. Clearing it can cause loss of connectivity, which is why the first step requires console access.
- Configure the management-interface.
- Configure the default route accordingly.
FAD2 # config system interface
FAD2 (interface) # edit port1
FAD2 (port1) # unset ip
FAD2 (port1) # end
FAD2 # config system ha
FAD2 (ha) # set mgmt-status enable
FAD2 (ha) # set mgmt-interface port1
FAD2 (ha) # set mgmt-ip 10.106.188.42/23
FAD2 (ha) # set mgmt-ip-allowaccess http https ping snmp ssh telnet
FAD2 (ha) # end
FAD2 # config router static
FAD2 (static) # edit 1
FAD2 (1) # set gateway 10.106.189.254
FAD2 (1) # end
Note: On virtualization platforms such as VMware ESXi, KVM and Hyper-V, promiscuous mode must be enabled on the VM interface to which the management-interface will be bound. This mode has a different name on each platform; on Hyper-V, for example, it is called "MAC address spoofing".
2) Configure the HA-AP mode on both sides
Once the management-interface is configured, perform the following steps in the Web UI.
Steps
- Plan the HA role for the devices
There are two HA roles to plan: the traffic-role and the config-role. Technically, the traffic-master and the config-master can be placed on different devices. Only the traffic-master handles traffic, and a full configuration sync can only go from the config-master to the other nodes (an incremental configuration sync can originate from any node).
Typically, the traffic-master and config-master are the same device. The example below configures the traffic-master and config-master on the same device with override enabled.
The conditions for a successful negotiation are:
- All HA devices use the same heartbeat ports and data ports.
- All HA devices have the same group-id.
How the traffic-master is elected in HA-AP mode:
Override enabled:
Disk state > monitor interface > priority > uptime > SN
Override disabled:
Disk state > monitor interface > uptime > priority > SN
- Disk state is the working state of the hard disk: the device without a hard disk error wins. If all devices have a disk error, the next condition is compared.
- Monitor interface is the number of monitored interfaces that are up: the device with more up interfaces wins. If all devices have the same number of up interfaces, the next condition is compared.
- Priority is the value specified in the HA configuration: the device with the lower value wins. If all devices have the same value, the next condition is compared.
- Uptime is the uptime of the device: the device with the longer uptime wins. If all devices have the same uptime, the next condition is compared.
- SN is the serial number: the device with the higher SN becomes the master.
How the config-master is elected (the same in all 3 modes):
config-priority > SN
- Config-priority is the value specified in the HA configuration: the device with the lower config-priority value becomes the config-master.
- SN is the serial number: the device with the higher SN becomes the config-master.
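The two election orders above, as an added example that is not part of the FortiADC documentation: the nodes, their serial numbers and uptimes are constructed sample values chosen to match the FAD1/FAD2 priorities used later in this guide, and serial numbers are assumed to compare as strings of equal length.

```python
from dataclasses import dataclass


@dataclass
class HaNode:
    hostname: str
    sn: str               # serial number; higher wins as the final tie-breaker
    priority: int         # HA priority; lower value wins
    config_priority: int  # config-priority; lower value wins
    disk_ok: bool         # True when the hard disk reports no error
    monitor_up: int       # number of monitored interfaces that are up
    uptime: int           # device uptime in seconds; longer wins


def traffic_master(nodes, override):
    """Elect the traffic-master in HA-AP mode.

    override enabled : disk state > monitor interface > priority > uptime > SN
    override disabled: disk state > monitor interface > uptime > priority > SN
    Each tuple element is arranged so that the larger value wins.
    """
    def key(n):
        if override:
            return (n.disk_ok, n.monitor_up, -n.priority, n.uptime, n.sn)
        return (n.disk_ok, n.monitor_up, n.uptime, -n.priority, n.sn)
    return max(nodes, key=key)


def config_master(nodes):
    """Elect the config-master: config-priority > SN (same in all three modes)."""
    return max(nodes, key=lambda n: (-n.config_priority, n.sn))


def example_nodes():
    """Constructed sample: FAD1 (priority 1, config-priority 10) was rebooted
    recently, FAD2 (priority 9, config-priority 100) has been up for a day."""
    fad1 = HaNode("FAD1", "FADV000000000001", 1, 10, True, 4, 3600)
    fad2 = HaNode("FAD2", "FADV000000000002", 9, 100, True, 4, 86400)
    return fad1, fad2
```

With override enabled FAD1 wins on priority; with override disabled FAD2 wins because its longer uptime is compared before priority, which is why the guide enables override when a fixed master is wanted.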
Here we set up two HA devices running HA-AP mode, making FAD1 the master and FAD2 the slave. The configuration example is as follows.
FAD1:
config system ha
set mode active-passive
set hbdev port6 port7
set group-id 14
set group-name group1
set priority 1
set config-priority 10
set override enable
set l7-persistence-pickup enable
set l4-persistence-pickup enable
set l4-session-pickup enable
set monitor port2 port3 port4 port5
end
FAD2:
config system ha
set mode active-passive
set hbdev port6 port7
set group-id 14
set group-name group1
set priority 9
set config-priority 100
set override enable
set l7-persistence-pickup enable
set l4-persistence-pickup enable
set l4-session-pickup enable
set monitor port2 port3 port4 port5
end
There are some preconditions for the HA negotiation:
- The hostnames of the HA nodes must NOT be the same.
- The group-id of the HA nodes must be the same.
- The heartbeat interfaces must be connected directly or be in the same VLAN.
- On some virtualization platforms such as Hyper-V, "MAC address spoofing" must be enabled on the heartbeat interface.
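The preconditions that can be checked from the configuration text itself, as an added example that is not part of the FortiADC documentation: it parses a reduced copy of the FAD1/FAD2 "config system ha" blocks above (a constructed sample that omits the persistence and session-pickup lines) and reports which negotiation preconditions are violated. The physical checks (heartbeat cabling, VLAN, MAC address spoofing) cannot be verified this way.

```python
import re

# Constructed sample: the negotiation-relevant lines of the FAD1 config above.
FAD1_CFG = """config system ha
set mode active-passive
set hbdev port6 port7
set group-id 14
set priority 1
set config-priority 10
set override enable
set monitor port2 port3 port4 port5
end"""

# FAD2 differs from FAD1 only in priority and config-priority, as on the page.
FAD2_CFG = FAD1_CFG.replace("set priority 1", "set priority 9").replace(
    "set config-priority 10", "set config-priority 100")


def parse_ha_config(text):
    """Map every 'set <key> <values>' line to key -> tuple of values."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            cfg[m.group(1)] = tuple(m.group(2).split())
    return cfg


def check_negotiation(nodes):
    """nodes: list of (hostname, parsed config). Return the list of violated
    preconditions; an empty list means the nodes can negotiate."""
    problems = []
    hostnames = [h for h, _ in nodes]
    if len(set(hostnames)) != len(hostnames):
        problems.append("hostnames must not be the same")
    # heartbeat ports, monitored data ports and group-id must match on all nodes
    for key in ("hbdev", "monitor", "group-id"):
        values = {cfg.get(key) for _, cfg in nodes}
        if len(values) != 1:
            problems.append(f"{key} must be the same on all nodes, got "
                            f"{sorted(map(str, values))}")
    return problems
```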
The following example shows the FAD1 configuration, the FAD2 is similar.
Navigate to “System->High Availability” page:
Configure the required options:
Configure the synchronization options
Configure the advanced options