Fortinet Document Library

Deploy HA-AA mode

1) Plan the HA deployment

HA negotiation succeeds only when the following conditions hold:

  • All the HA devices use the same heartbeat ports and data ports.
  • All the HA devices have the same group-id.
  • All the HA devices have the same node-list.
  • Every HA device has a different local-node-id.

How the traffic-master is elected in HA-AA mode:

Override enabled:

Disk state > monitor interface > Remote IP check > priority > uptime > SN

Override disabled:

Disk state > monitor interface > Remote IP check > uptime > priority > SN

  • Disk state is the hard-disk working state: a device without a hard-disk error wins. If all devices have a disk error, the next condition is compared.
  • Monitor interface is the number of monitored interfaces that are up: the device with more up interfaces wins. If all devices have the same number of up interfaces, the next condition is compared.
  • Priority is the value set in the HA configuration: the device with the lower value wins. If all devices have the same value, the next condition is compared.
  • Uptime is the uptime of the device: the device with the longer uptime wins. If all devices have the same uptime, the next condition is compared.
  • SN is the serial number: the device with the higher SN becomes the traffic-master.

How the config-master is elected (the same in all three HA modes):

config-priority > SN

  • Config-priority is the value set in the HA configuration: the device with the lower config-priority becomes the config-master.
  • SN is the serial number: if config-priority ties, the device with the higher SN becomes the config-master.
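The negotiation prerequisites and the two election orderings above, as an added worked example (this is illustrative code, not Fortinet's election implementation). It assumes the "Remote IP check" can be modelled as a pass/fail flag, and the serial numbers and uptimes for FAD1 and FAD2 are constructed; the priority and config-priority values are the ones from the CLI example in this page.

```python
from dataclasses import dataclass

# Constructed model of the election rules on this page; not Fortinet code.
@dataclass(frozen=True)
class Node:
    name: str
    sn: str               # serial number: higher wins as the final tie-breaker
    priority: int         # traffic-master priority: lower wins
    config_priority: int  # config-master priority: lower wins
    uptime: int           # seconds of uptime: longer wins
    local_node_id: int    # must be unique within the HA group
    disk_ok: bool = True  # no hard-disk error
    up_monitored: int = 4  # monitored interfaces that are up: more wins
    remote_ip_ok: bool = True  # "Remote IP check" modelled as pass/fail (assumption)
    hbdev: tuple = ("port6", "port7")  # heartbeat ports: must match across the group
    group_id: int = 14                 # must match across the group
    node_list: tuple = (0, 1)          # must match across the group

def negotiation_errors(nodes):
    """Prerequisites for HA negotiation; an empty list means the group can form."""
    errors = []
    for field in ("hbdev", "group_id", "node_list"):
        if len({getattr(n, field) for n in nodes}) != 1:
            errors.append(f"{field} differs between nodes")
    ids = [n.local_node_id for n in nodes]
    if len(set(ids)) != len(ids):
        errors.append("local-node-id is not unique")
    return errors

def elect_traffic_master(nodes, override):
    """Traffic-master election; every component of the rank key is 'bigger wins'."""
    def rank(n):
        head = (n.disk_ok, n.up_monitored, n.remote_ip_ok)
        # override enable: priority is compared before uptime; disable: uptime first
        tail = (-n.priority, n.uptime) if override else (n.uptime, -n.priority)
        return head + tail + (n.sn,)
    return max(nodes, key=rank).name

def elect_config_master(nodes):
    """Config-master election (same in all HA modes): config-priority, then SN."""
    return max(nodes, key=lambda n: (-n.config_priority, n.sn)).name

# The two nodes of the page's CLI example; serial numbers and uptimes are constructed.
FAD1 = Node("FAD1", "FAD-SN-0001", priority=3, config_priority=40, uptime=3600, local_node_id=0)
FAD2 = Node("FAD2", "FAD-SN-0002", priority=9, config_priority=100, uptime=86400, local_node_id=1)
```

With override enabled FAD1 wins on priority even though FAD2 has been up longer; with override disabled the longer uptime of FAD2 is compared first and FAD2 becomes traffic-master, which is why the page enables override on both nodes.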

Some important notes:

  • In HA-AA mode, every device interface has its own working IP address, which must be specified under “config ha-node-ip-list”. This configuration is synchronized to all HA peers, and each peer uses the entry that matches its own local-node-id.
  • Each HA node must have its own local-node-id; the local-node-id must be different on every node.
  • In HA-AA mode, the IP address configured directly on the interface no longer works; only the IP addresses under “config ha-node-ip-list” are used.
  • For the best performance and a stable environment, place a routing device (typically a router) between the FortiADC nodes and the real servers. The routing device needs a “reverse-route” type function, so that return packets from a real server are forwarded back to the FortiADC node that originally distributed the traffic to that real server. For example, if the requests from client1 were handled by FortiADC1 and FortiADC1 distributed them to real-server1, the routing device must forward the return packets from real-server1 to client1 back through FortiADC1.

In this example, FAD1 becomes the traffic-master and config-master, and FAD2 the traffic-slave and config-slave. FAD1 keeps local-node-id 0 (it is not set explicitly below) and FAD2 is node 1. If the devices have a management interface you can configure HA in the Web UI; otherwise configure it from the console.

FAD1:

config system ha
    set mode active-active
    set hbdev port6 port7
    set group-id 14
    set node-list 0 1
    set group-name group1
    set priority 3
    set config-priority 40
    set override enable
    set l7-persistence-pickup enable
    set l4-persistence-pickup enable
    set l4-session-pickup enable
    set monitor port2 port3 port4 port5
end

FAD2:

config system ha
    set mode active-active
    set hbdev port6 port7
    set group-id 14
    set node-list 0 1
    set local-node-id 1
    set group-name group1
    set priority 9
    set config-priority 100
    set override enable
    set l7-persistence-pickup enable
    set l4-persistence-pickup enable
    set l4-session-pickup enable
    set monitor port2 port3 port4 port5
end

2) Configure the HA options

The following example shows the FAD1 configuration; FAD2 is configured the same way.

Navigate to “System->High Availability” page:

Configure the required options:

Configure the synchronization options

Configure the advanced options

3) Configure the necessary node-ip-list

In HA-AA mode you must configure the interface IP addresses specifically for this mode: an IP address set directly under the interface does not work, and only the addresses under “config ha-node-ip-list” are used. In this example, port2 originally has this IP address:

config system interface
    edit "port2"
        set ip 159.3.200.4/16
    next
end

The address 159.3.200.4 configured this way is not used in HA-AA mode. To make port2 work, configure one ha-node-ip-list entry per node instead:

config system interface
    edit "port2"
        config ha-node-ip-list
            edit 1
                set ip 159.3.200.4/16
                set node 0
                set allowaccess https ping ssh snmp http telnet
            next
            edit 2
                set ip 159.3.200.5/16
                set node 1
                set allowaccess https ping ssh snmp http telnet
            next
        end
    next
end

FAD1 (node 0) then uses 159.3.200.4 on port2, while FAD2 (node 1) uses 159.3.200.5.
