Fortinet Document Library


Deploy HA-VRRP mode

1) Plan the HA deployment

Conditions for HA negotiation to succeed:

  • All the HA devices use the same heartbeat ports and data ports.
  • All the HA devices have the same group-id.
  • All the HA devices have different local-node-id values.

How the traffic-group master is elected in HA-VRRP mode (master and slave are elected per traffic group):

Preempt enabled:

work state > failover-order > uptime

Preempt disabled:

work state > uptime > failover-order

  • Currently, the work state is affected only by the remote-ip check. A device that has a remote-ip check down is treated as down for work state. If one device has a check down and the other does not, the one without a check down wins. If all the devices have a remote-ip check down, the next condition is compared.
  • Failover-order is an option in the HA configuration. It specifies the failover order of the alternative devices by local-node-id.
  • Uptime is the HA device uptime; the longer, the better.

How the config-master is elected (this is the same in all 3 modes):

config-priority > SN

  • Config-priority is the value specified in the HA config. The device with the lower config-priority value becomes the config-master.
  • SN means the serial number. The device with the higher SN becomes the config-master.
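
The two election rules above, written out as an added example (not Fortinet code). It assumes that an earlier position in failover-order is preferred and that serial numbers compare as strings; the uptimes and serial numbers are constructed.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    local_node_id: int
    config_priority: int
    serial: str                   # constructed placeholder, not a real SN
    uptime_s: int
    remote_ip_down: bool = False  # True if any remote-ip check is down

def traffic_group_master(nodes, failover_order, preempt):
    """Pick the master of one traffic group using the precedence on this page."""
    def rank(n):
        state = 1 if n.remote_ip_down else 0           # healthy work state wins
        # Assumption: earlier in failover-order is preferred; unlisted nodes last.
        pos = (failover_order.index(n.local_node_id)
               if n.local_node_id in failover_order else len(failover_order))
        if preempt:                                     # work state > failover-order > uptime
            return (state, pos, -n.uptime_s)
        return (state, -n.uptime_s, pos)                # work state > uptime > failover-order
    return min(nodes, key=rank)

def config_master(nodes):
    """Lowest config-priority wins; a tie goes to the higher serial number."""
    lowest = min(n.config_priority for n in nodes)
    tied = [n for n in nodes if n.config_priority == lowest]
    return max(tied, key=lambda n: n.serial)            # assumption: string comparison

# Constructed sample: node ids and priorities from the page, uptimes and SNs invented.
FAD1 = Node("FAD1", 0, 20, "SN-PLACEHOLDER-0001", uptime_s=1_000)
FAD2 = Node("FAD2", 1, 100, "SN-PLACEHOLDER-0002", uptime_s=5_000)

if __name__ == "__main__":
    pair = [FAD1, FAD2]
    print("Group1, preempt on :", traffic_group_master(pair, [0, 1], True).name)
    print("Group2, preempt on :", traffic_group_master(pair, [1, 0], True).name)
    print("Group1, preempt off:", traffic_group_master(pair, [0, 1], False).name)
    print("config-master      :", config_master(pair).name)
```

With preempt disabled the longer-running node keeps the group even when failover-order prefers the other one, which is the practical difference between the two orderings.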

Before setting up HA-VRRP mode, divide the real servers into groups; typically the real servers are divided into 2 groups. In this example, the two groups are VRRP_Group1 and VRRP_Group2.

Please refer to the chart above. We will create two virtual servers, VS1 and VS2. VS1 belongs to VRRP_Group1 and VS2 belongs to VRRP_Group2. Real-server1 and real-server2 belong to VS1; real-server3 and real-server4 belong to VS2. All traffic to VS1 is then handled by FAD1, and all traffic to VS2 is handled by FAD2. If one FortiADC fails, the other device takes over its traffic. Port2 belongs to VRRP_Group1, and port3 belongs to VRRP_Group2.

In this example, the HA VRRP configuration is as follows:

FAD1:

config system ha
    set mode active-active-vrrp
    set hbdev port4 port5
    set group-id 15
    set local-node-id 0
    set group-name grp2
    set config-priority 20
    set override enable
    set l7-persistence-pickup enable
    set l4-persistence-pickup enable
    set l4-session-pickup enable
end

FAD2:

config system ha
    set mode active-active-vrrp
    set hbdev port4 port5
    set group-id 15
    set local-node-id 1
    set group-name grp2
    set config-priority 100
    set override enable
    set l7-persistence-pickup enable
    set l4-persistence-pickup enable
    set l4-session-pickup enable
end
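
A pre-deployment check of the negotiation conditions from step 1 against the two blocks above, as an added example (not Fortinet tooling). It reads only the `set` lines shown on this page, treats the order of hbdev ports as irrelevant (an assumption), and the third "FAD3" block is a constructed misconfiguration.

```python
from collections import Counter

# Settings copied from the FAD1/FAD2 blocks above (only the fields checked here).
FAD1 = """config system ha
set mode active-active-vrrp
set hbdev port4 port5
set group-id 15
set local-node-id 0
end"""
FAD2 = FAD1.replace("local-node-id 0", "local-node-id 1")
# Constructed misconfiguration: wrong group, reused node id, one heartbeat port missing.
BAD = """config system ha
set mode active-active-vrrp
set hbdev port4
set group-id 16
set local-node-id 1
end"""

def parse_ha(text):
    """Return {option: [values]} for the 'set' lines of one 'config system ha' block."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "set":
            cfg[parts[1]] = parts[2:]
    return cfg

def negotiation_problems(devices):
    """devices: {name: cli_text}. Returns a list of violated preconditions."""
    cfgs = {name: parse_ha(text) for name, text in devices.items()}
    problems = []
    for option in ("hbdev", "group-id"):           # must be identical on every node
        values = {name: tuple(sorted(c.get(option, []))) for name, c in cfgs.items()}
        if len(set(values.values())) > 1:
            problems.append(f"{option} differs: {values}")
    ids = Counter(tuple(c.get("local-node-id", [])) for c in cfgs.values())
    for node_id, count in ids.items():             # must be unique per node
        if count > 1 or not node_id:
            problems.append(f"local-node-id {' '.join(node_id) or '<unset>'} used {count}x")
    return problems

if __name__ == "__main__":
    print(negotiation_problems({"FAD1": FAD1, "FAD2": FAD2}))
    print(negotiation_problems({"FAD1": FAD1, "FAD2": FAD2, "FAD3": BAD}))
```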

2) Configure the HA VRRP basic options

In this example, FAD1 is the config-master and FAD2 is the config-slave. In VRRP mode, each interface has its own IP address, so you can configure the basic HA-VRRP options from the Web UI.

The following example shows the FAD1 configuration; FAD2 is similar.

Navigate to the “System->High Availability” page:

Edit the HA node:

3) Configure the needed VRRP groups

Once the two devices have established the HA VRRP relationship, configuration changes made on any HA node are synced to the other nodes. So in this example, you only need to create the VRRP groups on one of the nodes. Here we use FAD1:

Navigate to System->Traffic Group and add a new member.

The equivalent configuration:

config system traffic-group
    edit "VRRP_Group1"
        set failover-order 0 1
        set preempt enable
    next
    edit "VRRP_Group2"
        set failover-order 1 0
        set preempt enable
    next
end

4) Assign interface, virtual-server and other resources to the VRRP group

By default, all the interfaces, virtual servers and other resources are in the traffic-group “default”. We recommend assigning the resources to a custom traffic-group.

Navigate to Networking->Interface, edit the interface:

Remember, the floating-ip only works on the traffic-group master. In this example, port2 belongs to VRRP_Group1 and FAD1 is currently the master of VRRP_Group1, so “159.9.200.200” is currently active only on FAD1. If FAD1 fails, FAD2 takes over as master of VRRP_Group1, and “159.9.200.200” then works on FAD2.

Navigate to Server Load Balance->Virtual Server, edit the interface, and set VS1 to VRRP_Group1 and VS2 to VRRP_Group2.
