Test case 1

Starting position:
  • No CA certificate has been installed on either FortiAnalyzer.

  • FAZHA001 is the primary.

  • FAZHA002 is the secondary.

  • lynx001 continuous ping targeting the VIP 10.0.10.10.

Result:

After executing diagnose ha failover on the primary (FAZHA001), the ping to the VIP stalled. FortiAnalyzer HA worked as expected and the new primary is now FAZHA002 (see below).

After failing over again back to FAZHA001, the ping to the VIP immediately started working again.

lynx001 ping:

azureuser@lynx01:~$ ping 10.0.10.10

PING 10.0.10.10 (10.0.10.10) 56(84) bytes of data.

64 bytes from 10.0.10.10: icmp_seq=1 ttl=64 time=0.985 ms

64 bytes from 10.0.10.10: icmp_seq=2 ttl=64 time=0.651 ms

64 bytes from 10.0.10.10: icmp_seq=3 ttl=64 time=0.643 ms

64 bytes from 10.0.10.10: icmp_seq=4 ttl=64 time=0.713 ms

FAZHA001 diagnose ha status:

HA-Status: Secondary

up-time: 2m53.669s

config-sync: Allow

serial-no: FAZVMSTMxxxxxxx3

fazuid: 3433169053

hostname: fazha001

load balance status: 0x0

HA-Primary fazha@10.0.10.5 FAZVMSTMxxxxxxx4

ip: 10.0.10.5

serial-no: FAZVMSTMxxxxxxx4

fazuid: 4148610926

hostname: fazha002

conn-st: up

up/down-time: 2m51.967s

conn-msg:

cfgsync-st: up, 2m27.862s

data-init-sync-st: done, 2m47.965s

FAZHA001 checking HA log:

tail -f /var/private/clusterd/faz-ha.log

2023/02/02 10:45:30 [add-ip] retry...

2023/02/02 10:45:30 [add-ip] Error network.InterfacesClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces?api-version=2020-05-01": x509: certificate signed by unknown authority

2023/02/02 11:11:40 <729> check_empty: platform=FAZVM64-AZURE

2023/02/02 11:11:40 <729> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a

2023/02/02 11:11:40 <729> main: -> BACKUP

2023/02/02 11:11:40 <729> to_BACKUP: -> BACKUP

2023/02/02 11:16:16 <2716> check_empty: platform=FAZVM64-AZURE

2023/02/02 11:16:16 <2716> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a

2023/02/02 11:16:16 <2716> main: -> MASTER

2023/02/02 11:16:17 [add-ip] 10.0.10.10 is private IP

2023/02/02 11:18:36 <3398> check_empty: platform=FAZVM64-AZURE

2023/02/02 11:18:36 <3398> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a

2023/02/02 11:18:36 <3398> main: -> STOP

2023/02/02 11:18:36 <3398> main: -> STOP

2023/02/02 11:18:37 <3412> check_empty: platform=FAZVM64-AZURE

2023/02/02 11:18:37 <3412> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a

2023/02/02 11:18:37 <3412> main: -> BACKUP

2023/02/02 11:18:37 <3412> to_BACKUP: -> BACKUP

FAZHA002 diagnose ha status:

HA-Status: Primary

up-time: 25.950s

config-sync: Allow

serial-no: FAZVMSTMxxxxxxx4

fazuid: 4148610926

hostname: fazha002

load balance status: 0x8

HA-Secondary fazha@10.0.10.4 FAZVMSTMxxxxxxx3

ip: 10.0.10.4

serial-no: FAZVMSTMxxxxxxx3

fazuid: 3433169053

hostname: fazha001

conn-st: up

up/down-time: 25.050s

conn-msg:

cfgsync-st: down

data-init-sync-st: done, 11.547s

FAZHA002 checking HA log:

tail -f /var/private/clusterd/faz-ha.log

2023/02/02 11:11:41 <7372> main: -> MASTER

2023/02/02 11:11:42 [add-ip] 10.0.10.10 is private IP

2023/02/02 11:16:15 <8220> check_empty: platform=FAZVM64-AZURE

2023/02/02 11:16:15 <8220> main: #0: 10.0.10.10 port1 60:45:bd:f5:2b:32

2023/02/02 11:16:15 <8220> main: -> STOP

2023/02/02 11:16:15 <8220> main: -> STOP

2023/02/02 11:16:16 <8233> check_empty: platform=FAZVM64-AZURE

2023/02/02 11:16:16 <8233> main: #0: 10.0.10.10 port1 60:45:bd:f5:2b:32

2023/02/02 11:16:16 <8233> main: -> BACKUP

2023/02/02 11:16:16 <8233> to_BACKUP: -> BACKUP

2023/02/02 11:18:37 <9783> check_empty: platform=FAZVM64-AZURE

2023/02/02 11:18:37 <9783> main: #0: 10.0.10.10 port1 60:45:bd:f5:2b:32

2023/02/02 11:18:37 <9783> main: -> MASTER

2023/02/02 11:18:38 [add-ip] 10.0.10.10 is private IP

2023/02/02 11:19:12 [add-ip] error: network.InterfacesClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces?api-version=2020-05-01": x509: certificate signed by unknown authority

2023/02/02 11:19:17 [add-ip] retry...

2023/02/02 11:19:17 [add-ip] Error network.InterfacesClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces?api-version=2020-05-01": x509: certificate signed by unknown authority

Note

The above shows that the private VIP cannot be transferred to the new primary FAZHA002 because of the "certificate signed by unknown authority" error: the [add-ip] step cannot list the network interfaces through the Azure management API, so the VIP stays where it was.
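A small log check, added here as an example and not part of the FortiAnalyzer product or of this test report, that reads faz-ha.log lines in the format shown above and classifies the most recent MASTER transition: it reports whether the [add-ip] step ran into the x509 error within a window after takeover, which is the condition the note describes. The sample lines are constructed from this page's excerpts (the Azure URL is shortened); the VIP address and the window length are parameters chosen for the example.

```python
import re
from datetime import datetime

# Constructed sample excerpts modelled on the faz-ha.log lines shown on this page.
LOG_FAILED = """\
2023/02/02 11:18:37 <9783> main: -> MASTER
2023/02/02 11:18:38 [add-ip] 10.0.10.10 is private IP
2023/02/02 11:19:12 [add-ip] error: network.InterfacesClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/...": x509: certificate signed by unknown authority
2023/02/02 11:19:17 [add-ip] retry...
"""
LOG_OK = """\
2023/02/02 10:45:30 [add-ip] retry...
2023/02/02 11:16:16 <2716> main: -> MASTER
2023/02/02 11:16:17 [add-ip] 10.0.10.10 is private IP
"""

LINE_RE = re.compile(r'^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?:<\d+> )?(.*)$')
TS_FMT = '%Y/%m/%d %H:%M:%S'

def parse(log_text):
    """Yield (timestamp, message) per well-formed line; the <pid> tag is dropped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2)

def check_vip_takeover(log_text, vip, window_s=300):
    """Classify the most recent '-> MASTER' transition; older [add-ip] lines are ignored."""
    state = {'became_master_at': None, 'vip_add_seen': False, 'tls_error': None, 'status': 'no-transition'}
    for ts, msg in parse(log_text):
        if msg.endswith('-> MASTER'):
            # New takeover episode: forget anything from earlier episodes.
            state = {'became_master_at': ts, 'vip_add_seen': False, 'tls_error': None, 'status': 'pending'}
            continue
        start = state['became_master_at']
        if start is None or (ts - start).total_seconds() > window_s:
            continue
        if msg.endswith('-> BACKUP') or msg.endswith('-> STOP'):
            state['status'] = 'stepped-down'        # gave up the primary role again
        elif msg.startswith('[add-ip]') and f'{vip} is private IP' in msg:
            state['vip_add_seen'] = True            # clusterd started moving the VIP
        elif msg.startswith('[add-ip]') and 'x509' in msg:
            # TLS validation of the Azure API call failed: the VIP stays on the old primary.
            state['tls_error'] = msg.split('Original Error: ', 1)[-1]
            state['status'] = 'vip-move-failed'
    if state['status'] == 'pending':
        state['status'] = 'vip-move-ok' if state['vip_add_seen'] else 'vip-add-not-seen'
    return state
```

Run it against `tail -n 200 /var/private/clusterd/faz-ha.log` output from the new primary; a 'vip-move-failed' verdict with an 'unknown authority' tls_error is the signature of the case above.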