Test case 2
Starting position:
-
Baltimore CA certificate installed on both FortiAnalyzers.
-
FAZHA001 is the primary.
-
FAZHA002 is the secondary.
-
lynx001 continuous ping targeting the VIP 10.0.10.10.
The Baltimore CA certificate can be downloaded here: https://learn.microsoft.com/en-us/azure/security/fundamentals/azure-ca-details |
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
openssl x509 -in ~/Downloads/HA-Azure.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: xxxxxxxx (0x20000b9)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Validity
Not Before: May 12 18:46:00 2000 GMT
Not After : May 12 23:59:00 2025 GMT
Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrustRoot
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a3:04:bb:22:ab:98:3d:57:e8:26:72:9a:b5:79:
d4:29:e2:e1:e8:95:80:b1:b0:e3:5b:8e:2b:29:9a:
64:df:a1:5d:ed:b0:09:05:6d:db:28:2e:ce:62:a2:
62:fe:b4:88:da:12:eb:38:eb:21:9d:c0:41:2b:01:
52:7b:88:77:d3:1c:8f:c7:ba:b9:88:b5:6a:09:e7:
73:e8:11:40:a7:d1:cc:ca:62:8d:2d:e5:8f:0b:a6:
50:d2:a8:50:c3:28:ea:f5:ab:25:87:8a:9a:96:1c:
a9:67:b8:3f:0c:d5:f7:f9:52:13:2f:c2:1b:d5:70:
70:f0:8f:c0:12:ca:06:cb:9a:e1:d9:ca:33:7a:77:
d6:f8:ec:b9:f1:68:44:42:48:13:d2:c0:c2:a4:ae:
5e:60:fe:b6:a6:05:fc:b4:dd:07:59:02:d4:59:18:
98:63:f5:a5:63:e0:90:0c:7d:5d:b2:06:7a:f3:85:
ea:eb:d4:03:ae:5e:84:3e:5f:ff:15:ed:69:bc:f9:
39:36:72:75:cf:77:52:4d:f3:c9:90:2c:b9:3d:e5:
c9:23:53:3f:1f:24:98:21:5c:07:99:29:bd:c6:3a:
ec:e7:6e:86:3a:6b:97:74:63:33:bd:68:18:31:f0:
78:8d:76:bf:fc:9e:8e:5d:2a:86:a7:4d:90:dc:27:
1a:39
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:3
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha1WithRSAEncryption
85:0c:5d:8e:e4:6f:51:68:42:05:a0:dd:bb:4f:27:25:84:03:
bd:f7:64:fd:2d:d7:30:e3:a4:10:17:eb:da:29:29:b6:79:3f:
76:f6:19:13:23:b8:10:0a:f9:58:a4:d4:61:70:bd:04:61:6a:
12:8a:17:d5:0a:bd:c5:bc:30:7c:d6:e9:0c:25:8d:86:40:4f:
ec:cc:a3:7e:38:c6:37:11:4f:ed:dd:68:31:8e:4c:d2:b3:01:
74:ee:be:75:5e:07:48:1a:7f:70:ff:16:5c:84:c0:79:85:b8:
05:fd:7f:be:65:11:a3:0f:c0:02:b4:f8:52:37:39:04:d5:a9:
31:7a:18:bf:a0:2a:f4:12:99:f7:a3:45:82:e3:3c:5e:f5:9d:
9e:b5:c8:9e:7c:2e:c8:a4:9e:4e:08:14:4b:6d:fd:70:6d:6b:
1a:63:bd:64:e6:1f:b7:ce:f0:f2:9f:2e:bb:1b:b7:f2:50:88:
73:92:c2:e2:e3:16:8d:9a:32:02:ab:8e:18:dd:e9:10:11:ee:
7e:35:ab:90:af:3e:30:94:7a:d0:33:3d:a7:65:0f:f5:fc:8e:
9e:62:cf:47:44:2c:01:5d:bb:1d:b5:32:d2:47:d2:38:2e:d0:
fe:81:dc:32:6a:1e:b5:ee:3c:d5:fc:e7:81:1d:19:c3:24:42:
ea:63:39:a9
FAZHA001 Baltimore CA certificate installed:
config system certificate ca
edit "HA-Azure"
set ca "-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----"
set comment "Created by CA certificate"
next
end
FAZHA002 Baltimore CA certificate installed:
config system certificate ca
edit "HA-Azure"
set ca "-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----"
set comment "Created by CA certificate"
next
end
Result:
After executing diagnose ha failover
on the primary (FAZHA001), the ping to the VIP was stocked. FortiAnalyzer HA worked as expected and the new primary is now FAZHA002 (see below).
After switch failover again back FAZHA001, the ping to the VIP immediately starts working again.
lynx001 ping:
azureuser@lynx01:~$ ping 10.0.10.10
PING 10.0.10.10 (10.0.10.10) 56(84) bytes of data.
64 bytes from 10.0.10.10: icmp_seq=1 ttl=64 time=0.614 ms
64 bytes from 10.0.10.10: icmp_seq=2 ttl=64 time=1.25 ms
64 bytes from 10.0.10.10: icmp_seq=3 ttl=64 time=0.727 ms
64 bytes from 10.0.10.10: icmp_seq=4 ttl=64 time=0.885 ms
64 bytes from 10.0.10.10: icmp_seq=5 ttl=64 time=0.727 ms
64 bytes from 10.0.10.10: icmp_seq=6 ttl=64 time=0.670 ms
64 bytes from 10.0.10.10: icmp_seq=7 ttl=64 time=0.757 ms
64 bytes from 10.0.10.10: icmp_seq=8 ttl=64 time=1.29 ms
FAZHA001 diagnose ha status:
HA-Status: Secondary
up-time: 4m49.389s
config-sync: Allow
serial-no: FAZVMSTMxxxxxxx3
fazuid: 3433169053
hostname: fazha001
load balance status: 0x0
HA-Primary fazha@10.0.10.5 FAZVMSTMxxxxxxx4
ip: 10.0.10.5
serial-no: FAZVMSTMxxxxxxx4
fazuid: 4148610926
hostname: fazha002
conn-st: up
up/down-time: 4m47.987s
conn-msg:
cfgsync-st: up, 4m29.881s
data-init-sync-st: done, 4m43.984
FAZHA001 checking HA log:
tail -f /var/private/clusterd/faz-ha.log
2023/02/02 10:45:30 [add-ip] retry...
2023/02/02 10:45:30 [add-ip] Error network.InterfacesClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces?api-version=2020-05-01": x509: certificate signed by unknown authority
2023/02/02 11:11:40 <729> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:11:40 <729> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a
2023/02/02 11:11:40 <729> main: -> BACKUP
2023/02/02 11:11:40 <729> to_BACKUP: -> BACKUP
2023/02/02 11:16:16 <2716> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:16:16 <2716> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a
2023/02/02 11:16:16 <2716> main: -> MASTER
2023/02/02 11:16:17 [add-ip] 10.0.10.10 is private IP
2023/02/02 11:18:36 <3398> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:18:36 <3398> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a
2023/02/02 11:18:36 <3398> main: -> STOP
2023/02/02 11:18:36 <3398> main: -> STOP
2023/02/02 11:18:37 <3412> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:18:37 <3412> main: #0: 10.0.10.10 port1 00:0d:3a:bb:fc:4a
2023/02/02 11:18:37 <3412> main: -> BACKUP
2023/02/02 11:18:37 <3412> to_BACKUP: -> BACKUP
FAZHA002 diagnose ha status:
HA-Status: Primary
up-time: 4m26.266s
config-sync: Allow
serial-no: FAZVMSTMxxxxxxx4
fazuid: 4148610926
hostname: fazha002
load balance status: 0x8
HA-Secondary fazha@10.0.10.4 FAZVMSTMxxxxxxx3
ip: 10.0.10.4
serial-no: FAZVMSTMxxxxxxx3
fazuid: 3433169053
hostname: fazha001
conn-st: up
up/down-time: 4m25.952s
conn-msg:
cfgsync-st: up, 4m5.542s
data-init-sync-st: done, 4m11.562s
FAZHA002 checking HA log:
tail -f /var/private/clusterd/faz-ha.log
2023/02/02 11:11:41 <7372> main: -> MASTER
2023/02/02 11:11:42 [add-ip] 10.0.10.10 is private IP
2023/02/02 11:16:15 <8220> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:16:15 <8220> main: #0: 10.0.10.10 port1 60:45:bd:f5:2b:32
2023/02/02 11:16:15 <8220> main: -> STOP
2023/02/02 11:16:15 <8220> main: -> STOP
2023/02/02 11:16:16 <8233> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:16:16 <8233> main: #0: 10.0.10.10 port1 60:45:bd:f5:2b:32
2023/02/02 11:16:16 <8233> main: -> BACKUP
2023/02/02 11:16:16 <8233> to_BACKUP: -> BACKUP
2023/02/02 11:18:37 <9783> check_empty: platform=FAZVM64-AZURE
2023/02/02 11:18:37 <9783> main: #0: 10.0.10.10 port1 60:45:bd:f5:2b:32
2023/02/02 11:18:37 <9783> main: -> MASTER
2023/02/02 11:18:38 [add-ip] 10.0.10.10 is private IP
2023/02/02 11:19:12 [add-ip] error: network.InterfacesClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces?api-version=2020-05-01": x509: certificate signed by unknown authority
2023/02/02 11:19:17 [add-ip] retry...
2023/02/02 11:19:17 [add-ip] Error network.InterfacesClient#List: Failure sending request: StatusCode=0 -- Original Error: Get "https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/CMM_RG_FAZHA/providers/Microsoft.Network/networkInterfaces?api-version=2020-05-01": x509: certificate signed by unknown authority
The above shows that the private VIP cannot be transferred to the new primary FAZHA002 due to the certificate signed by unknown authority error. |