Fortinet white logo
Fortinet white logo

FortiWiFi and FortiAP Configuration Guide

CAPWAP hitless failover using FGCP

CAPWAP hitless failover using FGCP

Tooltip

CAPWAP hitless failover with FGCP is only available on FortiAP AX platforms and F Series models when FortiGates are running in Active-Passive mode.

This example uses a simple network topology to set up FortiGates as WLAN controllers in HA Active-Passive by using the FortiGate Clustering Protocol (FGCP). FGCP is the most commonly used HA solution. It enables two FortiGates Wireless controllers of the same type and model to be put into a cluster in Active-Passive (A-P) mode. A-P mode provides redundancy by having one or more FortiGates in hot standby in case the primary device experiences a detectable failure. If a failure occurs, CAPWAP traffic quickly fails over to a secondary device, preventing significant AP downtime with minimal impact for the wireless clients.

For more information, refer to Failover protection in the FortiGate Administration Guide.

The FortiAP establishes two CAPWAP tunnels:

  • One tunnel to an Active/Primary FortiGate.
  • One tunnel to a Backup/Standby FortiGate.

The CAPWAP traffic is always processed by the Active FortiGate, which relays the FortiAP information to the Backup/Standby FortiGate using heartbeat interface over FGCP.

The FortiAP forms dual CAPWAP sessions with both FortiGates:

  • fsm state RUN with the Active FortiGate.
  • RUN_STANDBY with the Backup FortiGate.

FortiAP uses two sets of control and data channels:

  • FAP------------------>5246/5247----------->Active FGT
  • FAP------------------>5248/5249----------->Active FGT --------------5246/5247----------->Secondary FGT

When the primary FortiGate fails, the secondary FortiGate immediately takes over as the new active FortiGate and manages the FortiAP. Wireless clients connected over tunnel/bridge SSID also maintain the connection during the failover.

The general configuration steps are:

  1. Configure the primary FortiGate for HA with higher priority.
  2. Configure the secondary FortiGate for HA with a lower device priority than the primary FortiGate.
  3. Connect heartbeat interface to the primary FortiGate.
  4. Connect the LAN interface to the network.
  5. Configure the override flag in HA configuration for preemptive failover and fallback.
  6. Manually configure the override and priority configuration on both FortiGates as they don't sync as part of HA sync.
  7. Enable session pickup in the Active FortiGate's HA configuration. This setting ensures that existing sessions on active firewall is synced with the backup unit and the session persists upon failover.
To configure the primary FortiGate

For detailed instructions on setting up an HA active-passive cluster, refer to HA active-passive cluster setup in the FortiGate Administration Guide.

 config system ha
  set group-name "FGT-Prod"
  set mode a-p
  set password <PWD>
  set hbdev "ha" 0
  set override disable
  set priority 200
  set session-pickup enable
  set override disable
end

Note

When session-pickup is enabled in the HA settings, existing TCP sessions are kept, and users on the network are not impacted by downtime as the traffic can be passed without re-establishing the sessions. Other sessions such as UDP, ICMP, and etc., can also be synchronized. For more information, refer to the FortiGate CLI documentation.

To configure the secondary FortiGate
config system ha
  set group-name "FGT-Prod"
  set mode a-p
  set password <PWD>
  set hbdev "ha" 0
  set override disable
  set priority 20
  set session-pickup enable
  set override disable
end
Note

When override is enabled, it ensures the FortiGate will always get the same node as the primary FortiGate.

When you are finished, confirm the cluster shows both nodes.

Diagnose commands

FGCP debug commands

To check HA status

Execute the following command:

diagnose sys ha status
HA information
Statistics
	traffic.local = s:0 p:694553983 b:606857125628
	traffic.total = s:0 p:694508998 b:606848291577
	activity.ha_id_changes = 3
	activity.fdb  = c:0 q:0
Model=500, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=1, delay=0
[Debug_Zone HA information]
HA group member information: is_manage_primary=1.
FG5H0E5819905179:      Primary, serialno_prio=0, usr_priority=200, hostname=FGT-500E-1
FG5H0E5819900844:    Secondary, serialno_prio=1, usr_priority=20, hostname=FGT-500E-2
[Kernel HA information]
vcluster 1, state=work, primary_ip=169.254.0.1, primary_id=0:
FG5H0E5819905179:      Primary, ha_prio/o_ha_prio=0/0
FG5H0E5819900844:      Secondary, ha_prio/o_ha_prio=1/1
To check HA sync
get sys ha status

Wireless Controller HA status

To check the status of the primary FortiGate

On the primary FortiGate, run the diagnose wireless-controller wlac -c ha command. The output should resemble the following:

FGT-500E-1 # diagnose wireless-controller wlac -c ha
HA info:
   mode: a-p (2)
   group name: FGT-Prod
   master: 1
To check the status of the secondary FortiGate

On the secondary FortiGate, run the diagnose wireless-controller wlac -c ha command. The output should resemble the following:

FGT-500E-2 # diagnose wireless-controller wlac -c ha
HA info:
   mode: a-p (2)
   group name: FGT-Prod
   master: 0

Troubleshooting FortiAP

To check FortiAP connectivity to the primary and secondary FortiGates

On each FortiAP, you can check their connectivity to both the primary and secondary FortiGates with the following command:

FAP-431F # cw_diag -c ha
wcha_mode: FGCP @2294596

ACS-0: 10.199.0.46:5246       10.199.0.46:5247       RUN(25929)           9    HA M 5248 FG5H0E5819905179 25653 FGT-500E
ACS-1: 10.199.0.46:5248       10.199.0.46:5249       RUN_STANDBY(23789)   9    HA S 5248 FG5H0E5819900844 23789 FGT-500E-2

HA SYNC status:
       vap00 1, vap01 1, vap02 1, vap03 1,
       vap10 1, vap11 1, vap12 1, vap14 1,

Control plane

5246

5248

DATA plane

5247

5249

Connection state

RUN

RUN_STANDBY

You can verify the connection with the following command:

FAP-431F # cw_diag -c acs
WTP Configuration
    name                 : FAP-431F
    loc                  : N/A
    ap mode              : thin AP
    ...
ACS 0 info
    ha   info            : ac=FG5H0E5819905179 master=1 ctl_port=5248
    fsm-state            : RUN 264272
    ac-ip-addr           : 10.199.0.46:5246,5247        MULTICAST
    ac-name              : FGT-500E
    ...
ACS 1 info
    ha   info            : ac=FG5H0E5819900844 master=0 ctl_port=5248
    fsm-state            : RUN_STANDBY 262132
    ac-ip-addr           : 10.199.0.46:5248,5249        MULTICAST
    ac-name              : FGT-500E-2
    ...
Debugging options from FortiAP

cw_debug on

cw_diag debug ha 5

Debugging options from FortiGate

diag wireless-controller wlac debug ha 4

diag debug enable

CAPWAP hitless failover using FGCP

CAPWAP hitless failover using FGCP

Tooltip

CAPWAP hitless failover with FGCP is only available on FortiAP AX platforms and F Series models when FortiGates are running in Active-Passive mode.

This example uses a simple network topology to set up FortiGates as WLAN controllers in HA Active-Passive by using the FortiGate Clustering Protocol (FGCP). FGCP is the most commonly used HA solution. It enables two FortiGates Wireless controllers of the same type and model to be put into a cluster in Active-Passive (A-P) mode. A-P mode provides redundancy by having one or more FortiGates in hot standby in case the primary device experiences a detectable failure. If a failure occurs, CAPWAP traffic quickly fails over to a secondary device, preventing significant AP downtime with minimal impact for the wireless clients.

For more information, refer to Failover protection in the FortiGate Administration Guide.

The FortiAP establishes two CAPWAP tunnels:

  • One tunnel to an Active/Primary FortiGate.
  • One tunnel to a Backup/Standby FortiGate.

The CAPWAP traffic is always processed by the Active FortiGate, which relays the FortiAP information to the Backup/Standby FortiGate using heartbeat interface over FGCP.

The FortiAP forms dual CAPWAP sessions with both FortiGates:

  • fsm state RUN with the Active FortiGate.
  • RUN_STANDBY with the Backup FortiGate.

FortiAP uses two sets of control and data channels:

  • FAP------------------>5246/5247----------->Active FGT
  • FAP------------------>5248/5249----------->Active FGT --------------5246/5247----------->Secondary FGT

When the primary FortiGate fails, the secondary FortiGate immediately takes over as the new active FortiGate and manages the FortiAP. Wireless clients connected over tunnel/bridge SSID also maintain the connection during the failover.

The general configuration steps are:

  1. Configure the primary FortiGate for HA with higher priority.
  2. Configure the secondary FortiGate for HA with a lower device priority than the primary FortiGate.
  3. Connect heartbeat interface to the primary FortiGate.
  4. Connect the LAN interface to the network.
  5. Configure the override flag in HA configuration for preemptive failover and fallback.
  6. Manually configure the override and priority configuration on both FortiGates as they don't sync as part of HA sync.
  7. Enable session pickup in the Active FortiGate's HA configuration. This setting ensures that existing sessions on active firewall is synced with the backup unit and the session persists upon failover.
To configure the primary FortiGate

For detailed instructions on setting up an HA active-passive cluster, refer to HA active-passive cluster setup in the FortiGate Administration Guide.

 config system ha
  set group-name "FGT-Prod"
  set mode a-p
  set password <PWD>
  set hbdev "ha" 0
  set override disable
  set priority 200
  set session-pickup enable
  set override disable
end

Note

When session-pickup is enabled in the HA settings, existing TCP sessions are kept, and users on the network are not impacted by downtime as the traffic can be passed without re-establishing the sessions. Other sessions such as UDP, ICMP, and etc., can also be synchronized. For more information, refer to the FortiGate CLI documentation.

To configure the secondary FortiGate
config system ha
  set group-name "FGT-Prod"
  set mode a-p
  set password <PWD>
  set hbdev "ha" 0
  set override disable
  set priority 20
  set session-pickup enable
  set override disable
end
Note

When override is enabled, it ensures the FortiGate will always get the same node as the primary FortiGate.

When you are finished, confirm the cluster shows both nodes.

Diagnose commands

FGCP debug commands

To check HA status

Execute the following command:

diagnose sys ha status
HA information
Statistics
	traffic.local = s:0 p:694553983 b:606857125628
	traffic.total = s:0 p:694508998 b:606848291577
	activity.ha_id_changes = 3
	activity.fdb  = c:0 q:0
Model=500, Mode=2 Group=0 Debug=0
nvcluster=1, ses_pickup=1, delay=0
[Debug_Zone HA information]
HA group member information: is_manage_primary=1.
FG5H0E5819905179:      Primary, serialno_prio=0, usr_priority=200, hostname=FGT-500E-1
FG5H0E5819900844:    Secondary, serialno_prio=1, usr_priority=20, hostname=FGT-500E-2
[Kernel HA information]
vcluster 1, state=work, primary_ip=169.254.0.1, primary_id=0:
FG5H0E5819905179:      Primary, ha_prio/o_ha_prio=0/0
FG5H0E5819900844:      Secondary, ha_prio/o_ha_prio=1/1
To check HA sync
get sys ha status

Wireless Controller HA status

To check the status of the primary FortiGate

On the primary FortiGate, run the diagnose wireless-controller wlac -c ha command. The output should resemble the following:

FGT-500E-1 # diagnose wireless-controller wlac -c ha
HA info:
   mode: a-p (2)
   group name: FGT-Prod
   master: 1
To check the status of the secondary FortiGate

On the secondary FortiGate, run the diagnose wireless-controller wlac -c ha command. The output should resemble the following:

FGT-500E-2 # diagnose wireless-controller wlac -c ha
HA info:
   mode: a-p (2)
   group name: FGT-Prod
   master: 0

Troubleshooting FortiAP

To check FortiAP connectivity to the primary and secondary FortiGates

On each FortiAP, you can check their connectivity to both the primary and secondary FortiGates with the following command:

FAP-431F # cw_diag -c ha
wcha_mode: FGCP @2294596

ACS-0: 10.199.0.46:5246       10.199.0.46:5247       RUN(25929)           9    HA M 5248 FG5H0E5819905179 25653 FGT-500E
ACS-1: 10.199.0.46:5248       10.199.0.46:5249       RUN_STANDBY(23789)   9    HA S 5248 FG5H0E5819900844 23789 FGT-500E-2

HA SYNC status:
       vap00 1, vap01 1, vap02 1, vap03 1,
       vap10 1, vap11 1, vap12 1, vap14 1,

Control plane

5246

5248

DATA plane

5247

5249

Connection state

RUN

RUN_STANDBY

You can verify the connection with the following command:

FAP-431F # cw_diag -c acs
WTP Configuration
    name                 : FAP-431F
    loc                  : N/A
    ap mode              : thin AP
    ...
ACS 0 info
    ha   info            : ac=FG5H0E5819905179 master=1 ctl_port=5248
    fsm-state            : RUN 264272
    ac-ip-addr           : 10.199.0.46:5246,5247        MULTICAST
    ac-name              : FGT-500E
    ...
ACS 1 info
    ha   info            : ac=FG5H0E5819900844 master=0 ctl_port=5248
    fsm-state            : RUN_STANDBY 262132
    ac-ip-addr           : 10.199.0.46:5248,5249        MULTICAST
    ac-name              : FGT-500E-2
    ...
Debugging options from FortiAP

cw_debug on

cw_diag debug ha 5

Debugging options from FortiGate

diag wireless-controller wlac debug ha 4

diag debug enable