CAPWAP hitless failover using FGCP
CAPWAP hitless failover with FGCP is only available on FortiAP AX platforms and F Series models when FortiGates are running in Active-Passive mode. |
This example uses a simple network topology to set up FortiGates as WLAN controllers in HA Active-Passive by using the FortiGate Clustering Protocol (FGCP). FGCP is the most commonly used HA solution. It enables two FortiGates Wireless controllers of the same type and model to be put into a cluster in Active-Passive (A-P) mode. A-P mode provides redundancy by having one or more FortiGates in hot standby in case the primary device experiences a detectable failure. If a failure occurs, CAPWAP traffic quickly fails over to a secondary device, preventing significant AP downtime with minimal impact for the wireless clients.
For more information, refer to FGCP in the FortiGate Administration Guide.
The FortiAP establishes two CAPWAP tunnels:
- One tunnel to an Active/Primary FortiGate.
- One tunnel to a Backup/Standby FortiGate.
The CAPWAP traffic is always processed by the Active FortiGate, which relays the FortiAP information to the Backup/Standby FortiGate using heartbeat interface over FGCP.
The FortiAP forms dual CAPWAP sessions with both FortiGates:
-
fsm state RUN
with the Active FortiGate. RUN_STANDBY
with the Backup FortiGate.
FortiAP uses two sets of control and data channels:
- FAP------------------>5246/5247----------->Active FGT
- FAP------------------>5248/5249----------->Active FGT --------------5246/5247----------->Secondary FGT
When the primary FortiGate fails, the secondary FortiGate immediately takes over as the new active FortiGate and manages the FortiAP. Wireless clients connected over tunnel/bridge SSID also maintain the connection during the failover.
The general configuration steps are:
- Configure the primary FortiGate for HA with higher priority.
- Configure the secondary FortiGate for HA with a lower device priority than the primary FortiGate.
- Connect heartbeat interface to the primary FortiGate.
- Connect the LAN interface to the network.
- Configure the override flag in HA configuration for preemptive failover and fallback.
- Manually configure the override and priority configuration on both FortiGates as they don't sync as part of HA sync.
- Enable session pickup in the Active FortiGate's HA configuration. This setting ensures that existing sessions on active firewall is synced with the backup unit and the session persists upon failover.
To configure the primary FortiGate:
For detailed instructions on setting up an HA active-passive cluster, refer to HA active-passive cluster setup in the FortiGate Administration Guide.
config system ha set group-name "FGT-Prod" set mode a-p set password <PWD> set hbdev "ha" 0 set override disable set priority 200 set session-pickup enable set override disable end
When |
To configure the secondary FortiGate:
config system ha set group-name "FGT-Prod" set mode a-p set password <PWD> set hbdev "ha" 0 set override disable set priority 20 set session-pickup enable set override disable end
When |
When you are finished, confirm the cluster shows both nodes.
Diagnose commands
FGCP debug commands
To check HA status:
Execute the following command:
diagnose sys ha status HA information Statistics traffic.local = s:0 p:694553983 b:606857125628 traffic.total = s:0 p:694508998 b:606848291577 activity.ha_id_changes = 3 activity.fdb = c:0 q:0 Model=500, Mode=2 Group=0 Debug=0 nvcluster=1, ses_pickup=1, delay=0 [Debug_Zone HA information] HA group member information: is_manage_primary=1. FG5H0E5819905179: Primary, serialno_prio=0, usr_priority=200, hostname=FGT-500E-1 FG5H0E5819900844: Secondary, serialno_prio=1, usr_priority=20, hostname=FGT-500E-2 [Kernel HA information] vcluster 1, state=work, primary_ip=169.254.0.1, primary_id=0: FG5H0E5819905179: Primary, ha_prio/o_ha_prio=0/0 FG5H0E5819900844: Secondary, ha_prio/o_ha_prio=1/1
To check HA sync:
get sys ha status
Wireless Controller HA status
To check the status of the primary FortiGate:
On the primary FortiGate, run the diagnose wireless-controller wlac -c ha
command. The output should resemble the following:
FGT-500E-1 # diagnose wireless-controller wlac -c ha HA info: mode: a-p (2) group name: FGT-Prod master: 1
To check the status of the secondary FortiGate:
On the secondary FortiGate, run the diagnose wireless-controller wlac -c ha
command. The output should resemble the following:
FGT-500E-2 # diagnose wireless-controller wlac -c ha HA info: mode: a-p (2) group name: FGT-Prod master: 0
Troubleshooting FortiAP
To check FortiAP connectivity to the primary and secondary FortiGates:
On each FortiAP, you can check their connectivity to both the primary and secondary FortiGates with the following command:
FAP-431F # cw_diag -c ha wcha_mode: FGCP @2294596 ACS-0: 10.199.0.46:5246 10.199.0.46:5247 RUN(25929) 9 HA M 5248 FG5H0E5819905179 25653 FGT-500E ACS-1: 10.199.0.46:5248 10.199.0.46:5249 RUN_STANDBY(23789) 9 HA S 5248 FG5H0E5819900844 23789 FGT-500E-2 HA SYNC status: vap00 1, vap01 1, vap02 1, vap03 1, vap10 1, vap11 1, vap12 1, vap14 1,
Control plane |
5246 5248 |
DATA plane |
5247 5249 |
Connection state |
RUN RUN_STANDBY |
You can verify the connection with the following command:
FAP-431F # cw_diag -c acs WTP Configuration name : FAP-431F loc : N/A ap mode : thin AP ... ACS 0 info ha info : ac=FG5H0E5819905179 master=1 ctl_port=5248 fsm-state : RUN 264272 ac-ip-addr : 10.199.0.46:5246,5247 MULTICAST ac-name : FGT-500E ... ACS 1 info ha info : ac=FG5H0E5819900844 master=0 ctl_port=5248 fsm-state : RUN_STANDBY 262132 ac-ip-addr : 10.199.0.46:5248,5249 MULTICAST ac-name : FGT-500E-2 ...
Debugging options from FortiAP:
cw_debug on
cw_diag debug ha 5
Debugging options from FortiGate:
diag wireless-controller wlac debug ha 4
diag debug enable