Admin Guide (FGT-Managed)

Fast failover of CAPWAP control channel between two uplinks

When a FortiExtender is configured as a FortiGate LAN extension and has two uplinks to the FortiGate access controller (AC), the system can perform a fast failover of the CAPWAP LAN extension control channel. Two CAPWAP sessions are established between the FortiGate and the FortiExtender: one active and one standby. When the active uplink goes down, the CAPWAP LAN extension control channel quickly switches to the standby uplink. When the previously active uplink comes back up, the control channel does not switch back: it stays on the uplink that took over during the failover event, and the recovered uplink carries the standby session.

To display the active and standby sessions for the CAPWAP LAN extension control channel on the FortiGate:
  1. Execute the CLI command get extender session-info.

    In the CLI output, the active session is marked as lan-extension and the standby session is marked as secondary (printed as seconadry in the sample outputs on this page).

To display the active and standby sessions for the CAPWAP LAN extension control channel on the FortiExtender:
  1. Execute the CLI command get extender status.

    In the CLI output, the active and standby sessions and the uplink ports are displayed when both uplinks are up; only the active session and the uplink port are displayed when a single uplink is up.

Topology

In the following diagram, the FortiGate (FEXT controller) port3 has the CAPWAP control channel to the FortiExtender (uplinks wan1 and wan2). The FortiExtender-200F port1 and port2 stand for wan1 and wan2.

CLI

The following CLI outputs walk through an uplink failover event and show how this new feature works.

  1. Once the FortiExtender has two uplinks (port1, port2) that can reach the FortiGate, two CAPWAP sessions are established. One of them is the CAPWAP control channel (5246).

    *** FGT console displays two extender sessions, one of which works as lan-extension control channel.
    FortiGate-501E # get extender session-info
    Total 2 WS sessions, 0 AS sessions:
    fg connectors:
    extender sessions:
    FX0030000000000 : 3.3.3.1:60440 (dport 65535) seconadry, running, install, data-enable, refcnt 5, miss_echos -1, up-time 363 secs, change 1
    FX0030000000000 : 3.3.3.1:5246 (dport 47997) lan-extension, running, install, data-enable, refcnt 7, miss_echos -1, up-time 2216 secs, change 0

    *** FEXT console displays CAPWAP channel with active session (port1) and standby session (port2):
    FX200F0000000000 # get extender status
    Extender Status
    name : FX200F0000000000
    mode : CAPWAP
    session : active
        fext-addr : 5.5.5.1
        ingress-intf : port1
        controller-addr : 1.1.1.10:5246
        controller-name : FG5H1E5818904105
        uptime : 0 days, 0 hours, 36 minutes, 31 seconds
        management-state : CWWS_RUN
    session : standby
        fext-addr : 6.6.6.1
        ingress-intf : port2
        controller-addr : 1.1.1.10:5246
        controller-name : FG5H1E5818904105
        uptime : 0 days, 0 hours, 5 minutes, 38 seconds
        management-state : CWWS_RUN
    base-mac : E8:1C:BA:C4:4E:B1
    network-mode : lan-extension
    fgt-backup-mode : backup
    discovery-type : static
    discovery-interval : 5
    echo-interval : 30
    report-interval : 30
    statistics-interval : 120
    mdm-fw-server : fortiextender-firmware.forticloud.com
    os-fw-server : fortiextender-firmware.forticloud.com
    FX200F0000000000 #

  2. Once the active uplink (port1) is down, the secondary session becomes the CAPWAP control channel (60440).

    *** FGT console displays remaining extender session as lan-extension control channel.
    FortiGate-501E # get extender session-info
    Total 1 WS sessions, 0 AS sessions:
    fg connectors:
    extender sessions:
    FX0030000000000 : 3.3.3.1:60440 (dport 36583) lan-extension, running, install, data-enable, refcnt 7, miss_echos -1, up-time 481 secs, change 0

    *** FEXT console displays CAPWAP channel with active session (port2):
    FX200F0000000000 # get extender status
    Extender Status
    name : FX200F0000000000
    mode : CAPWAP
    session : standby
        fext-addr : 0.0.0.0
        ingress-intf :
        controller-addr : 1.1.1.10:5246
        controller-name : FG5H1E5818904105
        management-state : CWWS_DISCOVERY
    session : active
        fext-addr : 6.6.6.1
        ingress-intf : port2
        controller-addr : 1.1.1.10:5246
        controller-name : FG5H1E5818904105
        uptime : 0 days, 0 hours, 7 minutes, 56 seconds
        management-state : CWWS_RUN
    base-mac : E8:1C:BA:C4:4E:B1
    network-mode : lan-extension
    fgt-backup-mode : backup
    discovery-type : static
    discovery-interval : 5
    echo-interval : 30
    report-interval : 30
    statistics-interval : 120
    mdm-fw-server : fortiextender-firmware.forticloud.com
    os-fw-server : fortiextender-firmware.forticloud.com
    FX200F0000000000 #

  3. Once the uplink (port1) is recovered, the FortiGate console displays two extender sessions. The lan-extension control channel has no change (still via port2 on FEXT).

    *** FGT console displays two extender sessions, one of which works as lan-extension control channel.
    FortiGate-501E # get extender session-info
    Total 2 WS sessions, 0 AS sessions:
    fg connectors:
    extender sessions:
    FX0030000000000 : 3.3.3.1:5246 (dport 65535) seconadry, running, install, data-enable, refcnt 5, miss_echos -1, up-time 201 secs, change 1
    FX0030000000000 : 3.3.3.1:60440 (dport 36583) lan-extension, running, install, data-enable, refcnt 7, miss_echos -1, up-time 1904 secs, change 0

    *** FEXT console displays CAPWAP channel with active session (port2) and standby session (port1):
    FX200F0000000000 # get extender status
    Extender Status
    name : FX200F0000000000
    mode : CAPWAP
    session : standby
        fext-addr : 5.5.5.1
        ingress-intf : port1
        controller-addr : 1.1.1.10:5246
        controller-name : FG5H1E5818904105
        uptime : 0 days, 0 hours, 1 minutes, 55 seconds
        management-state : CWWS_RUN
    session : active
        fext-addr : 6.6.6.1
        ingress-intf : port2
        controller-addr : 1.1.1.10:5246
        controller-name : FG5H1E5818904105
        uptime : 0 days, 0 hours, 30 minutes, 18 seconds
        management-state : CWWS_RUN
    base-mac : E8:1C:BA:C4:4E:B1
    network-mode : lan-extension
    fgt-backup-mode : backup
    discovery-type : static
    discovery-interval : 5
    echo-interval : 30
    report-interval : 30
    statistics-interval : 120
    mdm-fw-server : fortiextender-firmware.forticloud.com
    os-fw-server : fortiextender-firmware.forticloud.com
    FX200F0000000000 #
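
The three steps above can be checked from saved CLI output. The following is an added example, not Fortinet code: a Python sketch that parses the session lines of get extender session-info and compares two snapshots to flag a control-channel failover or a missing standby session. The function names and event labels are assumptions of this example; the session lines are copied from the outputs on this page with the flag list shortened.

```python
import re

# Session lines as printed by `get extender session-info` in the steps above.
SESSION_RE = re.compile(
    r"^\s*(?P<serial>\S+)\s*:\s*(?P<peer>[\d.]+:\d+)\s+\(dport \d+\)\s+(?P<role>[\w-]+),")
# Prose on this page says "secondary"; the sample output prints "seconadry".
ROLE_MAP = {"lan-extension": "active", "secondary": "standby", "seconadry": "standby"}

def summarize(output):
    """Map serial -> {'active': peer or None, 'standby': peer or None}."""
    summary = {}
    for line in output.splitlines():
        m = SESSION_RE.match(line)
        if not m or m["role"] not in ROLE_MAP:
            continue  # header, prompt, or a session type this example ignores
        entry = summary.setdefault(m["serial"], {"active": None, "standby": None})
        entry[ROLE_MAP[m["role"]]] = m["peer"]
    return summary

def compare(before, after):
    """Return (serial, event, old_peer, new_peer) tuples between two snapshots."""
    findings = []
    old = summarize(before)
    for serial, now in summarize(after).items():
        was = old.get(serial, {"active": None})
        # Control channel now runs over a different session than before.
        if was["active"] and now["active"] and was["active"] != now["active"]:
            findings.append((serial, "failover", was["active"], now["active"]))
        # Only one session left: the next uplink loss drops the control channel.
        if now["active"] and not now["standby"]:
            findings.append((serial, "no-standby", now["active"], None))
    return findings

# Session lines copied from steps 1-3 on this page (flags shortened).
STEP1 = """extender sessions:
FX0030000000000 : 3.3.3.1:60440 (dport 65535) seconadry, running, install
FX0030000000000 : 3.3.3.1:5246 (dport 47997) lan-extension, running, install"""
STEP2 = """extender sessions:
FX0030000000000 : 3.3.3.1:60440 (dport 36583) lan-extension, running, install"""
STEP3 = """extender sessions:
FX0030000000000 : 3.3.3.1:5246 (dport 65535) seconadry, running, install
FX0030000000000 : 3.3.3.1:60440 (dport 36583) lan-extension, running, install"""

if __name__ == "__main__":
    for label, a, b in (("1->2", STEP1, STEP2), ("2->3", STEP2, STEP3)):
        print(label, compare(a, b) or "no change")
```

Comparing step 2 with step 3 reports nothing, which matches the documented behavior: the recovered uplink rejoins as standby and the control channel stays where it is.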
