7.2.0

Failover Scenarios Due to Network Communication Issues

There are situations when portions of the network may fail, preventing communication between the Primary and Secondary Servers. In those cases, the resulting failover behavior can vary. The following scenarios have been observed to occur predominantly in Layer 3 High Availability (HA) configurations. Note that these scenarios are also possible in Layer 2 HA configurations, but less likely to occur.

Scenario 1: Servers Fail to Communicate - Gateways Reachable

  • All FortiNAC processes are functioning as normal on primary and secondary.

  • Primary and secondary are communicating with their defined gateways.

  • The network is basically functioning but communications between just the primary and secondary are down.

Scenario 1 Failover Behavior:

  1. Primary stays active. Loader(s) remain running.

  2. Secondary becomes active and starts its loader(s). Both FortiNAC Servers are now running.

  3. After restoring the network communication between primary and secondary, the primary loader(s) immediately shut down. Secondary Server remains active.

Scenario 2: Servers Fail to Communicate – Primary’s Gateway Unreachable

  • All FortiNAC processes are functioning as normal on primary and secondary.

  • The network is basically functioning but communications between primary and secondary are down.

  • Primary’s network communication to its defined gateway is also down.

Scenario 2 Failover Behavior:

  1. Primary stays active. Loader(s) remain running.

  2. Secondary becomes active and starts its loader(s). Both FortiNAC Servers are now running.

  3. After restoring the network communication between primary and secondary, the primary loader(s) immediately shut down. Secondary Server remains active.

Scenario 3: Servers Fail to Communicate – Secondary’s Gateway Unreachable

  • All FortiNAC processes are functioning as normal on primary and secondary.

  • The network is basically functioning but communications between primary and secondary are down.

  • Secondary’s communication to its defined gateway is also down.

Scenario 3 Failover Behavior:

  1. Primary stays active. Loader(s) remain running.

  2. The secondary goes through the failure routine but does NOT start the loader(s).

  3. After restoring the network communication between the primary, secondary and gateway:

       • Primary remains active.

       • Secondary returns to a ‘not in control’ mode.

       • Database replication is restarted on the secondary.

Configuration Considerations

To prevent scenarios where both servers are running when a wide area network failure occurs, the following can be used when configuring High Availability:

Primary Appliance Gateway IP Address: the actual network gateway of the secondary system.

Secondary Appliance Gateway IP Address: the actual network gateway of the primary system.

With this configuration, if there is a wide area network failure, the secondary will fail to reach both the gateway and primary (as in scenario 3) and the secondary loader(s) will not start.
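
The effect of this gateway setting can be checked with a small model. This is an added example, not Fortinet code. It assumes a constructed two-site topology (`primary - gw_a ==WAN== gw_b - secondary`) and a decision rule inferred from the scenarios above: the secondary starts its loader(s) only when it cannot reach the primary but can still reach its configured gateway.

```python
from collections import deque

# Constructed topology (assumption): primary - gw_a ==WAN== gw_b - secondary
LINKS = {("primary", "gw_a"), ("gw_a", "gw_b"), ("gw_b", "secondary")}
WAN = ("gw_a", "gw_b")


def reachable(src, dst, down):
    """Breadth-first search over the links that are still up."""
    up = LINKS - set(down)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        for a, b in up:
            nxt = b if a == node else a if b == node else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return dst in seen


def secondary_starts_loaders(down, secondary_gateway):
    """Inferred rule: take control only if the primary is unreachable
    AND the gateway configured on the secondary still answers."""
    lost_primary = not reachable("secondary", "primary", down)
    gateway_ok = reachable("secondary", secondary_gateway, down)
    return lost_primary and gateway_ok


def active_servers(down, secondary_gateway):
    """The primary stays active in every scenario on this page."""
    active = ["primary"]
    if secondary_starts_loaders(down, secondary_gateway):
        active.append("secondary")
    return active


if __name__ == "__main__":
    # WAN failure with the secondary's own gateway configured: both run.
    print("own gateway (gw_b):  ", active_servers([WAN], "gw_b"))
    # WAN failure with the primary's gateway configured on the secondary.
    print("cross gateway (gw_a):", active_servers([WAN], "gw_a"))
    # Scenario 3: the secondary's link to its gateway is down.
    print("scenario 3:          ", active_servers([("gw_b", "secondary")], "gw_b"))
```
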
