
Administration Guide

Servers on different subnets (Layer 3)

Doc ID 2cb222d1-3405-11ea-9384-00505692583a:49255

Note

In a high availability environment with an L3 configuration where redundant FortiNAC servers are on different subnets and do not use a shared IP address, you must select the Layer 3 network option in the Configuration Wizard. L3 high availability configurations are not supported with Layer 2 Isolation settings.

Network infrastructure

  • If your primary and secondary servers are on different subnets, a Shared IP address cannot be used. Make sure that communication between the subnets is configured in advance.
  • Configure two DHCP Helpers (eth1 on the primary and eth1 on the secondary) for the isolation VLANs. FortiNAC returns two DNS servers (eth1 on the primary and eth1 on the secondary) to hosts on the isolation VLANs.

    After a failover, isolated hosts still hold both DNS entries and can resolve through the secondary. If a host stays in isolation longer than its DHCP lease time, its renewal request to the primary fails, so it restarts DHCP discovery and obtains an address from the secondary application server. The secondary responds with the same two DNS servers (secondary eth1 and primary eth1), so name resolution in isolation keeps working.

  • If you are using high availability for a FortiNAC Control Server and FortiNAC Application Server pair, when failover occurs both servers fail over together. See Recovery.
  • Configure all network devices to send traps to both the primary and secondary FortiNAC server IP addresses.
  • Configure RADIUS servers to use both the primary and secondary addresses.
  • If you are setting up FortiNAC as the RADIUS server for a device in a high availability environment, you must use the actual IP address of the primary control server, not the Shared IP address. Set up the secondary control server as a secondary RADIUS server using its actual IP address. Regardless of the environment, you may also want to set up your actual RADIUS server to be used in the event that none of your FortiNAC appliances can be reached. This would allow users to access the network, but they would not be controlled by FortiNAC.

  • If your primary and secondary servers are running on different subnets and do not use a shared IP address, make sure that the Persistent Agent and all other features use the individual IP addresses or host names of the primary and secondary servers. Refer to the Help on Persistent Agent Properties.
  • If you are using the Guest self registration feature, you must configure settings to generate the correct links in the emails sent to sponsors when a guest requests access. See Configure the email link.
  • In a high availability configuration, changes to the database on the primary server are replicated immediately to the secondary server. If the latency is too high or the bandwidth between the redundant servers is insufficient, the secondary may not have all of the database changes made on the primary when a failover occurs. The network requirement cannot be determined in advance because it varies with product usage and load. Use the following values as a starting point and adjust them based on observed replication behavior.

The starting latency and bandwidth recommendations are as follows:

  • latency between remote data nodes must not exceed 20 milliseconds
  • bandwidth of the network link must be a minimum of 4.8 Mbps

Your usage of the product will affect the network requirements. Fortinet recommends using the "Database Replication Error" event and the corresponding alarm action to notify administrators when an error occurs. There are two possible causes: a momentary network outage between the servers, which produces an isolated event, or a link that is too slow for the replication load. If the event occurs continuously, the speed of the network link between the servers must be increased.
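The trap, RADIUS and DHCP helper requirements above are easy to get wrong on a per-device basis, especially the rule that the shared IP address has no place in an L3 deployment. The following is an added example, not FortiNAC code or a FortiNAC API: it parses a constructed device configuration written in a simplified IOS-style syntax (snmp-server host, radius-server host, ip helper-address) and reports which of the rules on this page the device violates. The FortiNAC interface addresses, the shared IP, the isolation VLAN names and the fallback RADIUS server are assumed values.

```python
"""
Added example, not FortiNAC's own code or API: audit a network device's
NAC-related configuration against the Layer 3 HA rules on this page.
The device configuration text is constructed, in a simplified IOS-style
syntax; the FortiNAC addresses below are assumed values.
"""
import re
from typing import Dict, List

# Assumed addresses of the HA pair. In an L3 deployment there is no shared IP,
# so every integration must reference these real interface addresses.
PRIMARY_CTRL = "10.1.10.10"      # primary control server (RADIUS, SNMP traps)
SECONDARY_CTRL = "10.2.10.10"    # secondary control server
PRIMARY_ETH1 = "10.1.20.10"      # primary application server eth1 (isolation DHCP/DNS)
SECONDARY_ETH1 = "10.2.20.10"    # secondary application server eth1
SHARED_IP = "10.1.10.1"          # assumed L2-style shared IP; must not appear in L3 HA
ISOLATION_VLANS = {"Vlan200", "Vlan201"}   # assumed isolation VLAN interfaces

SNMP_HOST_RE = re.compile(r"^snmp-server host (\S+)")
RADIUS_HOST_RE = re.compile(r"^radius-server host (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
HELPER_RE = re.compile(r"^\s+ip helper-address (\S+)")


def parse_device_config(text: str) -> Dict[str, object]:
    """Extract trap targets, RADIUS servers (in configured order) and per-interface helpers."""
    traps: List[str] = []
    radius: List[str] = []
    helpers: Dict[str, List[str]] = {}
    current = None                      # interface whose sub-commands we are inside
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
            helpers.setdefault(current, [])
            continue
        if m := HELPER_RE.match(line):
            if current:
                helpers[current].append(m.group(1))
            continue
        if line and not line.startswith(" "):
            current = None              # any other top-level command ends the interface block
        if m := SNMP_HOST_RE.match(line):
            traps.append(m.group(1))
        elif m := RADIUS_HOST_RE.match(line):
            radius.append(m.group(1))
    return {"traps": traps, "radius": radius, "helpers": helpers}


def audit(cfg: Dict[str, object]) -> List[str]:
    """Return one finding per rule on this page that the device violates."""
    findings: List[str] = []
    traps, radius, helpers = cfg["traps"], cfg["radius"], cfg["helpers"]
    # Traps must reach both control servers, or the standby learns nothing.
    for ip in (PRIMARY_CTRL, SECONDARY_CTRL):
        if ip not in traps:
            findings.append(f"traps: {ip} is not a trap destination")
    # No shared IP anywhere when the servers sit on different subnets.
    if SHARED_IP in traps or SHARED_IP in radius:
        findings.append(f"shared IP {SHARED_IP} used; not valid for servers on different subnets")
    # RADIUS order: primary actual IP, secondary actual IP, then a fallback server.
    if radius[:2] != [PRIMARY_CTRL, SECONDARY_CTRL]:
        findings.append("radius: first two servers must be the primary then the secondary actual IP")
    if len(radius) < 3:
        findings.append("radius: no fallback server for when both FortiNAC servers are unreachable")
    # Each isolation VLAN needs a DHCP helper for eth1 of both application servers.
    for vlan in sorted(ISOLATION_VLANS):
        present = helpers.get(vlan, [])
        for ip in (PRIMARY_ETH1, SECONDARY_ETH1):
            if ip not in present:
                findings.append(f"{vlan}: missing DHCP helper {ip}")
    return findings


# Constructed sample configurations (not from any real device).
GOOD_CONFIG = """\
snmp-server host 10.1.10.10 version 2c public
snmp-server host 10.2.10.10 version 2c public
radius-server host 10.1.10.10 key s3cret
radius-server host 10.2.10.10 key s3cret
radius-server host 10.9.9.9 key s3cret
interface Vlan200
 ip helper-address 10.1.20.10
 ip helper-address 10.2.20.10
interface Vlan201
 ip helper-address 10.1.20.10
 ip helper-address 10.2.20.10
"""

BAD_CONFIG = """\
snmp-server host 10.1.10.10 version 2c public
radius-server host 10.1.10.1 key s3cret
radius-server host 10.2.10.10 key s3cret
interface Vlan200
 ip helper-address 10.1.20.10
 ip helper-address 10.2.20.10
interface Vlan201
 ip helper-address 10.1.20.10
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit(parse_device_config(text)) or "OK")
```

The "bad" configuration points RADIUS at the shared IP, sends traps only to the primary, has no fallback RADIUS server and leaves one isolation VLAN without a helper for the secondary; each of those surfaces as a separate finding, which is what you want from a pre-failover check.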
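To act on the "Database Replication Error" guidance above you need to tell an isolated event from a continuous one, and to compare the measured link against the 20 ms and 4.8 Mbps starting values. The following is an added example, not FortiNAC code: it checks measured link metrics against those baselines and classifies replication error events from a log. The log lines and their format (an ISO timestamp followed by event="...") are constructed, and the 10-minute window and threshold of three events are assumed tuning values, not values from the page.

```python
"""
Added example, not part of FortiNAC: compare link metrics between the HA pair
against the baseline on this page, and classify "Database Replication Error"
events as momentary or persistent. Log format, window and threshold are
assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import List

MAX_LATENCY_MS = 20.0       # page: latency between data nodes must not exceed 20 ms
MIN_BANDWIDTH_MBPS = 4.8    # page: link bandwidth must be at least 4.8 Mbps
EVENT_NAME = "Database Replication Error"
LINE_RE = re.compile(r'^(\S+)\s+event="([^"]+)"')   # assumed log line shape


def check_link(latency_ms: float, bandwidth_mbps: float) -> List[str]:
    """Return findings for a measured link that falls outside the starting recommendations."""
    findings: List[str] = []
    if latency_ms > MAX_LATENCY_MS:
        findings.append(f"latency {latency_ms:.1f} ms exceeds {MAX_LATENCY_MS:.0f} ms")
    if bandwidth_mbps < MIN_BANDWIDTH_MBPS:
        findings.append(f"bandwidth {bandwidth_mbps:.1f} Mbps is below {MIN_BANDWIDTH_MBPS} Mbps")
    return findings


def replication_error_times(lines: List[str]) -> List[datetime]:
    """Timestamps of replication error events, sorted; other events are ignored."""
    times: List[datetime] = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(2) == EVENT_NAME:
            times.append(datetime.fromisoformat(m.group(1)))
    return sorted(times)


def classify(times: List[datetime], window: timedelta = timedelta(minutes=10),
             threshold: int = 3) -> str:
    """'none' with no errors; 'persistent' if any window holds >= threshold errors;
    otherwise 'momentary' (isolated events, consistent with a brief network outage)."""
    if not times:
        return "none"
    for i, start in enumerate(times):
        # Count errors in the half-open interval [start, start + window).
        count = sum(1 for t in times[i:] if t - start < window)
        if count >= threshold:
            return "persistent"
    return "momentary"


# Constructed sample logs (not real FortiNAC output).
MOMENTARY_LOG = [
    '2024-03-01T02:00:00 event="Database Replication Error" detail="secondary unreachable"',
    '2024-03-01T02:00:45 event="Database Replication Complete" detail="resynchronized"',
    '2024-03-01T09:15:00 event="Database Replication Error" detail="secondary unreachable"',
]
PERSISTENT_LOG = [
    '2024-03-01T10:00:00 event="Database Replication Error" detail="timeout"',
    '2024-03-01T10:03:00 event="Database Replication Error" detail="timeout"',
    '2024-03-01T10:06:00 event="Database Replication Error" detail="timeout"',
    '2024-03-01T10:09:00 event="Database Replication Error" detail="timeout"',
]

if __name__ == "__main__":
    print("link:", check_link(latency_ms=35.0, bandwidth_mbps=2.0) or "within baseline")
    print("momentary log:", classify(replication_error_times(MOMENTARY_LOG)))
    print("persistent log:", classify(replication_error_times(PERSISTENT_LOG)))
```

Two isolated errors seven hours apart classify as momentary, which matches the "momentary network outage" cause; four errors inside ten minutes classify as persistent, which is the case where the page says the link speed must be increased. Feed the classifier the event history the alarm action delivers rather than a single event, otherwise every error looks momentary.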

Appliance configuration

  • Make sure all appliances have a license key that includes high availability and that all appliances have matching licenses.
  • Use the Configuration Wizard to configure each of the appliances. Refer to the Appliance Installation Guide that comes with the appliances for information on using the Configuration Wizard.

    You must run the Configuration Wizard on both the primary and secondary servers and make sure that the necessary Route scopes are filled in for both servers. If you do not enter scopes on both servers, the high availability configuration will be incomplete and will not work correctly.

  • Go to the Administration - High Availability tab and configure IP addresses and communication between appliances. See Primary and secondary configuration.
  • Apply the configuration to restart your appliances. This replicates the database on the secondary and copies any necessary files. Portal pages are copied every 10 minutes.

    If you are using DHCP Management in a high availability environment, the ports to which the DHCP interfaces connect must be added to the System DHCP Port group. See Modifying a Group in the FortiNAC Administration and Operation documentation for additional information. These fields must be set up correctly, or DHCP monitoring will not run after a failover.

  • Ensure that the DHCP plugins on both the primary and secondary are configured.
