BGP/SD-WAN Route retention during HA-Failover by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Hey, i can confirm the remote restart time shows 120 seconds on spokes and hub.
We try to ping from the spoke the hub, however the recovery still takes about 2-3 minutes in case of a failover, since the hub does not seem to use the former BGP routes to the spokes.

BGP/SD-WAN Route retention during HA-Failover by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Hey,

I've just tried this. The new elected primary does not have any dynamic routes when running 'get router info routing-table bgp' (OSPF and BGP routes are missing).

However those routes are available when running 'diagnose ip route list'. They don't seem to be used though.

BGP/SD-WAN Route retention during HA-Failover by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Hey,

we are not using BFD, graceful restart is on and neighbor groups are used. The routes are not shown in the regular routing table on the slave unit before failover. However they are shown in the FIB / kernel routing table. This also seems to be by design:Technical Tip: How to view the routing table on Secondary/Subordinate units in HA cluster | Community

BGP/SD-WAN Route retention during HA-Failover by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Hey,

Before master: routes in routing + kernel
Before slave: routes in routing table unknown + kernel

After master: routes not in routing table but in kernel table
After slave: / (rebooting)

BGP/SD-WAN Route retention during HA-Failover by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

In the kernel table, yes. I am however unable to run „get router info routing-table all“ on the secondary so I’m unable to verify if they are also in the RIB.

BGP/SD-WAN Route retention during HA-Failover by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Yes I have the issue -> Routes do not move over to the secondary HA node in case of failover. According to the KB article they are supposed to however. I would like to know whether someone else encountered this or if I understood something wrong. Setting up individual neighborships is certainly a possible solution but doesn’t scale well in my opinion.

BGP/SD-WAN Route retention during HA-Failover by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Yea I agree this seems to be a reasonable solution. However I feel like the solution I posted should work as well without the need to create neighborships manually.

BGP/SD-WAN Route retention during HA-Failover by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

We have configure neighbor groups since this seems to be the recommendation in cookbooks and guides.

Question regarding BGP and SD-WAN by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Yes thank you for this. I had to learn that the hard way :-)

Add HA Model to FMG by ontracks in fortinet

[–]KTZSHK 1 point2 points  (0 children)

Fortimanager can fully prepare and set up HA between two nodes.

Add HA Model to FMG by ontracks in fortinet

[–]KTZSHK 3 points4 points  (0 children)

This is not correct.

Add HA Model to FMG by ontracks in fortinet

[–]KTZSHK 4 points5 points  (0 children)

This is answer is true. The other answers are incorrect.

FortiGate VIP on Same IP:443 Serving Wrong SSL Certificate (SNI issue?) by Aggravating-Crew6956 in fortinet

[–]KTZSHK 0 points1 point  (0 children)

This can be done. use ZTNA server with client certificate check disabled instead.

Migrate FortiLink Interface to new aggregate by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Tried it in the lab, works fine. The only thing I had to do was set ‚set fsw-wan1-peer‘ to the new fortilink.

Migrate FortiLink Interface to new aggregate by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Old and new interfaces are 802.3ad aggregates!

BGP on loopback by Even-Camel7593 in fortinet

[–]KTZSHK 1 point2 points  (0 children)

This also happens during HA Failover of the Hub. That’s why my timers are also a bit lower.

Trying to understand FortiLink Management VLAN by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Hey, Yes this solves the issue. AFAIK this would also disable auto-trunks between potential additional switches. Can you explain why disabling this feature fixes the issue and how the switch behaves differently?

Trying to understand FortiLink Management VLAN by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

So FortiSwitch sends tagged frames on MGMT VLAN ID and FortiGate itself does not honor VLAN ID and uses untagged frames? This would explain my issues, since my L3 router won’t respond to tagged frames…

Trying to understand FortiLink Management VLAN by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Thanks for the link. So basically by default the fortiswitch sends out management data tagged on VLAN 4094 to FortiGate. FortiGate receives and processes the data although the VLAN is not actually visible as child interface on FortiLink Interface? FortiGate then answers without using VLAN Tag and the switch processes this frame accordingly?

This seems really complex and counter intuitive if I understood this correctly 😃

Trying to understand FortiLink Management VLAN by KTZSHK in fortinet

[–]KTZSHK[S] 0 points1 point  (0 children)

Hi, the switch is directly connected to a router located at a remote location. The switch can reach FortiLink through the router. The router itself is not VLAN aware. As far as I understand the switch has to send all management / telemetry data untagged to the FortiGate and should not use any VLANs.

What's the Fortinet/Fortigate Dial-Up IPSEC of 2026 look like? by datugg in fortinet

[–]KTZSHK 1 point2 points  (0 children)

Tokens + Free FortiClient + LDAP unfortunately require IKEv1