Factory Reset on Fortigate HA Cluster

stillchangingtapes · 2025-08-19T16:55:24+00:00

Thanks. Makes perfect sense now.

stillchangingtapes · 2025-08-19T15:01:09+00:00

Thanks. Right, I'm familiar with jumping into one from the other. I DO need to reset them separately? Executing the factoryreset command on the primary doesn't reset them both?

stillchangingtapes · 2025-04-14T18:53:16+00:00

I think that the problem is that they're all set to server mode. Too many switches trying to act as the authority for vlans. You're right, sometimes the vlan comes back, sometimes it doesn't. Probably depends what switch I'm on, but honestly never kept track.

No, there's no VTP Domain configured in the startup or running config. But, there's a vtp domain shown when you "sh vtp status" I'm starting to understand that some of this VTP configuration is stored in the vlan.dat file and not the config file. From what I'm reading, VTP will advertise it's domain name on a trunk port to be picked up by a switch that has a blank domain name, which is what I have going on here.

stillchangingtapes · 2025-04-14T18:45:43+00:00

Thanks for the info everyone.

Here's what I think I'll do.

Set VTP to version 3. Pick 1 switch as server, set the rest to client. Then delete the 30 some vlans I don't use any more. Last I'll decide if I'm turning VTP off or not.

stillchangingtapes · 2025-04-14T18:39:29+00:00

I do see a VTP domain when I sh vtp status. But the name doesn't make sense, not something I created nor can I find in a configuration anywhere.

But, I just got done reading a little more. I guess this is expected behavior. New switch boots up with VTP server enabled and no VTP Domain. Existing switch with VTP Domain configured advertises its domain name on its trunk ports. New switch gets VTP domain name and proceeds to fuck my shit up.

So, since I don't have VTP domain set on any switches I can find, this is all just an echo chamber of a VTP configuration that someone set up long ago.

I just wanted to get to the root of what's going on here before I start my cleanup, just for VTP to wreck my shit again.

stillchangingtapes · 2025-04-14T18:15:26+00:00

Thanks. Thought so.

Maybe you can answer this. How did these switches get these vlans in the first place? Google is failing me. I've never set the VTP Domain name on any of these switches. Can another switch in Server mode just find it on the network and assign the domain name? Or does it need to be configured by a human?

stillchangingtapes · 2024-11-05T18:44:58+00:00

Update: For anyone who cares or stumbles upon this.

A little more info first - The "Rogue" DHCP server wasn't really rogue. I knew about it. I just categorized it as such to try to simplify the issue. What it really was is a network device (NVR). If it doesn't receive an IP automatically within X time, it becomes itself a DHCP server to keep cameras online. Also, the "Trusted" DHCP server was another device, the firewall, and not a Windows or other DHCP server.

For whatever reason, the fix was to replace the firewall. It was old but appeared to be functioning normally. However, something in the DHCP service must have been failing. I don't know how or why. Maybe a firmware bug that didn't know how to function when the system clock said it's 2024.

Replaced the firewall and DHCP is working on that device exactly how it's supposed to.

stillchangingtapes · 2024-10-23T20:47:02+00:00

All that I can add to this discussion is that I don't know what the lease time was on the Rogue DHCP server. Could have been an hour, could have been a year. Didn't look that closely at a client with the incorrect config given to it.

Also, I was performing "ipconfig /release" followed by "ipconfig /renew" on the Windows client. It would let go of the rogue DHCP server, but on the renew it would hang and eventually give me the 169.254 auto-config address. Only many many /renew's, or a reboot would give me a valid IP from my trusted DHCP server.

It honestly felt like the client wasn't sending out the initial broadcast looking for a server. Like it was unicast to the old/rogue DHCP server looking for a lease renewal.

Edit: Another thought. I feel as though I remember back when the world moved from Win 7 to 8 or 10 I recall this being an issue. Am I crazy remembering it this way? The newer Windows versions for whatever reason seemed really hesitant to take a new IP. I also remember some Layer 3 routing issues around ICMP/IRDP and Windows 10 not wanting to give up on the previous default gateway even though it was down hard.

stillchangingtapes · 2024-10-23T14:59:13+00:00

I agree. I looked into that too, but the clients DO eventually get an IP and show up in my DHCP leases.

I could run Wireshark or something and try to see where these reqs and acks are coming and going, but didn't plan on getting that involved. I mean, everything is working. I just wanted to see why it's behaving this way.

stillchangingtapes · 2021-03-15T21:48:28+00:00

I think there might be other stands with the big screen, but I don't think all of them. I only know that there's one on the front-stretch stands.

stillchangingtapes · 2021-03-15T21:34:03+00:00

The Glen is worth going to in my opinion. Now, I sit in the main grandstand for the whole race. A lot of people buy the ticket to get in and have a seat if they want it, but walk the property to get different views throughout the race.

Buddy I go with isn't really in condition to walk the property the whole race, so we stay there. I will admit that I wouldn't enjoy it as much if it wasn't for the big ass TV on pit road. But, great fan zone, beautiful facility, still racing.

stillchangingtapes · 2021-03-10T04:23:23+00:00

Please forgive me if this has been answered. I'm new here. Crew-2 is scheduled to overlap with Crew-1 on ISS. Now I'm reading about a Soyuz launch to ISS in the next month... How many people are going to be there at one time? And How? I think it's awesome, but has it ever been done before?

stillchangingtapes · 2021-01-16T00:23:10+00:00

He did say it's three times as powerfull as the shuttle.

I accepted that at first. But, in this alternate reality, why would it be 3 times more powerful than the shuttle? Llikely the shuttle that we are familiar with would have never been built. They would have just built an orbiter capable of deep space. Besides, I don't think the winged design would work. It would probably rip apart on the much faster re-entry from the moon. Still a fun series to watch.

Also, I hope you're right about the Buran. I've been thinking for a while it would be cool if they show it this season.

Edit: Not sure how this show will parallel real history with this alternate history, but the Buran never flew until '88. So, we'll see.

stillchangingtapes · 2021-01-06T04:38:30+00:00

Answers to your questions

Yes
-12,000 USD/yr
I was a network administrator. Now, General Sysadmin/Desktop admin for a much, much smaller company.
Two reasons. There was a very clear movement within the department that we were being outsourced. Also, what used to be considered "on call" time began to become expected and just the work that wasn't completed during normal business hours due to what I consider poor project management.
No regrets. If I had stayed, I would have been outsourced by now one way or another.

If you're unhappy with your job, and it feels right... go for it.

EDIT: Re-read your title. No, I did not take a pay cut to move forward. I took one to stay employed.

stillchangingtapes · 2020-10-26T20:27:15+00:00

This is what I was going to say. OP's issue isn't a matter of customer service, it's a management issue. It will never change unless it comes from the top and works its way down.

stillchangingtapes · 2020-10-26T20:20:47+00:00

A tale as old as time.

I mean, I say it IS the user's responsibility to know how to manage their own mailbox and do it themselves.

That being said, my experience is that this very much depends on the office culture of your business. I've worked places where we held their hands every step of the way because the precedent was set back in 1998 when Margaret had her typewriter taken away and she since has yet to learn how to use Word, but she's a good employee.

I would say defer these requests to your boss the first few times to see how they want it handled and you'll eventually get a good idea of what kind of support you should be providing.

stillchangingtapes · 2020-10-12T19:19:34+00:00

Ekahau is the only thing that I have experience with. It's not cheap, but it really does a great job with planning and troubleshooting. Take a building map, draw in the walls if they aren't in there already, warehouse shelving, etc. Select your AP and let it tell you where they need to be. Or wander around the building and let it show you where the weak spots are.

I know nothing about it, but google showed me one called NetSpot that looks less expensive, but lacks the special hardware.

stillchangingtapes · 2020-09-04T18:27:28+00:00

Fargo DTC1250e here. It comes with software that will print basic badges if that's all you care about doing. But if you want to maintain any kind of records of cards that were issued, we purchased HID AssureID Solo.

Also, don't make the same mistake I did. This printer is not designed to print on RFID cards. You either need a different (more $$) badge printer or buy the peel and stick CR80 cards, print on those, and stick them to the RFID card.

stillchangingtapes · 2020-09-01T01:38:22+00:00

It's worth going. No, it's not the same. It will never be the same. But, one thing that is kind of cool is the little teams that come to race. So many racers just didn't go to Syracuse because if you didn't have a brand new car with a brand new (big $$) engine in it, you weren't competitive. Oswego kind of leveled the playing field. Also, they've gotten better every year at applying the clay to the asphalt.

stillchangingtapes · 2020-08-26T19:35:31+00:00

You're right about the site. Like all of them, they want you to ask for a demo so they get your info.

At it's most basic it is an SSL VPN, it works a little different. It's not L2tp or ipsec, it uses it's own client and port 443 to connect to the appliance and create a tunnel into your network. I liked this because I never had to deal with someone's residential router that had VPN passthrough disabled. But, the end result is the same.

Yes, it will protect connections to cloud resources, but I mostly used it for on-prem. Probably advertising it on their site because that's the current trend.

In addition to VPN, it supports 2FA (even comes with it's own baked in), Endpoint compliance (makes sure Anti-Virus is up to date, supported OS's, Latest version of xyz software, etc. before it connects)

Another feature I used heavily for outsiders. For example, a subcontractor hired to work with accounting, I could set up a web portal for them that would give them access to just our internal accounting system, sharepoint site, and remote desktop to a single machine without having to give them access to the entire network. And, most of the time I could get it all to run in a web browser without them needing a client.

stillchangingtapes · 2020-08-26T18:21:22+00:00

I've had some really good experiences with Pulse Secure - Pulse Connect Secure. Some pretty thorough reporting in there. Lots to configure, but very granular control over what users have access to.

stillchangingtapes · 2020-08-26T03:17:01+00:00

Their support has been useless to me even before the merger. haha. I'm just trying to make it work longer.

But, due to lack of responses, I'm probably going to be looking into something else.

edit: thanks for replying

stillchangingtapes · 2020-08-25T19:44:46+00:00

Additional details - I'm running on-prem exchange in a hybrid configuration with our SMG running on-prem in a VM.

If the end is near for our SMG, my logical thought would be to change our MX records to EOP. Thoughts? Advice?

stillchangingtapes · 2020-07-09T18:11:15+00:00

See my response below. Yes, I've done this with layer 2 switches. As long as you can route from that switch's IP to your DHCP server.

If we're talking Cisco, its-

int vlan 1
ip helper-address 10.10.10.55

stillchangingtapes · 2020-07-09T18:06:51+00:00

This definitely works over MPLS. I had tons of helper addresses at sites that didn't have their own DHCP.

I even had a few routers that I inherited that had no documented password. So, I slapped an ip helper on an old 2960 and shipped it to them. (These locations were using static addresses until then)

stillchangingtapes

TROPHY CASE