FortiManager task fails when MTU is changed on LAG-Interface of FortiGate HA

If you want to change the MTU of a LAG interface on a FortiGate HA cluster through FortiManager, remove that LAG interface from the HA monitored interfaces first. Reason: when the MTU of the LAG interface is changed, the interface goes down and comes up again. If that LAG interface is one of the HA monitored interfaces, the FortiGate HA cluster performs an HA failover. That interrupts the execution of the FortiManager task and may crash (reboot) the FortiManager.

FortiManager Log shows:

1560 2021-02-03 17:10:31 [..]
1561 2021-02-03 17:10:31 information Deployment manager event Device state updates
Device fgtdev214 config status changed to OUT_OF_SYNC by aborted, devdb MODIFIED
1562 2021-02-03 17:10:31 error prod-user54 Deployment manager event Policy package install failed Installation of the device settings (null) on fgtdev214[root] failed.
1563 2021-02-03 17:10:31 [..]

If you want to avoid an unplanned FortiGate HA failover, a FortiManager crash and having to run diagnose dvm task repair on your FortiManager, then:

1. Schedule a maintenance window (communicate it and set a maintenance window in your monitoring and logging systems)
2. Remove the HA monitor interface for that LAG interface first (using FortiManager)
3. Then adjust the MTU on the FortiGate LAG interface (using FortiManager)
4. Enable the HA monitor interface for that LAG interface again (using FortiManager)
5. Test the new MTU, communicate the change, and re-enable alerting / end the maintenance window in your monitoring systems and log alerts.
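The same steps 2 to 4 as FortiOS CLI commands, added here as an example and not taken from the post. It assumes an aggregate interface named lag1, two other monitored interfaces port1 and port2, and a target MTU of 9000; all three are placeholders. Each part is meant to be pushed as its own FortiManager CLI script or install, so that the monitor change is committed on the cluster before the MTU change is made:

```text
# Step 2: take the LAG out of the HA monitored interfaces.
# "set monitor" replaces the whole list, so name every interface
# that should stay monitored and simply leave lag1 out.
config system ha
    set monitor "port1" "port2"
end

# Step 3 (separate install, only after step 2 has been committed):
# change the MTU. The interface will still go down and up here,
# but because lag1 is no longer monitored the cluster does not fail over.
config system interface
    edit "lag1"
        set mtu-override enable
        set mtu 9000
    next
end

# Step 4 (separate install, after the MTU is verified): put lag1 back.
config system ha
    set monitor "port1" "port2" "lag1"
end

# Read-only check on the FortiGate CLI after each install:
# get system ha status
```

If the monitored-interface change and the MTU change are installed together in one task, the order in which FortiManager applies them is not something this procedure relies on, so keep them as separate installs.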
