Zato02
Explorer II
September 1, 2025
Question

A VRRP device fails to link up with the secondary unit of an HA FortiGate 200F (7.0.5).

Regarding the VRRP-redundant network device (FortiGate 60F) connected to the HA-configured FortiGate 200F (7.0.5), the setup involves the primary 200F connected to the master 60F, and the secondary 200F connected to the backup 60F. Ideally, when the master 60F experiences a failure, communication should occur between the secondary 200F and the backup 60F. However, according to the 200F management interface, the relevant interface appears to be down.

Attempts to enable/disable the interface and static routes have not resolved the issue. Could you please advise on possible solutions?


AEK
SuperUser
September 1, 2025

Not so clear how they are connected. Can you share a diagram?

AEK
Zato02 (Author)
Explorer II
September 5, 2025

Please forgive the rough diagram, but I would appreciate your confirmation.
I would like to make changes to the 200F side.
[attachment: vrrp.png]

AEK
SuperUser
September 6, 2025

As long as the secondary 200F is standby it can't communicate with the backup 60F.

You can fix it either by configuring port1 as a monitor interface in the 200F HA config, or by changing your design to use an intermediate L2 switch between the 60F and 200F, or by using a full mesh via SW/HW switches between the 60F and 200F.

AEK
Zato02 (Author)
Explorer II
September 6, 2025

Thank you for your response. I had mistakenly assumed that communication would continue seamlessly as long as the secondary unit was active.

Since adding more devices is not feasible, I believe using a monitor interface would be the most desirable solution.

On another note, I omitted some parts of the diagram to avoid making it overly complex. Both the 60F and 200F are also connected to a stacked L3 switch. In this setup, if we use a monitor interface, does that mean communication will switch to the secondary 200F when the primary port1 goes down? Also, if the primary port1 is down and the secondary port3 is also down, does that mean the failover won't work properly and communication will be interrupted?
[attachment: vrrp2.png]

AEK
SuperUser
September 6, 2025

If you need only port1 to be monitored then set only port1 as monitored interface.

If you need also port3 to be monitored then set it as well.

Also, if the primary port1 is down and the secondary port3 is also down, does that mean the failover won't work properly and communication will be interrupted?

-> I didn't try this case but I guess there would be a primary election so that one FGT handles the remaining traffic. I need to try it in my lab to make sure about the behavior.

Also keep in mind that the "monitored interface" is based on link status up or down. In your case with VRRP I think it is better to combine with link monitor to check IP reachability instead of link up/down status.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Combining-remote-link-monitoring-with-a-high/ta-p/191330

AEK
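As an added illustration (not configuration posted by anyone in this thread), the two approaches AEK describes side by side in FortiOS CLI form: a plain HA monitor interface, which reacts only to physical link state, and a link monitor tied into HA, which also reacts when the 60F VRRP virtual IP stops answering while the cable stays up. Assumptions: port1 and port3 are the 200F interfaces facing the 60F pair, `192.0.2.1` is a placeholder for the 60F VRRP virtual IP, and the timers are illustrative values for a 7.0.x cluster.

```text
# Added example, not from the thread. Assumed: port1/port3 face the 60F pair;
# 192.0.2.1 is a placeholder for the 60F VRRP virtual IP. Verify on your unit.

# (1) Link-status monitoring only. Triggers HA failover when the monitored
#     port physically goes down on the primary; a dead VRRP VIP behind an
#     up link is NOT detected. Applies to both cluster members by name.
config system ha
    set monitor "port1" "port3"
end

# (2) Remote IP monitoring combined with HA. The link monitor pings the VIP
#     from port1; when it fails, its ha-priority counts toward the HA
#     failover threshold, so the cluster fails over even if the link is up.
config system link-monitor
    edit "vrrp-gw-check"
        set srcintf "port1"
        set server "192.0.2.1"
        set protocol ping
        set interval 1000
        set failtime 3
        set recoverytime 3
        set ha-priority 1
    next
end

config system ha
    set pingserver-monitor-interface "port1"
    set pingserver-failover-threshold 1
    set pingserver-flip-timeout 60
end
```

Check the result with `get system ha status` and `diagnose sys link-monitor status` before and after pulling the 60F master, and remember that the same link monitor runs on the secondary once it becomes primary, so the flip timeout is what keeps the cluster from bouncing back and forth if both 60F units are unreachable.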