Skip to main content
Johnnyb1984
Johnnyb1984
New Member
March 22, 2022
Question

Active active cluster STP issues

  • March 22, 2022
  • 2 replies
  • 3829 views

I have 2 Fortigate 200F firewalls configured in an active/active cluster. Fail over between the firewalls seems to work fine but when I reboot one firewall the WAN port seems to become disabled. When I physically check the firewall I can see no lights on the port. If I physically disconnect and reconnect the port it will become active again.

We have 2 WAN cables which are connected to a pair of Dell switches which are stacked. Each firewall is connected to one switch. 

When I view the switch logs I can see

"Link Down: Gi1/0/10

Link on Gi1/0/10 is failed

Gi1/0/10 is transitioned from Forwarding state to Blocking state in instance 0"

 

On the firewall I have configured port 12 as WAN 

"FortiGate-200F-HA2 # show system interface port12
config system interface
edit "port12"
set vdom "root"
set ip x.x.x.x 255.255.255.192
set allowaccess ping https ssh http
set type physical
set lldp-reception enable
set role wan
set snmp-index 21
next
end"

 

Fortigate HA config

"FortiGate-200F-HA2 # show system ha
config system ha
set group-name "Carlow"
set mode a-a
set password ENC bcn2WjZogIhmGEQ6Erw0RhDrwBAZLZzQQvglVS00W7iNcVhb4SL21RyQpU7YEoIbpHJdg1lVzzUaB5HwcefjhvNy1VlBHpToznms3A3yTv6or6339ow+C1l3EDCVrplkfAiOx+qpMBvIpWRLQ=
set hbdev "ha" 0
set session-pickup enable
set override disable
set priority 140
set monitor "port12"
end"

 

Any advice on why this is happening would be much appreciated.

2 replies

alif
Staff
alif
Staff
March 23, 2022

Hi Johnnyb1984,

 

Thank you for contacting Fortinet community.

 

The below message indicates that STP is enabled on the Gi1/0/10 interface of Dell switch.

 

"Link Down: Gi1/0/10 Link on Gi1/0/10 is failed Gi1/0/10 is transitioned from Forwarding state to Blocking state in instance 0"

 

 

Please disable STP on Gi1/0/10 interface and see if the issue recurs.

Johnnyb1984
Johnnyb1984Author
New Member
March 23, 2022

Hi Alif,

 

Thanks for the reply.

 

I will try this suggestion and let you know how it goes. 

 

I was wondering if this is the recommended way to configure WAN ports in an active-active environment? I had previously configured the cluster as active-passive but we want to use the "hardware switch" feature which requires active-active.

alif
Staff
alif
Staff
March 23, 2022

May be you can provide more information about your network environment please.

Fortigate connects to Dell switch on 'port12'. Do you have VRRP configured on the Dell switches?

Johnnyb1984
Johnnyb1984Author
New Member
March 23, 2022

We are not using VRRP. We have 2 cables coming into the rack which are provided by our ISP. These are connected to a trunk port on each switch (Dell N2024). Each switch is connected to a firewall via an access port using VLAN id assigned by our ISP. We are not using any lacp or port channel. The switches are configured to use rstp. 

alif
Staff
alif
Staff
March 23, 2022

The setup sounds fine. I guess the only thing needed is to disable RSTP on the Gi1/0/10 interface on Dell switch that connects to Fortigate port12 interface.

Please test the HA failover after disabling RSTP.

Terms & ConditionsAccessibility statement