JesperAP
New Member
March 19, 2024
Question

FortiGate ethernet broken with HA

  • March 19, 2024
  • 3 replies
  • 5556 views

Hello all,

We recently got 2 FortiGate 100Fs for our newly bought rack in a datacenter. With these 2 FortiGates we also have 2 Dell EMC S4128F-ON switches.

When setting up the primary FortiGate, everything works fine, the internet connection is working and stable, but as soon as I set up HA, the internet starts doing weird things. Sometimes pinging works, sometimes it doesn't. Sometimes only IPv4 addresses are pingable and sometimes only domain names are pingable.

I've added a network diagram of the setup. If you need more information please let me know.

Explanation_FG_bug.png

3 replies

Toshi_Esumi
SuperUser
March 19, 2024

On the ISP router side, only one of WAN port 1 and WAN port 2 is active at a time, and it provides the same IP/GW address regardless of which side is active over VRRP?
Not sure how the VRRP is accomplished without going through a switch.

Toshi

JesperAP
Author
New Member
March 20, 2024

Hello Toshi,

I am not sure what you mean.

As far as I know both ports are active all the time.

AEK
SuperUser
March 19, 2024

Hi Jesper

Do you have another FGT cluster in the same network?

AEK
JesperAP
Author
New Member
March 20, 2024

No, this is the only cluster in the network.

AEK
SuperUser
March 20, 2024

Hi Jesper

  • Can you elaborate on the VRRP part of the diagram?
  • Why is each FGT not connected to both ISPs? Or do you mean there is an L2 switch between the FGTs and the ISPs? Same between the FGTs and the Dell servers?
AEK
JesperAP
Author
New Member
March 20, 2024

Hello AEK,

This is the ISP part, it is the same ISP. Maybe I should have drawn 1 cloud with 2 lines going to both FGs. Sorry

eq-conf.png

https://docs.equinix.com/en-us/Content/Interconnection/EIA/EIA-config-options.htm

Toshi_Esumi
SuperUser
March 20, 2024

So, the "Customer L2 Switch(es)" in this diagram is what you are missing. Those two Equinix routers talk to each other to form VRRP through the L2 connection, communicating with each other via the .y and .z IPs. That broadcast domain can't be formed if you connect each to a separate FGT. And, in a-p HA, the secondary FGT would not pass/process packets although L1 on the port is up. So it would break the VRRP and both routers would think the other side is down.

The bottom half would be just one of many ways to implement redundancy on Equinix's customer side utilizing their redundancy setup.

With the FGTs' a-p HA, those two FGTs act as one router. So you need to have the same (L2 wise) connection from the "Customer L2 Switches" into the same WAN port on both FGTs.

Toshi
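As an added reference (not configuration from the thread or from Fortinet documentation), this is the FortiOS CLI shape of the a-p HA setup Toshi describes, with the WAN port monitored so that losing the uplink to the customer L2 switch on the active unit fails the cluster over. The port names (wan1, ha1, ha2), the group name and the password are assumptions.

```fortios
# Added example: minimal a-p HA on both FortiGate 100Fs.
# Assumptions (not from the thread): wan1 is the port cabled to the
# customer L2 switch on each unit, ha1/ha2 are the dedicated heartbeat
# links between the two units, group name and password are placeholders.
config system ha
    set group-id 10
    set group-name "DC-CLUSTER"
    set mode a-p
    set password "<change-me>"
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set override disable
    set priority 200
    set monitor "wan1"
end
# On the second unit use the same group-id, group-name, password, hbdev
# and monitor settings; only the priority differs (for example 100).

# Verify on the primary once both units have joined the cluster:
get system ha status
diagnose sys ha checksum cluster
```

Because wan1 is a monitored port, link loss on the active unit's wan1 triggers a failover, which only helps if the other unit's wan1 lands in the same broadcast domain as the two Equinix routers' VRRP group, as Toshi's last paragraph requires.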