Skip to main content
svictor2
svictor2
New Member
September 24, 2025
Question

Fortiswitch - VRRP is not working with Standalone MCLAG-ICL

  • September 24, 2025
  • 4 replies
  • 861 views

 

I am installing Standalone Fortiswitch FS-648F using MCLAG-ICL topology, critical issues were observed with VRRP and inter-VLAN routing functionality.

FS-SW-1 & FS-SW-2 connected through Port 55 & 56 as MCLAG-ICL link and all vlans allowed. 

L2 Vlans are 10,20,30,40,50
STP enabled and priority assigned as default. 
L3 vlan created and assigned IP's with VRIP 
FS-SW-1 is Master & FS-SW-2 Backup vrrp state
from FS-SW-1 Cli I am able to ping vrip for example 172.16.10.1 . (vlan 10)
When I ping from FS-SW-2 cli, i unable to ping vrip 172.16.10.1  (vlan10)

In sw-2 mclag-icl diag command output , it shows dormant role is SW-2. 
2nd switch is not responding for vrip 172.16.10.1 arp in MCLAG-ICL

Any solution for the issue ?
Is there any limitations with Fortiswitch VRRP with MCLAG-ICL ?

4 replies

Anthony_E
Staff
Anthony_E
Staff
September 29, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
Anthony_E
Staff
October 1, 2025

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Best Regards
Anthony_E
Staff
Anthony_E
Staff
October 3, 2025

Hi,

 

 

To troubleshoot VRRP not working with standalone MCLAG-ICL, follow these steps:

  1. Enable VRRP Virtual MAC: Ensure that `vrrp-virtual-mac` is enabled for VRRP. This is crucial for VRRP operation.
  2. Configure VRRP Sessions: Configure two VRRP sessions on each SVI (Switched Virtual Interface). - Set VRRP priorities to ensure there is a VRRP master on each MCLAG core.
  3. Layer-3 Lookup: Verify that the layer-3 lookup for the VRRP virtual MAC address is enabled on the VRRP backup. This should be automatic.
  4. Check MCLAG and Trunk Hashing: Ensure that MCLAG and trunk hashing are correctly configured.

 

This allows ingress packets on the VRRP backup core to be routed without crossing the ICL if an appropriate route is available

Best Regards
    wjanmayka_FTNT
    Staff
    wjanmayka_FTNT
    Staff
    January 15, 2026

    Hi Anthony

    I see FS-624F/648F does not support VRRP with MCLAG topology. 
    "https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/445b932d-c593-11f0-8b43-d2943efe5b2f/FortiSwitch-7.6.5-Feature-Matrix.pdf"

    Did your configure is Active-Standby VRRP ?
    and in Feature-Matrix is VRRP Active-Active on MCLAG ? 

    Please advise how to setup FS-624F MCLAG to work with VRRP and static route. Active-Standby is OK.

    Regards,

    Wittaya J.

    quintinmorrow
    quintinmorrow
    New Member
    January 15, 2026

    I’ve seen VRRP fail in similar FortiSwitch standalone setups because it’s easy to miss how tightly it depends on the upstream FortiGate configuration. VRRP itself may look fine, but things like VLAN tagging, interface roles, or missing heartbeat traffic break it silently. Double-checking L2/L3 expectations and testing with packet captures helped me spot where the failover traffic was actually getting lost.

    wjanmayka_FTNT
    Staff
    wjanmayka_FTNT
    Staff
    January 15, 2026

    Hi,

       For me, FS-624F enable VRRP and Static route with MCLAG.

    Regards,

    Wittaya J.

    Terms & ConditionsAccessibility statement