Seferian
New Member
May 26, 2021
Question

Help needed with FG 100F - HA - A-P behind VRRP routers

  • May 26, 2021
  • 2 replies
  • 6388 views

Hi all. After reading a lot on these forums, which helped me on my way with Fortinet products, I have a problem that might be really simple, but I don't see it. We have 2 FG100F in HA A-P running behind two Cisco routers in VRRP (ISP routers). I have configured the WAN1 interface with the IPs provided. So far so good. HA works fine when I pull the WAN interface on the main FG. However, when the active VRRP router fails, the WAN does not go down, so no failover occurs. This means no redundancy.

 

What is the best way to set up the FGs to the VRRP routers? I've used SD-WAN in other locations where we have redundant ISPs. That works like a charm. However, for this main location we have 1 ISP with a redundant 200mb's line.

 

At the moment the setup is:

 

Router A      VRRP       Router B

    |                                |

FG100 A ===HA=== FG100 B

 

I need to find a way to connect both FG's to both Routers while keeping the IP information and Gateway the same. 

Hopefully you can help me out. 

 

    2 replies

    jorge_americo
    New Member
    May 26, 2021

    Are you using VLAN, or is the interface untagged?

    Seferian (Author)
    New Member
    May 26, 2021

    jorge.americo wrote:

    Are you using VLAN, or is the interface untagged?

    These interfaces are untagged. 

    jorge_americo
    New Member
    May 26, 2021

    Seferian wrote:

    jorge.americo wrote:

    Are you using VLAN, or is the interface untagged?

    These interfaces are untagged. 

     

    I believe that if you do the configuration with VLAN you will not have this problem, as there will be knowledge of the L2 path, even if FGT_A is active and Router_B is VRRP active.

    Router A ========= Router B
        |                  |
    FG100 A === HA === FG100 B

    Or you can also try to understand the reason why the VRRP is being changed, without dropping the interface.

    POMA
    New Member
    December 3, 2025

    @Seferian, was this solution implemented and tested (creating a hardware switch on the FortiGate and connecting both routers to this switch)?

     

    Example

    - port 19+20 = hardware switch

    - FortiGate A port 19 goes to ISP router 1 port x, port 20 goes to ISP router 2 port x

    - FortiGate B port 19 goes to ISP router 1 port y, port 20 goes to ISP router 2 port y

     

    I think it should work, but an issue could be that:

    - router 1 + router 2 can discover each other via the switch of FortiGate A

    - router 1 + router 2 can also (at the same time) discover each other via the switch of FortiGate B 

    > will this affect the VRRP?

    It seems a VRRP loop is possible. I did a test, connected 2 laptops on the secondary FortiGate (port 19+20) and both could still ping each other. Pings towards the FortiGate were dropped (that is correct, because it's still the secondary).
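
The two cabling plans discussed in this thread can be compared as small L2 graphs. This is an added example, not code from any poster or from Fortinet: it checks whether the active FortiGate still reaches a router after one router stops forwarding, and whether the cabling forms a loop. The device names, the router-to-router link in the original layout, and the assumptions that a failed router keeps its link up and that both FortiGate hardware switches bridge ports 19 and 20 are modelling assumptions.

```python
from collections import defaultdict

def build(links):
    """Undirected L2 adjacency map from (device, device) cable pairs."""
    g = defaultdict(set)
    for a, b in links:
        g[a].add(b)
        g[b].add(a)
    return g

def reachable(g, src, down=frozenset()):
    """Devices src can reach at L2; devices in `down` keep link up but forward nothing."""
    seen, stack = set(), [src]
    while stack:
        node = stack.pop()
        if node in seen or node in down:
            continue
        seen.add(node)
        stack.extend(g[node] - seen)
    return seen

def has_loop(g):
    """True if any connected segment has a cycle (edges >= nodes), so it needs loop protection."""
    seen = set()
    for start in list(g):
        if start in seen:
            continue
        segment = reachable(g, start)
        seen |= segment
        if sum(len(g[n]) for n in segment) // 2 >= len(segment):
            return True
    return False

def survives_router_failure(g, active_fg, routers):
    """Per failed router: can the active FortiGate still reach the surviving router?"""
    return {
        failed: any(r in reachable(g, active_fg, down={failed}) for r in routers if r != failed)
        for failed in routers
    }

ROUTERS = ["router1", "router2"]
# Constructed from the first post's diagram; the router1-router2 link is an assumption.
ORIGINAL = build([("router1", "router2"), ("fgA", "router1"), ("fgB", "router2")])
# Constructed from the port 19/20 cabling list; each FortiGate's hardware switch is one node.
PROPOSED = build([("fgA", "router1"), ("fgA", "router2"), ("fgB", "router1"), ("fgB", "router2")])

if __name__ == "__main__":
    for name, topo in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, "loop:", has_loop(topo), "survives:", survives_router_failure(topo, "fgA", ROUTERS))
```

In this model the original cabling has no loop but loses the gateway when router1 stops forwarding, while the cross-connected cabling survives either router failure but contains a loop through both hardware switches.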