ede_pfau
SuperUser
August 31, 2016
Solved

Synchronizing FGT HA with Cisco VRRP


hello all,

I've got a pair of FG-200B running v4.3.18 in A-P HA mode. Each cluster member is at a different location; the HA links run across a dedicated line. On each site, there is one Cisco access router (19xx) in front of the FGT providing WAN access. These routers form a VRRP pair. (No VRRP for the FGTs, as config sync is requested.)

Now, when the WAN line on one site closes down, the routers fail over in about 15 s. But, as the link status of the FGT WAN port does not change, the FGTs do not fail over. So I configured a pingserver (gwdetect) on the FGT, pointing at the next hop router.

That doesn't work as expected though. When one WAN line is down, the FGT can still reach the next hop router because the Ciscos have failed over, providing internet access across the HA link line. That's a catch-22, I guess.

One solution would be that the router, when detecting it has to fail over, pulls its port to the FGT down. The FGT would sense a link failure and fail over as well.

The question now is: how is that configured on a Cisco router? Is it common, or arcane? Or do you have other suggestions on how to synchronize the VRRP failover with an HA failover?

Any input dearly appreciated.

    Best answer by MrSinners

    I already had a feeling that was the main reason for VRRP, the WAN side of the routers. Maybe you can have a look at: https://supportforums.cisco.com/discussion/10794236/shut-interface-if-no-ping-response-using-ip-sla-eem

    They combine IP SLA tracking with an EEM script to bring an interface down. Pay extra attention to posts 2 and 3; if you want to use this, it requires some editing for your environment.
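As a worked illustration of the IP SLA plus EEM approach the linked post describes, here is an added example (not the thread's or Cisco's own configuration). It assumes Gi0/0 is the router's WAN port, Gi0/1 faces the FortiGate, 198.51.100.1 is the ISP next hop and 203.0.113.1 is a probe target only reachable through the WAN line; all of these are placeholders.

```cisco
! Added example, not from the thread. Assumed: Gi0/0 = WAN port,
! Gi0/1 = port facing the FGT, 198.51.100.1 = ISP next hop,
! 203.0.113.1 = probe target (all placeholder values).
!
! Host route for the probe target so the probe keeps using the WAN
! next hop even after VRRP has moved internet traffic across the
! dedicated line. Without it the probe succeeds via the other router,
! which is the same catch-22 the FGT pingserver runs into.
ip route 203.0.113.1 255.255.255.255 GigabitEthernet0/0 198.51.100.1
!
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Track both the probe and the WAN link itself: if Gi0/0 loses
! line-protocol the host route above disappears, so the link state
! must be part of the decision as well.
track 10 ip sla 10 reachability
track 11 interface GigabitEthernet0/0 line-protocol
track 12 list boolean and
 object 10
 object 11
 delay down 15 up 60
!
! WAN gone: shut the FGT-facing port so the FGT sees link loss and
! its HA cluster fails over to the other site.
event manager applet WAN-DOWN
 event track 12 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "shutdown"
 action 5.0 syslog msg "WAN lost, Gi0/1 shut to trigger FGT HA failover"
!
! WAN back (after the 60 s up-delay): re-enable the port.
event manager applet WAN-UP
 event track 12 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "no shutdown"
 action 5.0 syslog msg "WAN restored, Gi0/1 re-enabled"
```

The same track object can also drive the VRRP priority decrement on the router, so the VRRP failover and the forced FGT link-down fire on one shared condition rather than two independent timers.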


    pcraponi
    New Member
    August 31, 2016

    Ede,

    Have you looked at http://kb.fortinet.com/kb/documentLink.do?externalID=FD35173 ?

    FortiGate will fail over if the gwdetect fails. When you configure "pingserver-monitor-interface", FortiOS will use this interface to reach the gwdetect target instead of the HA link.

    Regards,

    Paulo R, NSE8

    ede_pfau (Author)
    SuperUser
    August 31, 2016

    Paulo,

    thanks for your hint.

    The pingserver will always use the FGT's WAN port, following the default route, so no choice here. To clarify, I've redrawn the picture.

    The switch on the front and back of the dedicated line is in fact a 4-port switch module inserted into the router. One port is used for the line, two for redundant HA connections (not drawn here), one is unused.

    As you can see, when the right router fails over, all internet-bound traffic is led across the dedicated line and routed by the left router. But the firewall on the right is still working and will not notice that its WAN connection has switched sides.

    I asked the ISP's Cisco support if we could block ICMP on that blue line, by static filter or ACL. He denied this.

    So a second (weird) idea I had was to put another FGT in Transparent Mode into the blue line, blocking ICMP. To achieve device failover for this as well, I'd configure an extra VDOM on the main FGT, or rather on both because of HA.

    But this is clumsy and needs a lot of documentation.

    Thus my search for something in Cisco IOS like there is in FortiOS, pulling down an interface (link) if a failover situation is detected. In IOS, it's called 'tracking', and I bet there is something like this already.

    emnoc
    New Member
    August 31, 2016

    The pingserver will always use the FGT's WAN port, following the default route, so no choice here. To clarify I've redrawn the picture.

    Hmm. If we are talking link-monitors, then you specify the port and source-ip. This doesn't really offer anything for the OP, but I figured I would correct that statement.

    hervaltelecom
    New Member
    October 1, 2018

    Have you had any help in CISCO forums?

    emnoc
    New Member
    October 2, 2018

    You do know this was posted over 2 years ago ;)

    ede_pfau (Author)
    SuperUser
    October 2, 2018

    Yet...still unsolved!

    It's a shame, and unnecessary as well. Pulling the internal link down in the event of failover would be easy and reasonable. The ISP just doesn't lift a finger to solve this.

    After such a long time, my customer is planning to reunite the cluster units in one place, that is, change quite a bit. I still feel the scenario (HA cluster with external VRRP routers in front) is not that extraordinary. I would like to solve this, but any solution has to be on the FGT side only.

    Thanks for keeping an eye on this, anyway. Anybody else running this setup?