Upstream HSRP Routers

Question

I've got a strange issue with upstream HSRP Routers from the ISP. I've got a single /29 virtual IP configured on my Fortigate with HA set up.

When I have Fortigate A connected to ISP router A, and Fortigate B connected to ISP router B the Internet dies.

If I connect both Fortigate to ISP Router A everything works as normal including HA failover. The same is true for ISP Router B. Only when the Fortugates are connected to seaparte Routers does the Internet die.

The ISP says they configured e0/1 and e0/2 on both Routers to be in the same L2 VLAN so in my mind this should work correctly.

If I add a dumb switch into the mix with both fortigate then the Internet works fine.

To me, the logical conclusion is that the ISP hasn't correctly configured their L2 VLAN but am I overlooking something in my config? The monitored interfaces don't trigger a failover so I know at least one thing is wrong somewhere.

Toshi_Esumi · Answer

No. If you hook up a downstream device directly to HSRP:standby router, the router needs to forward the packet to VIP, which is controlled by the active router. That doesn't happen since it's standby. You have to have a switch to share the same L2 broadcast domain for your FGTs to be able to rech both side regardless which side is active in HSRP.

Besides, there needs to be a L2 connection between those HSRP interfaces on both routers to communicate each others and decide which should become active/standby. Otherwise, both would become active/active competing each other. That's another reason there needs to be a switch.
VRRP should work in the same way.

If you want to learn how HSRP (or VRRP) work, you can search on the internet like this video.
https://www.youtube.com/watch?v=4mTKzwNBgHY

Toshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded