pbarbieri
Visitor III
September 27, 2022
Solved

vrrp between fortinet


Hello guys,

A question: I have two Fortinets working in VRRP; each Fortinet is connected to a different switch, and the switches are trunked with LACP. The configuration of the two firewalls is fine, but they are master at the same time. They exchange some messages between them on 224.0.0.8 (protocol 112), but nothing: they both remain master. I tried to ping the physical IP address of the other firewall from one switch, but nothing. From each switch we can see only the virtual IP, that is, the virtual IP of the local firewall. The switches are trunked well.

I wonder if it is mandatory to use a proxy-ARP configuration with VRRP, because I suspect that ARP does not resolve the physical IP of the firewall connected to the other switch.

Configuration:

switch 1 connected to firewall 1

switch 2 connected to firewall 2

switch 1 and switch 2 trunked 

I checked with get info router vrrp on both and everything is fine, but it does not resolve the arbitration of who is master and who is slave, probably because they do not see each other due to some ARP problem.

What is the role of proxy-ARP in VRRP in this case? Can they work without it?

Thanks!!!

Best answer by gfleming

OK, it looks like RCC_LAN is a VLAN interface. Can you confirm by doing "show full system interface RCC_LAN | grep type"?

If so, this VLAN interface needs to be attached to a physical interface, such as the redundant interface.

Can you shed more light on any of the other interfaces on the FortiGate? Are there more L3 interfaces between FGT and SW? What is the nature of the "trunk" interface between the FortiGates? How does it work and how is it connected?

 

Now, with that said, you probably do not need the VLAN interface unless you need trunking with tagged VLAN access to a downstream switch. Given what I see here there is no tagged traffic between the FGT and the switch. If RCC_LAN is the only L3 interface on the FGT, then I suggest moving the IP configuration, including VRRP, into the Redundant interface config. Or, at the very least, assign the RCC_LAN interface to the "SW1-SW2" interface:

config system interface
  edit RCC_LAN
    set interface "SW1-SW2"
  next
end

Given your use case, I would suggest leveraging FortiGate HA with SD-WAN to satisfy your requirements.

With FortiGates in HA, you only have one configuration to manage. With SD-WAN you can put both your WAN interfaces (and GRE tunnels) into an SD-WAN interface and do your load balancing/failover using SD-WAN. There would be no duplication of multicast traffic as there is only one logical device on the network.

2 replies

gfleming
Staff
September 27, 2022

More details on your topology are needed. How are the two switches connected together? Are they using MC-LAG or some other mechanism for sharing state? Or are they simply using a trunk port between them?

The fact that you can't ping from one FGT to the other FGT tells me your downstream network topology is not adequate to support VRRP communication. You need both FGTs to be on the same broadcast domain for VRRP comms to work (224.x.x.x multicast addresses will not route between segments).
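Added example (not from this thread, not Fortinet code): the "both master" symptom above means each FortiGate sends VRRP advertisements (IP protocol 112 to 224.0.0.18) that the other never receives. A defender can confirm split-brain from a capture on the segment: in a healthy group only the current master advertises, so two sources advertising the same VRID is the signature. The script parses VRRPv2 advertisements per RFC 3768 (version/type byte, VRID, priority, address count, checksum), discards malformed ones, and reports VRIDs with more than one advertising source; the packets and addresses are constructed for the demo.

```python
import struct
from collections import defaultdict

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when computed over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advert(vrid, priority, vips, adver_int=1):
    """VRRPv2 advertisement (version 2, type 1) with a correct checksum; used only
    to fabricate the sample capture below."""
    hdr = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, adver_int, 0)
    body = b"".join(bytes(int(o) for o in v.split(".")) for v in vips) + b"\x00" * 8
    msg = hdr + body
    return msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]

def parse_advert(payload: bytes):
    """(vrid, priority, [vips]) or None if not a well-formed VRRPv2 advertisement."""
    if len(payload) < 16:
        return None
    ver_type, vrid, prio, naddr, _auth, _adv, _csum = struct.unpack("!BBBBBBH", payload[:8])
    # Wrong version/type, no addresses, truncated, or bad checksum: not trusted
    if (ver_type != 0x21 or naddr == 0 or len(payload) < 16 + 4 * naddr
            or inet_checksum(payload) != 0):
        return None
    vips = [".".join(str(b) for b in payload[8 + 4 * i:12 + 4 * i]) for i in range(naddr)]
    return vrid, prio, vips

def find_dual_masters(captured):
    """captured: list of (src_ip, vrrp_payload) seen on one segment. Returns
    {vrid: [(src_ip, priority), ...]} for each VRID advertised by more than one
    source; in a healthy group only the current master sends advertisements."""
    seen = defaultdict(dict)
    for src, payload in captured:
        parsed = parse_advert(payload)
        if parsed:
            vrid, prio, _ = parsed
            seen[vrid][src] = prio
    return {v: sorted(s.items()) for v, s in seen.items() if len(s) > 1}

# Constructed sample: FW1 and FW2 both advertise VRID 10 (the thread's symptom),
# VRID 20 has a single master, and the last packet carries a bad checksum.
SAMPLE = [
    ("192.0.2.11", build_advert(10, 200, ["192.0.2.1"])),
    ("192.0.2.12", build_advert(10, 100, ["192.0.2.1"])),
    ("192.0.2.11", build_advert(20, 200, ["192.0.2.2"])),
    ("192.0.2.12", b"\x21\x0a\x64" + b"\x00" * 13),
]
```

Feeding `find_dual_masters` the protocol-112 payloads from a real capture on each switch shows whether FW1's advertisements ever reach FW2's segment, which is the broadcast-domain question raised above.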

pbarbieri (Author)
Visitor III
September 27, 2022

Thank you very much for your support, Graham!

The two switches are trunked with LACP l3_l4. I have attached a picture:

Port 1 and 2 are in redundant configuration; only one is active (in this case port 1 for FW1 and port 2 for FW2).

- port 1 and 2 (same VLAN) of firewall 1 have a physical IP and a virtual IP

- port 1 and 2 (same VLAN) of firewall 2 have a different physical IP and the same virtual IP

- same broadcast domain

If I remove the cable that connects port 2 of firewall 2 to switch 2 (active in this case), I am able to ping the physical IP address of firewall 1 from switch 2; this means that the switches are well trunked and connected.

The VRRP has been created between port 1-2 of FW1 and port 1-2 of FW2 (between the active ports).

It seems that this configuration of VRRP with redundant ports creates some issue, or some spanning tree issue, or do I need to remove the trunk between FW1 and FW2?

Thanks.

[attachment: vrrp.jpg]

gfleming
Staff
September 27, 2022

This is an interesting-looking topology. Before delving into the VRRP issues, can I ask:

- Why aren't you using FortiGate HA here? It will simplify your configuration and most likely give you the same, or better, functionality.

And please confirm you are using the FortiGate "Redundant" interface type for port 1 and port 2? If so, you need to configure the VRRP under the redundant interface. Are you configuring VRRP under the physical ports, port1 and port2? If they are bundled in a redundant interface, please configure VRRP there.

Also, have you considered just creating LACP and having FW1 port1 and port2 in LACP connecting to SW1 and FW2 port1 and port2 in LACP connecting to SW2?

pbarbieri (Author)
Visitor III
September 27, 2022

Hello Graham,

Yes, I confirm everything you wrote: I use the FortiGate redundant interface for port 1 and port 2, I have configured VRRP under the redundant interface, and they are bundled in the redundant interface. I can tell you that even if the FortiGate considers the backup port as a backup, not active, it is not disabled, because I see the backup port LED blinking, and I am sure that the settings of the interfaces of my firewall 600D are well set. Only when the backup port is disabled are the LEDs switched off. I don't want this to be the reason for some spanning tree reaction; ports could be a backup for Fortinet but not for the switches.

Regarding your question why I didn't use HA: two reasons. First, I have inherited this architecture including the configuration, and second, could I use HA even if the two firewalls are completely different in terms of configuration and addressing? I don't want to create a clone of the first firewall but simply move control to the second one in case of a fault of the first one. Yes, I confirm that this architecture suffers from some evil mistake, but still I couldn't manage to understand it, possibly with your support, and I appreciate that you use your skill and time for this issue.

gfleming
Staff
September 27, 2022

OK, I think the next best step would be for you to show the configuration of the redundant interfaces. Can you please paste the output of "show system interface <redundant_int_name>" for both FW1 and FW2 here?

Also please note that when interfaces are configured in a redundant bundle, layer 1 will continue to function. That is, you will see the LED on the port.

OK, so the two firewalls have different configurations? In which way do they differ? If they are different then I don't understand how you could leverage VRRP. Leveraging VRRP typically means each router in the VRRP group would be configured to forward traffic in the same or a very similar manner. This is why I believe you could leverage FortiGate HA instead. But please share more details on how the firewall configurations differ from each other and I can advise further.