nstp11
New Member
July 5, 2024
Question

VRRP ISSUE.. unexpected split-brain situation

  • July 5, 2024
  • 3 replies
  • 5028 views

hi all

we have an issue with two Fortinet firewall in production mode (Fortinet A and Fortinet B).

We followed these manuals:

https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-high-availability/HA_VRRPFailover.htm
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-high-availability/HA_VRRPEx1.htm
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-high-availability/HA_VRRPEx2.htm

and configuring priority 255 on both routers (Fortinet A and Fortinet B) leads to a split-brain situation. Can someone please help us with this issue and explain why this behavior occurs?

3 replies

ebilcari
Staff
July 5, 2024

Priority should not be set the same for both nodes, try to change the priority of the secondary to a lower value like 100.

Emirjon
nstp11 (Author)
New Member
July 5, 2024

hi, thanks for your quick answer. We already tried.

Setting priority to 100 on both nodes: NO split-brain situation.

Fortinet A --> Priority 100
Fortinet B --> Priority 100
=

No split-brain

Why don't I get the same behavior with priority 255?

ebilcari
Staff
July 5, 2024

It should be related to the preempt logic, the node that has 255 will not give up to the role.
I think it's mentioned here: VRRP routers backing up a virtual router MUST use priority values between 1-254 (decimal).

Emirjon
nstp11 (Author)
New Member
July 8, 2024

The following setup leads to another split-brain situation. How do we solve it?

vip for fortinet A and fortinet B is: 10.0.0.1

fortinet A:

    NIC_IP: 10.0.0.1
    Priority: 100 (with the command: set priority 100)

fortinet B:

    NIC_IP: 10.0.0.2
    Priority: 255 (with the command: set priority 255)

Toshi_Esumi
SuperUser
July 8, 2024

Show us the output of "get router info vrrp" on the FGT and the same output of an equivalent debug command on the other router.

Oh, actually those are two FGTs. I thought you were doing VRRP with another router.

Toshi

nstp11 (Author)
New Member
July 10, 2024

hello

>> the same output of an equivalent debug command on the other router

I can't concatenate that - I'll ask a colleague, but he's on holiday this month.


>> Show us the output of "get router info vrrp" on the FGT

OK, I'm sending you the Fortinet output here:

    Interface: port3, primary IP address: 10.0.0.1
    UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
    HA mode: master (0:1)
    VRID: 12 version: 3
    vrip: 10.0.0.1, priority: 255, effective priority: 100, state: SLAVE
    adv_interval: 1, preempt: 0, ignore_dft: 0, start_time: 1
    master_adv_interval: 100, v3_as_v2: 1, accept: 1
    vrmac: 00:00:5e:00:01:12


We need help; we are in production mode and don't know how to solve this. Can you help us today, please?

Toshi_Esumi
SuperUser
July 10, 2024

You configured it the wrong way. Priority 255 is the owner of the VRIP (10.0.0.1) and it would never give up the master role, as @ebilcari mentioned, as long as it's alive. The other router (FGT-B) has to have a priority in the range 1-254 to back up the master when it dies.
So, swap the priorities or change the VRIP to 10.0.0.2, then it should work.

Kind of a similar discussion about Cisco:
https://community.cisco.com/t5/routing/can-vrrp-virtual-ip-be-configured-with-same-ip-address-as/td-p/3948711

Toshi
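The rule the two replies above rely on, as an added Python check that is not part of the thread and not FortiOS code: it parses the fields it needs from the `get router info vrrp` output pasted above and applies the RFC 5798 rules cited here (255 is reserved for the router whose own interface address is the VRIP, backups use 1-254, the owner always preempts). The node names, the second node's values and the tie-break by primary IP are assumptions taken from the RFC, not from FortiOS behaviour.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# Lines taken from the output pasted in the thread (trimmed to what is parsed).
FGT_A_OUTPUT = """Interface: port3, primary IP address: 10.0.0.1
VRID: 12 version: 3
vrip: 10.0.0.1, priority: 255, effective priority: 100, state: SLAVE
adv_interval: 1, preempt: 0, ignore_dft: 0, start_time: 1"""

@dataclass
class VrrpNode:
    name: str
    primary_ip: str   # the router's own interface address
    vrip: str         # the shared virtual router IP
    priority: int     # configured priority; 255 = address owner (RFC 5798)

def parse_fgt_vrrp(text: str, name: str) -> VrrpNode:
    """Pull the fields this check needs out of FortiOS 'get router info vrrp' text."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)
    return VrrpNode(name,
                    primary_ip=grab(r"primary IP address:\s*([\d.]+)"),
                    vrip=grab(r"vrip:\s*([\d.]+)"),
                    # match 'priority: N' but not 'effective priority: N'
                    priority=int(grab(r"(?<!effective )priority:\s*(\d+)")))

def lint_pair(a: VrrpNode, b: VrrpNode) -> list:
    """Return the configuration problems that make a pair fight over the VRIP."""
    problems = []
    for n in (a, b):
        owns_ip = n.primary_ip == n.vrip
        if owns_ip and n.priority != 255:
            problems.append(f"{n.name}: holds VRIP {n.vrip} as its own address, owner priority must be 255")
        if not owns_ip and n.priority == 255:
            problems.append(f"{n.name}: priority 255 but {n.vrip} is not its address, backups use 1-254")
    if a.priority == 255 and b.priority == 255:
        problems.append("both nodes claim to own the VRIP; neither will yield (split-brain)")
    return problems

def expected_master(a: VrrpNode, b: VrrpNode) -> str:
    """Converged master per RFC 5798: owner always preempts, else highest priority, then higher IP."""
    for n in (a, b):
        if n.primary_ip == n.vrip and n.priority == 255:
            return n.name
    return max((a, b), key=lambda n: (n.priority, IPv4Address(n.primary_ip))).name
```

Running `lint_pair` on the setup from the July 8 post (FGT-A owns 10.0.0.1 with priority 100, FGT-B has 255) reports both nodes, which is the mismatch Toshi describes.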