jskrivan_FTNT
Description
This article explains how to configure VRRP between a FortiGate unit and a Cisco router.
 

Scope
FortiOS firmware version 4.0 MR3
FortiOS firmware version 5.0.x
 

Solution
VRRP can only be configured in the CLI.
 
 
FortiGate configuration:
 
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.40.3 255.255.255.0
        set allowaccess ping ssh http
        set type physical
        set vrrp-virtual-mac enable
        config vrrp
            edit 40
                set vrip 192.168.40.1
            next
        end
    next
end
 
 
Cisco router configuration:
 
Note: For authoritative guidance on configuring Cisco equipment, refer to that equipment's product documentation. Fortinet Technical Support cannot provide assistance with the configuration, operation, or troubleshooting of third-party equipment.
   
interface FastEthernet0/0
 ip address 192.168.40.2 255.255.255.0
 duplex auto
 speed auto
 vrrp 40 ip 192.168.40.1
 
When configuring VRRP, it is important to ensure that the Group-IDs are the same on both devices. In the FortiGate configuration, this is the “edit 40” setting; on the Cisco router, it is the 40 in “vrrp 40 ip…”. If these values do not match, VRRP will not negotiate correctly.
 
It is also important to ensure the following command is issued on the FortiGate network interface. This enables the VRRP virtual MAC address between the two devices:
 
set vrrp-virtual-mac enable
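
The two requirements above (matching Group-IDs and the virtual MAC setting) can be checked offline before the configurations are applied. The following Python script is an added example, not part of the original article or of any Fortinet tool; the function names and the sample configurations are constructed for illustration, and the virtual IP comparison goes slightly beyond the text.

```python
import re

# Constructed sample configs; the router uses group 39 to show the mismatch.
FORTIGATE_CFG = """\
config system interface
    edit "port1"
        set vrrp-virtual-mac enable
        config vrrp
            edit 40
                set vrip 192.168.40.1
            next
        end
    next
end
"""
CISCO_CFG = """\
interface FastEthernet0/0
 vrrp 39 ip 192.168.40.1
"""

def fortigate_vrrp(cfg):
    """Return ({vrid: vrip}, virtual_mac_enabled) from a FortiOS interface block."""
    groups, vrid, in_vrrp = {}, None, False
    for line in (l.strip() for l in cfg.splitlines()):
        if line == "config vrrp":
            in_vrrp = True
        elif in_vrrp and line == "end":
            in_vrrp = False
        elif in_vrrp and (m := re.fullmatch(r"edit (\d+)", line)):
            vrid = int(m.group(1))
        elif in_vrrp and (m := re.fullmatch(r"set vrip (\S+)", line)):
            groups[vrid] = m.group(1)
    return groups, "set vrrp-virtual-mac enable" in cfg

def cisco_vrrp(cfg):
    """Return {vrid: vrip} from 'vrrp <id> ip <addr>' lines."""
    return {int(g): ip for g, ip in re.findall(r"^\s*vrrp (\d+) ip (\S+)", cfg, re.M)}

def check_pair(fg_cfg, cisco_cfg):
    """List problems that would stop the two peers forming one VRRP group."""
    (fg, vmac), cisco = fortigate_vrrp(fg_cfg), cisco_vrrp(cisco_cfg)
    problems = [] if vmac else ["vrrp-virtual-mac is not enabled on the FortiGate"]
    for vrid in sorted(set(fg) | set(cisco)):
        if vrid in fg and vrid in cisco:
            if fg[vrid] != cisco[vrid]:
                problems.append(f"group {vrid}: virtual IP {fg[vrid]} vs {cisco[vrid]}")
        else:
            problems.append(f"group {vrid} only on {'FortiGate' if vrid in fg else 'Cisco'}")
    return problems
```

Calling check_pair(FORTIGATE_CFG, CISCO_CFG) on the constructed samples reports group 39 as present only on the Cisco side and group 40 only on the FortiGate side, which is the same mismatch the debug output in the Troubleshooting section shows.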
 
 
Troubleshooting:
 
The following debug command shows the error below when the Group-IDs do not match.
 
diagnose debug application vrrpd -1
 
[vrrp_vrt_leave_master:995]: internal, vrid 40, vrip 192.168.40.1, (255 1 1)
[vrrp_vrt_goto_master:963]: internal, vrid 40, vrip 192.168.40.1, (255 1 1)
[vrrp_packet_proc:1411]: cannot find vrt (11, 39)
[vrrp_packet_proc:1411]: cannot find vrt (11, 39)
[vrrp_packet_proc:1411]: cannot find vrt (11, 39) 
   <- Group-ID 39 is misconfigured on the router
 
 
Other related commands:
 
The “vrdst” setting monitors a next-hop address. Should this monitoring fail, the FortiGate unit will go into the Backup state. This is similar to the track function on a Cisco router.
 
config vrrp
    edit 40
        set vrdst <ip address>
 
VRRP “preempt” and “priority” are also available:
 
config vrrp
    edit 40
        set preempt  <enable/disable>   (enabled is the default)
        set priority <1-255>            (100 is the default)
 
To display the VRRP configuration and status:
 
get router info vrrp
 
Interface: internal, primary IP address: 192.168.40.3
  UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  VRID: 40
    vrip: 192.168.40.1, priority: 255, state: MASTER
    adv_interval: 1, preempt: 1, start_time: 3
    vrdst: 0.0.0.0
 
For more details on the VRRP configuration options, please refer to the FortiOS CLI Reference guide.
 

Internal Notes
Article author: Jason Graun, Network Security Architects team
 
