Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
caunon
Staff
Staff

Created on ‎02-19-2023 10:04 PM Edited on ‎02-26-2025 06:06 AM By Community Manager

Article Id 246348

Technical Tip: How to check VRRP sessions and event logs

Description

This article describes that in some scenarios, it is necessary to check the session details of VRRP (Virtual Router Redundancy Protocol) to investigate further issues.
Scope

FortiGate.
Solution

To investigate VRRP sessions in FortiGate, use the CLI commands below to investigate VRRP further sessions:

 

FGT # diagnose sys session list | grep proto=112 -A 15

 

Example:

 

FGT # diagnose sys session list | grep proto=112 -A 15

 

session info: proto=112 proto_state=00 duration=599 expire=4 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log dirty local may_dirty
statistic(bytes/packets/allow_err): org=160/4/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->in, reply out->post dev=22->0/30->22 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.15.45.45:0->224.0.0.18:0(0.0.0.0:0)
hook=post dir=reply act=noop 224.0.0.18:0->10.15.45.45:0(0.0.0.0:0)
src_mac=15:15:15:00:01:04
misc=0 policy_id=95 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=000003bf tos=00/00 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
--
session info: proto=112 proto_state=00 duration=599 expire=4 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log dirty local may_dirty
statistic(bytes/packets/allow_err): org=160/4/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->in, reply out->post dev=19->0/30->19 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.15.65.45:0->224.0.0.18:0(0.0.0.0:0)
hook=post dir=reply act=noop 224.0.0.18:0->10.15.65.45:0(0.0.0.0:0)
src_mac=15:15:15:45:01:01
misc=0 policy_id=95 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=000003ba tos=00/00 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
--
session info: proto=112 proto_state=00 duration=599 expire=4 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log dirty local may_dirty
statistic(bytes/packets/allow_err): org=160/4/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->in, reply out->post dev=5->0/30->5 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.15.61.45:0->224.0.0.18:0(0.0.0.0:0)
hook=post dir=reply act=noop 224.0.0.18:0->10.15.61.45:0(0.0.0.0:0)
src_mac=15:15:15:45:01:09
misc=0 policy_id=95 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=000003bd tos=00/00 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
--
session info: proto=112 proto_state=00 duration=599 expire=4 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log dirty local may_dirty
statistic(bytes/packets/allow_err): org=160/4/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->in, reply out->post dev=26->0/30->26 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.15.64.55:0->224.0.0.18:0(0.0.0.0:0)
hook=post dir=reply act=noop 224.0.0.18:0->10.15.64.55:0(0.0.0.0:0)
src_mac=15:15:15:45:01:05
misc=0 policy_id=95 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=000003c2 tos=00/00 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
--
session info: proto=112 proto_state=00 duration=599 expire=3 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log dirty local may_dirty
statistic(bytes/packets/allow_err): org=160/4/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->in, reply out->post dev=10->0/30->10 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 15.15.15.15:0->224.0.0.18:0(0.0.0.0:0)
hook=post dir=reply act=noop 224.0.0.18:0->15.15.15.15:0(0.0.0.0:0)
misc=0 policy_id=95 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=000003c4 tos=00/00 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local

 

For Event Logs.

 

Sample Event log:

 

date=2024-10-15 time=14:23:45 logid=27001 type=event subtype=router level=information devid=FGT1234567890 vd=root eventtime=1697383425 tz=UTC logdesc="VRRP state changed" msg="VRRP state changed from BACKUP to MASTER on interface port1"

 

For more information about this event log, refer to the following documentation:

27001 - LOG_ID_VRRP_STATE_CHG | FortiGate / FortiOS 7.4.7

 

To view logs via the CLI, refer to the following documentation:

Troubleshooting Tip: Viewing FortiGate log entries from the CLI

 

For VRRP configuration and troubleshooting, refer to the following documentation:

Technical Tip: FortiGate VRRP configuration and debug
3720
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.