FortiGate
wdeloraine_FTNT
Article Id 329077
Description This article describes how the routing information is populated inside a chassis-based FortiGate.
Scope 6000 and 7000 FortiGate series
Solution

Routing table (RIB) entries are handled by the Zebos daemon in FortiOS.

The same is true on a chassis-based FortiGate, except that Zebos only runs on the primary FPC (6000 series) or the primary FPM (7000 series).

Use this command to find out which worker is the primary one:

get system status | grep "Primary:"

This is why the output of the command get router info routing-table all can appear incomplete when run on a non-primary worker.

Here is an example of output from the primary FPM:

 

get router info routing-table all
Routing table for VRF=0
O 11.1.1.1/32 [110/101] via 192.168.0.20, LAN, 01:01:13 (dynamic route in RIB)
C 83.231.212.0/24 is directly connected, WAN
C 149.5.228.0/24 is directly connected, WAN
S 172.16.10.0/24 [10/0] via 192.168.0.20, LAN (static route in RIB)
C 192.168.0.0/24 is directly connected, LAN

Below is an example of output from a non-primary FPM:

get router info routing-table all
Routing table for VRF=0
C 83.231.212.0/24 is directly connected, WAN
C 149.5.228.0/24 is directly connected, WAN
C 192.168.0.0/24 is directly connected, LAN

Only connected routes (so-called kernel routes) are populated in the RIB of a non-primary FPM.

To work around this and avoid any issue forwarding traffic, the forwarding table (FIB) is synced from the primary FPM to the other FPMs. This is done by the chlbd daemon.

Below is example output of the FIB on the primary FPM:

diagnose ip route list
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->11.1.1.1/32 pref=0.0.0.0 gwy=192.168.0.20 dev=129(LAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->83.231.212.0/24 pref=83.231.212.1 gwy=0.0.0.0 dev=130(WAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->149.5.228.0/24 pref=149.5.228.1 gwy=0.0.0.0 dev=130(WAN)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->172.16.10.0/24 pref=0.0.0.0 gwy=192.168.0.20 dev=129(LAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.0.0/24 pref=192.168.0.254 gwy=0.0.0.0 dev=129(LAN)

proto=11 means the entry was inherited from Zebos.

Below is example output of the FIB on a non-primary FPM:

FGT-7K-01 [FPM04] (root) # diagnose ip route list
tab=254 vf=0 scope=0 type=1 proto=18* prio=16777216 0.0.0.0/0.0.0.0/0->11.1.1.1/32 pref=0.0.0.0 gwy=192.168.0.20 dev=129(LAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->83.231.212.0/24 pref=83.231.212.1 gwy=0.0.0.0 dev=130(WAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->149.5.228.0/24 pref=149.5.228.1 gwy=0.0.0.0 dev=130(WAN)
tab=254 vf=0 scope=0 type=1 proto=18* prio=16777216 0.0.0.0/0.0.0.0/0->172.16.10.0/24 pref=0.0.0.0 gwy=192.168.0.20 dev=129(LAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.0.0/24 pref=192.168.0.254 gwy=0.0.0.0 dev=129(LAN)

The FIB entries corresponding to the Zebos IP routes have been synced to the non-primary FPM using proto 18 (the HA protocol for syncing). When troubleshooting forwarding on a chassis, compare the FIB (diagnose ip route list) on the primary and on the affected worker rather than the RIB, since the RIB of a non-primary worker is expected to be incomplete.
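As an added example (not part of this article and not a Fortinet tool), the following Python script parses `diagnose ip route list` output captured from the primary FPM and from a non-primary FPM, classifies each FIB entry by its proto value as the article explains it (2 kernel/connected, 11 inherited from Zebos, 18 HA-synced by chlbd), and reports Zebos routes that a worker is missing or carries with a different next hop or egress device. The sample input is the article's two listings plus a constructed "stale worker" listing; the trailing `*` on `proto=18*` is recorded as a flag only, since the article does not describe its meaning.

```python
import re
from dataclasses import dataclass

# Route-origin protocol numbers as they appear in "diagnose ip route list",
# following the article's explanation of the FortiOS chassis FIB.
PROTO_KERNEL = 2     # connected route installed by the kernel
PROTO_ZEBOS = 11     # route inherited from Zebos (present on the primary worker)
PROTO_HA_SYNC = 18   # route synced from the primary worker by chlbd
PROTO_NAMES = {PROTO_KERNEL: "kernel", PROTO_ZEBOS: "zebos", PROTO_HA_SYNC: "ha-sync"}

# Matches one FIB line; the CLI prompt and blank lines do not match and are skipped.
_LINE_RE = re.compile(
    r"tab=\d+\s+vf=(?P<vf>\d+)\s+scope=\d+\s+type=\d+\s+"
    r"proto=(?P<proto>\d+)(?P<star>\*?)\s+prio=\d+\s+"
    r"\S+->(?P<dst>[\d.]+/\d+)\s+pref=[\d.]+\s+gwy=(?P<gwy>[\d.]+)\s+"
    r"dev=\d+\((?P<dev>[^)]*)\)"
)


@dataclass(frozen=True)
class FibEntry:
    vrf: int
    dst: str
    gateway: str
    dev: str
    proto: int
    starred: bool  # trailing '*' on proto, as shown on the proto=18 entries above

    @property
    def origin(self) -> str:
        return PROTO_NAMES.get(self.proto, f"proto-{self.proto}")


def parse_fib(text: str) -> list:
    """Parse 'diagnose ip route list' output into FibEntry objects."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if m is None:
            continue
        entries.append(FibEntry(vrf=int(m["vf"]), dst=m["dst"], gateway=m["gwy"],
                                dev=m["dev"], proto=int(m["proto"]),
                                starred=m["star"] == "*"))
    return entries


def compare_fib(primary: list, worker: list) -> tuple:
    """Prefixes missing on the worker, and prefixes whose next hop/device differs."""
    pmap = {(e.vrf, e.dst): e for e in primary}
    wmap = {(e.vrf, e.dst): e for e in worker}
    missing = sorted(dst for (_, dst) in pmap.keys() - wmap.keys())
    mismatched = sorted(dst for key in pmap.keys() & wmap.keys()
                        for (_, dst) in [key]
                        if (pmap[key].gateway, pmap[key].dev)
                        != (wmap[key].gateway, wmap[key].dev))
    return missing, mismatched


def unsynced_zebos_routes(primary: list, worker: list) -> list:
    """Zebos routes (proto 11) on the primary that the worker lacks as proto 18 entries."""
    wmap = {(e.vrf, e.dst): e for e in worker}
    bad = [e.dst for e in primary if e.proto == PROTO_ZEBOS
           and (wmap.get((e.vrf, e.dst)) is None
                or wmap[(e.vrf, e.dst)].proto != PROTO_HA_SYNC)]
    return sorted(bad)


# Sample input: the article's listing from the primary FPM.
PRIMARY_FIB = """\
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->11.1.1.1/32 pref=0.0.0.0 gwy=192.168.0.20 dev=129(LAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->83.231.212.0/24 pref=83.231.212.1 gwy=0.0.0.0 dev=130(WAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->149.5.228.0/24 pref=149.5.228.1 gwy=0.0.0.0 dev=130(WAN)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->172.16.10.0/24 pref=0.0.0.0 gwy=192.168.0.20 dev=129(LAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.0.0/24 pref=192.168.0.254 gwy=0.0.0.0 dev=129(LAN)
"""

# Sample input: the article's listing from the non-primary FPM04, prompt included.
WORKER_FIB = """\
FGT-7K-01 [FPM04] (root) # diagnose ip route list
tab=254 vf=0 scope=0 type=1 proto=18* prio=16777216 0.0.0.0/0.0.0.0/0->11.1.1.1/32 pref=0.0.0.0 gwy=192.168.0.20 dev=129(LAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->83.231.212.0/24 pref=83.231.212.1 gwy=0.0.0.0 dev=130(WAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->149.5.228.0/24 pref=149.5.228.1 gwy=0.0.0.0 dev=130(WAN)
tab=254 vf=0 scope=0 type=1 proto=18* prio=16777216 0.0.0.0/0.0.0.0/0->172.16.10.0/24 pref=0.0.0.0 gwy=192.168.0.20 dev=129(LAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.0.0/24 pref=192.168.0.254 gwy=0.0.0.0 dev=129(LAN)
"""

# Constructed sample (not from the article) of a worker whose FIB sync is stale:
# 172.16.10.0/24 is absent and 11.1.1.1/32 points at a made-up gateway.
STALE_WORKER_FIB = """\
tab=254 vf=0 scope=0 type=1 proto=18* prio=16777216 0.0.0.0/0.0.0.0/0->11.1.1.1/32 pref=0.0.0.0 gwy=192.168.0.21 dev=129(LAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->83.231.212.0/24 pref=83.231.212.1 gwy=0.0.0.0 dev=130(WAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->149.5.228.0/24 pref=149.5.228.1 gwy=0.0.0.0 dev=130(WAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.0.0/24 pref=192.168.0.254 gwy=0.0.0.0 dev=129(LAN)
"""

if __name__ == "__main__":
    primary = parse_fib(PRIMARY_FIB)
    for name, text in (("FPM04", WORKER_FIB), ("stale worker", STALE_WORKER_FIB)):
        worker = parse_fib(text)
        missing, mismatched = compare_fib(primary, worker)
        print(f"{name}: missing={missing} mismatched={mismatched} "
              f"unsynced={unsynced_zebos_routes(primary, worker)}")
```

Run against the article's two listings the script reports nothing missing or mismatched and no unsynced Zebos routes; against the constructed stale listing it reports 172.16.10.0/24 as missing and unsynced, and 11.1.1.1/32 as present but with a different next hop, which is the kind of discrepancy worth checking before suspecting Zebos itself.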