FortiGate does not use an active ping monitor to determine whether a VRRP destination (vrdst) subnet is reachable. VRRP on a FortiGate checks the kernel routing table (get router info kernel) for a matching entry.
- A situation can occur where the default route is returned as the best route for the monitored subnet (for example, when the tunnel or link that normally carries it goes down and the lookup falls through to the default route).
- In this case VRRP never decreases the priority, because a matching route still exists. To mitigate this, add a blackhole route for the monitored subnet with a high administrative distance.
- When dynamic or static routing removes the preferred route, the blackhole route becomes the best route and the kernel reports to VRRP that the monitored subnet is not reachable, so the vrdst-priority is applied.
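The following is an added example, not part of the original article or of FortiOS, that models the route lookup described above: longest-prefix match over the active routes, with the lowest distance winning ties. It shows that with only a default route (assumed here to leave via wan2) a failed tunnel still yields a "best" route for 8.8.8.8, so the priority never drops, and that the distance-254 blackhole route changes that outcome.

```python
"""Model of the kernel route lookup that FortiGate VRRP relies on for vrdst monitoring.
Added example; the table contents are constructed to mirror the article."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: str            # destination in CIDR form
    device: str            # outgoing interface; "Null" marks a blackhole route
    distance: int          # administrative distance, lower is preferred
    active: bool = True    # False when the link or tunnel carrying the route is down


def best_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over active routes; on equal prefix length the
    lowest administrative distance wins (the entry the CLI marks as 'best')."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table
                  if r.active and addr in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))


def vrrp_priority(table: List[Route], vrdst: str, priority: int, vrdst_priority: int) -> int:
    """vrdst counts as reachable only if the best route is a real forwarding route.
    No route at all, or a blackhole (Null) route, drops the priority to vrdst-priority."""
    r = best_route(table, vrdst)
    if r is None or r.device == "Null":
        return vrdst_priority
    return priority


def build_table(tunnel_up: bool, with_blackhole: bool) -> List[Route]:
    """Constructed table: a default route out wan2 (assumed, not shown on the page),
    the /32 for 8.8.8.8 over the site2site tunnel, and optionally the blackhole."""
    table = [
        Route("0.0.0.0/0", "wan2", 10),
        Route("8.8.8.8/32", "site2site", 10, active=tunnel_up),
    ]
    if with_blackhole:
        table.append(Route("8.8.8.8/32", "Null", 254))
    return table


if __name__ == "__main__":
    for tunnel_up in (True, False):
        for bh in (False, True):
            t = build_table(tunnel_up, bh)
            r = best_route(t, "8.8.8.8")
            print(f"tunnel_up={tunnel_up!s:5} blackhole={bh!s:5} "
                  f"best={r.prefix if r else None} via {r.device if r else '-'} "
                  f"-> priority {vrrp_priority(t, '8.8.8.8', 150, 50)}")
```

Without the blackhole, the "tunnel down" row still resolves 8.8.8.8 to 0.0.0.0/0 and keeps priority 150; with the blackhole, the /32 Null route wins the longest-prefix match and the priority falls to 50.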
Example configuration: the VRRP instance on wan2 monitors 8.8.8.8 (reached over the site2site VPN) and drops its priority from 150 to 50 when that destination disappears from the kernel routing table.
config system interface
edit "wan2"
set vdom "root"
set ip 10.25.4.158 255.255.240.0
set allowaccess ping https ssh http telnet fgfm
set type physical
set device-identification enable
set fortiheartbeat enable
set endpoint-compliance enable
config vrrp
edit 1
set vrgrp 1
set vrip 10.25.4.159
set priority 150
set vrdst 8.8.8.8 <-- Monitored destination
set vrdst-priority 50 <-- Priority applied if the destination is unreachable
next
end
set role lan
set snmp-index 4
next
end
# show firewall addrgrp site2site_remote
config firewall addrgrp
edit "site2site_remote"
set uuid 56ec12bc-4ef5-51e9-20a8-fc0d03474032
set member "site2site_remote_subnet_1"
set comment "VPN: site2site (Created by VPN wizard)"
set allow-routing enable
next
end
# show firewall address site2site_remote_subnet_1
config firewall address
edit "site2site_remote_subnet_1"
set uuid 56e0d67c-4ef5-51e9-a908-b7caf71336be
set allow-routing enable
set subnet 8.8.8.8 255.255.255.255
next
end
# show router static 4
config router static
edit 4
set device "site2site"
set comment "VPN: site2site (Created by VPN wizard)"
set dstaddr "site2site_remote"
next
end
The blackhole route below uses distance 254 so that it is only selected once the tunnel route (distance 10) is withdrawn:
# show router static 5
config router static
edit 5
set distance 254
set comment "VPN: site2site (Created by VPN wizard)"
set blackhole enable
set dstaddr "site2site_remote"
next
end
# get router info vrrp
Interface: wan2, primary IP address: 10.25.4.158
UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
HA mode: master (0:1) VRRP master number: 1
VRID: 1 verion: 2
vrip: 10.25.4.159, priority: 150 (150,50), state: MASTER <<< Priority is 150
adv_interval: 1, preempt: 1, start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 90:6c:ac:b8:4e:39
vrdst: 8.8.8.8
vrgrp: 1
The following shows the kernel routing table when the VPN is up; the tunnel route is best and the blackhole entry is present but not selected:
# get router info routing-table details 8.8.8.8
Routing table for VRF=0
Routing entry for 8.8.8.8/32
Known via "static", distance 254, metric 0
directly connected, Null
Routing entry for 8.8.8.8/32
Known via "static", distance 10, metric 0, best
* directly connected, site2site
The following shows the kernel routing table when VPN is down:
# get router info routing-table details 8.8.8.8
Routing table for VRF=0
Routing entry for 8.8.8.8/32
Known via "static", distance 254, metric 0, best
* directly connected, Null
Routing entry for 8.8.8.8/32
Known via "static", distance 10, metric 0
directly connected, site2site inactive
# get router info vrrp
Interface: wan2, primary IP address: 10.25.4.158
UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
HA mode: master (0:1) VRRP master number: 1
VRID: 1 verion: 2
vrip: 10.25.4.159, priority: 50 (150,50), state: Slave <<< Priority of the member is decreased
adv_interval: 1, preempt: 1, start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 90:6c:ac:b8:4e:39
vrdst: 8.8.8.8
vrgrp: 1
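As an added check (not part of the original article or of any Fortinet tool), the script below parses the "get router info routing-table details" output shown above and reports whether the entry the kernel marks as best is a blackhole. It handles only the "directly connected" next-hop form that appears on this page; the two sample outputs are constructed from the article, and the priority values are the ones configured above.

```python
"""Parse FortiGate 'get router info routing-table details <ip>' output and decide
whether VRRP will treat the vrdst as reachable. Added example; samples are
constructed from the article's own output."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: VPN up, tunnel route is best, blackhole present but not selected.
SAMPLE_VPN_UP = """\
Routing table for VRF=0
Routing entry for 8.8.8.8/32
  Known via "static", distance 254, metric 0
  directly connected, Null
Routing entry for 8.8.8.8/32
  Known via "static", distance 10, metric 0, best
  * directly connected, site2site
"""

# Constructed sample: VPN down, tunnel route inactive, blackhole becomes best.
SAMPLE_VPN_DOWN = """\
Routing table for VRF=0
Routing entry for 8.8.8.8/32
  Known via "static", distance 254, metric 0, best
  * directly connected, Null
Routing entry for 8.8.8.8/32
  Known via "static", distance 10, metric 0
  directly connected, site2site inactive
"""


@dataclass
class Entry:
    prefix: str
    protocol: str
    distance: int
    device: str
    best: bool
    inactive: bool


# One routing entry spans three lines; only the "directly connected" form on the page is handled.
ENTRY_RE = re.compile(
    r'Routing entry for (?P<prefix>\S+)[ \t]*\n'
    r'[ \t]*Known via "(?P<proto>[^"]+)", distance (?P<dist>\d+), metric \d+(?P<best>, best)?[ \t]*\n'
    r'[ \t]*\*?[ \t]*directly connected, (?P<dev>\S+)(?P<inactive> inactive)?'
)


def parse_entries(text: str) -> List[Entry]:
    """Return every routing entry found in the CLI output, in order."""
    return [Entry(m["prefix"], m["proto"], int(m["dist"]), m["dev"],
                  m["best"] is not None, m["inactive"] is not None)
            for m in ENTRY_RE.finditer(text)]


def kernel_best(text: str) -> Optional[Entry]:
    """The entry the kernel flagged as 'best'; None if the destination has no route."""
    best = [e for e in parse_entries(text) if e.best]
    return best[0] if best else None


def vrdst_reachable(text: str) -> bool:
    """VRRP treats the destination as reachable only when the best route is a real
    forwarding route, i.e. not the Null (blackhole) interface."""
    e = kernel_best(text)
    return e is not None and e.device != "Null"


def expected_priority(text: str, priority: int, vrdst_priority: int) -> int:
    """Priority VRRP should advertise given this routing-table output."""
    return priority if vrdst_reachable(text) else vrdst_priority


if __name__ == "__main__":
    for label, sample in (("VPN up", SAMPLE_VPN_UP), ("VPN down", SAMPLE_VPN_DOWN)):
        e = kernel_best(sample)
        print(f"{label}: best via {e.device if e else None}, "
              f"reachable={vrdst_reachable(sample)}, "
              f"priority={expected_priority(sample, 150, 50)}")
```

Run it against the live output (for example, piped in from an SSH session) to confirm the blackhole is actually being selected before trusting a failover test; an entry with no "best" flag on the Null route while the tunnel shows "inactive" would indicate another route (typically the default) is still matching.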
Copyright 2024 Fortinet, Inc. All Rights Reserved.