Solution
VRRP does not actively monitor the configured destination IP (or subnet). It relies only on whether there is a valid route to the destination.
To actively monitor the IP, use the link-monitor feature.
VRRP should be used to follow the default route, and the default route is kept in case the link monitor fails.
Configuration on FGT-A:
config system interface
    edit "wan1"
        set ip 198.51.100.2 255.255.255.0
    next
    edit "lan1"
        set ip 10.0.0.252 255.255.255.0
        config vrrp
            edit 100
                set vrgrp 100
                set vrip 10.0.0.254
                set priority 200
                set vrdst 1.1.1.1
                set vrdst-priority 10
                set ignore-default-route enable
            next
        end
    next
end

config router static
    edit 1
        set gateway 198.51.100.1
        set device "wan1"
        set link-monitor-exempt enable
    next
    edit 2
        set dst 1.1.1.1 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
end

config system link-monitor
    edit "monitor-vrrp-destination"
        set srcintf "wan1"
        set server "1.1.1.1"
    next
end

Configuration on FGT-B:
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
    next
    edit "lan1"
        set ip 10.0.0.253 255.255.255.0
        config vrrp
            edit 100
                set vrgrp 100
                set vrip 10.0.0.254
            next
        end
    next
end

config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end

Troubleshooting:
FGT-A # diagnose sys link-monitor status
Link Monitor: monitor-vrrp-destination, Status: alive, Server num(1), Flags=0x1 init, Create time: Thu Jan 1 00:00:00 1970
Source interface: wan1 (4)
Interval: 500 ms
  Peer: 1.1.1.1(1.1.1.1)
        Source IP(198.51.100.2)
        Route: 198.51.100.2->1.1.1.1/32, gwy(198.51.100.1)
        protocol: ping, state: alive
                Latency(Min/Max/Avg): 1.297/3.455/1.418 ms
                Jitter(Min/Max/Avg): 0.000/2.143/0.195
                Packet lost: 0.000%
                Number of out-of-sequence packets: 0
                Fail Times(0/5)
                Packet sent: 4098, received: 2415, Sequence(sent/rcvd/exp): 4099/4099/4100

FGT-A # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.252
  UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: master (0:0:1)
  VRRP master number: 1
  VRID: 100 verion: 2
    vrip: 10.0.0.254, priority: 200 (200,10), state: MASTER
    adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 90:6c:ac:3a:a9:b1
    vrdst: 1.1.1.1
    vrgrp: 100

FGT-A # get router info routing-table database
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [10/0] via 198.51.100.1, wan1
S    *> 1.1.1.1/32 [10/0] via 198.51.100.1, wan1
C    *> 10.0.0.0/24 is directly connected, lan1
C    *> 10.0.0.254/32 is directly connected, lan1
C    *> 198.51.100.0/24 is directly connected, wan1

FGT-B # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.253
  UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: master (0:0:1)
  VRRP master number: 0
  VRID: 100 verion: 2
    vrip: 10.0.0.254, priority: 100 (100,0), state: BACKUP
    adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 90:6c:ac:66:36:90
    vrdst:
    vrgrp: 100

FGT-B # get router info routing-table database
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C    *> 10.0.0.0/24 is directly connected, lan1
C    *> 203.0.113.0/24 is directly connected, wan1

After failover:
FGT-A # diagnose sys link-monitor status
Link Monitor: monitor-vrrp-destination, Status: die, Server num(1), Flags=0x9 init, Create time: Thu Jan 1 00:00:00 1970
Source interface: wan1 (4)
Interval: 500 ms
  Peer: 1.1.1.1(1.1.1.1)
        Source IP(198.51.100.2)
        Route: 198.51.100.2->1.1.1.1/32, gwy(198.51.100.1)
        protocol: ping, state: die
                Packet lost: 98.000%
                Number of out-of-sequence packets: 0
                Recovery times(0/5) Fail Times(4/5)
                Packet sent: 2106, received: 1522, Sequence(sent/rcvd/exp): 2107/2007/2008

FGT-A # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.252
  UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: master (0:0:1)
  VRRP master number: 1
  VRID: 100 verion: 2
    vrip: 10.0.0.254, priority: 10 (200,10), state: BACKUP
    adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 90:6c:ac:3a:a9:b1
    vrdst: 1.1.1.1
    vrgrp: 100

FGT-A # get router info routing-table database
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [10/0] via 198.51.100.1, wan1
S       1.1.1.1/32 [10/0] via 198.51.100.1, wan1 inactive
C    *> 10.0.0.0/24 is directly connected, lan1
C    *> 198.51.100.0/24 is directly connected, wan1

FGT-B:
FGT-B # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.253
  UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: master (0:0:1)
  VRRP master number: 1
  VRID: 100 verion: 2
    vrip: 10.0.0.254, priority: 100 (100,0), state: MASTER
    adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 90:6c:ac:66:36:90
    vrdst:
    vrgrp: 100

FGT-B # get router info routing-table database
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C    *> 10.0.0.0/24 is directly connected, lan1
C    *> 10.0.0.254/32 is directly connected, lan1
C    *> 203.0.113.0/24 is directly connected, wan1

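The before/after comparison above can be turned into a monitoring check. The following Python is an added example, not Fortinet code and not part of the original article: it parses `get router info vrrp` and `diagnose sys link-monitor status` text and reports a demoted group, a dead link monitor that did not demote VRRP, and a tracked destination that the default route can satisfy. The sample strings are constructed from the FGT-A outputs above, and reading the parenthesised pair as (configured priority, vrdst-priority) is an assumption based on the values this article configures.

```python
import re

# Constructed sample: FGT-A output from this article, trimmed to the parsed lines.
VRRP_OK = """Interface: lan1, primary IP address: 10.0.0.252
  VRID: 100 verion: 2
    vrip: 10.0.0.254, priority: 200 (200,10), state: MASTER
    adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
    vrdst: 1.1.1.1
"""
VRRP_FAILED = VRRP_OK.replace("priority: 200 (200,10), state: MASTER",
                              "priority: 10 (200,10), state: BACKUP")
MON_ALIVE = "Link Monitor: monitor-vrrp-destination, Status: alive, Server num(1)"
MON_DIE = MON_ALIVE.replace("alive", "die")

# Assumption: the pair in parentheses is (configured priority, vrdst-priority),
# which matches the values configured in this article.
VRRP_RE = re.compile(
    r"VRID:\s*(?P<vrid>\d+).*?vrip:\s*(?P<vrip>[\d.]+),\s*"
    r"priority:\s*(?P<eff>\d+)\s*\((?P<base>\d+),(?P<dst>\d+)\),\s*"
    r"state:\s*(?P<state>\w+).*?ignore_dft:\s*(?P<ignore_dft>\d)"
    r".*?vrdst:[ \t]*(?P<vrdst>[\d. ]*)", re.S)
INT_FIELDS = ("vrid", "eff", "base", "dst", "ignore_dft")

def parse_vrrp(text):
    """Return one dict per VRID block in 'get router info vrrp' output."""
    return [{k: int(v) if k in INT_FIELDS else v.strip()
             for k, v in m.groupdict().items()}
            for m in VRRP_RE.finditer(text)]

def monitor_state(text):
    """Return the 'Status:' value of the first link monitor, or None."""
    m = re.search(r"Link Monitor:[^,]+,\s*Status:\s*(\w+)", text)
    return m.group(1) if m else None

def assess(vrrp_text, monitor_text):
    """List conditions worth an alert for each VRRP group that uses vrdst."""
    findings, mon = [], monitor_state(monitor_text)
    for g in parse_vrrp(vrrp_text):
        if not g["vrdst"]:
            continue  # no destination tracking on this group (FGT-B above)
        demoted = g["eff"] == g["dst"] != g["base"]
        if demoted:
            findings.append(f"VRID {g['vrid']}: {g['vrdst']} unreachable, "
                            f"priority {g['base']}->{g['eff']}, {g['state']}")
        if mon == "die" and not demoted:
            findings.append(f"VRID {g['vrid']}: link monitor is down but priority unchanged")
        if not g["ignore_dft"]:
            findings.append(f"VRID {g['vrid']}: ignore_dft=0, default route satisfies vrdst")
    return findings
```
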
From FortiOS v7.6.0, the VRRP Hello interval can be configured in milliseconds:
config system interface
    edit <port>
        config vrrp
            edit 1
                set vrip <IP address>
                set adv-interval <interval value, in milliseconds (250 - 255000)>
            next
        end
    next
end

Refer to for more information.