FortiGate
jangelis (Staff)
Article Id 214419
Description

This article describes how to configure VRRP together with the link-monitor feature using only static routes (no dynamic routing protocol is involved).
Scope

The objective is for the master FortiGate (FGT-A) to actively monitor a destination IP (1.1.1.1 is used in this example) and, when that IP becomes unreachable, hand the virtual IP over to the backup FortiGate (FGT-B).

 

The network diagram:

 

Network diagram

 

Solution

VRRP does not actively probe the destination configured with vrdst. It only checks whether the routing table contains a valid route to that destination, and a static route stays valid as long as its interface is up, regardless of whether the destination actually answers.

To actively test reachability, the link-monitor feature is used: it pings 1.1.1.1 from wan1 and, when the probes fail, withdraws the static routes that use that interface (routes marked link-monitor-exempt are kept).

The pieces fit together as follows. A host route to 1.1.1.1/32 via wan1 is the route VRRP checks for vrdst; it is not exempt, so the link monitor removes it on failure. ignore-default-route is enabled on the VRRP instance so that VRRP does not treat the default route as a valid path to vrdst; without it the vrdst check would always pass while a default route exists. The default route itself is marked link-monitor-exempt so that it stays in the table when the link monitor fails: FGT-A keeps forwarding whatever traffic it still receives, while its VRRP priority drops from 200 to the vrdst-priority of 10, below FGT-B's default priority of 100, and FGT-B becomes master. Preempt is enabled by default, so once the monitor recovers and the host route is reinstalled FGT-A returns to priority 200 and takes the virtual IP back.

Two practical points. The monitored address decides when failover happens, so choose a target that is reliably reachable and whose ICMP policy is known; a single third-party host (1.1.1.1 here) makes failover depend on that host, and link-monitor accepts more than one server if several targets should be probed. FGT-B has no link monitor in this example; if its own upstream must be monitored as well, the same construction is applied on FGT-B. Finally, the VRRP exchanged on lan1 is version 2 (see the troubleshooting output) and carries no authentication, so any host on that segment that can send VRRP advertisements with a higher priority can claim the virtual IP; lan1 must be a trusted segment.

 

Configuration on FGT-A:

 

config system interface
    edit "wan1"
        set ip 198.51.100.2 255.255.255.0
    next
    edit "lan1"
        set ip 10.0.0.252 255.255.255.0
        config vrrp
            edit 100
                set vrgrp 100
                set vrip 10.0.0.254
                set priority 200
                set vrdst 1.1.1.1
                set vrdst-priority 10
                set ignore-default-route enable
            next
        end
    next
end


config router static
    edit 1
        set gateway 198.51.100.1
        set device "wan1"
        set link-monitor-exempt enable
    next
    edit 2
        set dst 1.1.1.1 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
end


config system link-monitor
    edit "monitor-vrrp-destination"
        set srcintf "wan1"
        set server "1.1.1.1"
    next
end

 

Configuration on FGT-B:

 

config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
    next
    edit "lan1"
        set ip 10.0.0.253 255.255.255.0
        config vrrp
            edit 100
                set vrgrp 100
                set vrip 10.0.0.254
            next
        end
    next
end


config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end

 

Troubleshooting:

 

FGT-A # diagnose sys link-monitor status

Link Monitor: monitor-vrrp-destination, Status: alive, Server num(1), Flags=0x1 init, Create time: Thu Jan 1 00:00:00 1970
Source interface: wan1 (4)
Interval: 500 ms
Peer: 1.1.1.1(1.1.1.1)
Source IP(198.51.100.2)
Route: 198.51.100.2->1.1.1.1/32, gwy(198.51.100.1)
protocol: ping, state: alive
Latency(Min/Max/Avg): 1.297/3.455/1.418 ms
Jitter(Min/Max/Avg): 0.000/2.143/0.195
Packet lost: 0.000%
Number of out-of-sequence packets: 0
Fail Times(0/5)
Packet sent: 4098, received: 2415, Sequence(sent/rcvd/exp): 4099/4099/4100

FGT-A # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.252
UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
HA mode: master (0:0:1) VRRP master number: 1
VRID: 100 verion: 2
vrip: 10.0.0.254, priority: 200 (200,10), state: MASTER
adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 90:6c:ac:3a:a9:b1
vrdst: 1.1.1.1
vrgrp: 100

FGT-A # get router info routing-table database

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [10/0] via 198.51.100.1, wan1
S *> 1.1.1.1/32 [10/0] via 198.51.100.1, wan1
C *> 10.0.0.0/24 is directly connected, lan1
C *> 10.0.0.254/32 is directly connected, lan1
C *> 198.51.100.0/24 is directly connected, wan1

FGT-B # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.253
UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
HA mode: master (0:0:1) VRRP master number: 0
VRID: 100 verion: 2
vrip: 10.0.0.254, priority: 100 (100,0), state: BACKUP
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 90:6c:ac:66:36:90
vrdst:
vrgrp: 100

FGT-B # get router info routing-table database

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C *> 10.0.0.0/24 is directly connected, lan1
C *> 203.0.113.0/24 is directly connected, wan1

 

After failover (1.1.1.1 has become unreachable from FGT-A: the link monitor reports die, the 1.1.1.1/32 route is inactive, FGT-A advertises priority 10 and FGT-B, still at 100, has taken over 10.0.0.254):

 

FGT-A # diagnose sys link-monitor status

Link Monitor: monitor-vrrp-destination, Status: die, Server num(1), Flags=0x9 init, Create time: Thu Jan 1 00:00:00 1970
Source interface: wan1 (4)
Interval: 500 ms
Peer: 1.1.1.1(1.1.1.1)
Source IP(198.51.100.2)
Route: 198.51.100.2->1.1.1.1/32, gwy(198.51.100.1)
protocol: ping, state: die
Packet lost: 98.000%
Number of out-of-sequence packets: 0
Recovery times(0/5) Fail Times(4/5)
Packet sent: 2106, received: 1522, Sequence(sent/rcvd/exp): 2107/2007/2008

FGT-A # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.252
UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
HA mode: master (0:0:1) VRRP master number: 1
VRID: 100 verion: 2
vrip: 10.0.0.254, priority: 10 (200,10), state: BACKUP
adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 90:6c:ac:3a:a9:b1
vrdst: 1.1.1.1
vrgrp: 100

FGT-A # get router info routing-table database

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [10/0] via 198.51.100.1, wan1
S 1.1.1.1/32 [10/0] via 198.51.100.1, wan1 inactive
C *> 10.0.0.0/24 is directly connected, lan1
C *> 198.51.100.0/24 is directly connected, wan1

 

FGT-B:

 

FGT-B # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.253
UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
HA mode: master (0:0:1) VRRP master number: 1
VRID: 100 verion: 2
vrip: 10.0.0.254, priority: 100 (100,0), state: MASTER
adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 90:6c:ac:66:36:90
vrdst:
vrgrp: 100

FGT-B # get router info routing-table database

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
> - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C *> 10.0.0.0/24 is directly connected, lan1
C *> 10.0.0.254/32 is directly connected, lan1
C *> 203.0.113.0/24 is directly connected, wan1
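The outputs above can be turned into an automated check. The following script is an added example and not part of the Fortinet article: it parses the two FortiOS outputs shown in the troubleshooting section (get router info vrrp and diagnose sys link-monitor status) and verifies that a node's advertised priority and VRRP state match what the design in the Solution section predicts (configured priority while the link monitor is alive, vrdst-priority once it has died, and the higher-priority node as MASTER). It also flags the common mistake of setting vrdst without ignore-default-route. The sample input is copied from the FGT-A output after failover; the field names are taken from those outputs, and peer_priority (the other node's effective priority) is an assumption the caller supplies.

```python
"""Added example, not from the Fortinet article: parse the two FortiOS
outputs the article shows and check that a node's VRRP role matches its
link-monitor state.  Field names come from the outputs reproduced in the
article; the consistency rule mirrors the article's design."""
import re

# Sample input copied (excerpted) from the article: FGT-A after failover.
VRRP_OUTPUT = """\
Interface: lan1, primary IP address: 10.0.0.252
UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
HA mode: master (0:0:1) VRRP master number: 1
VRID: 100 verion: 2
vrip: 10.0.0.254, priority: 10 (200,10), state: BACKUP
adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 90:6c:ac:3a:a9:b1
vrdst: 1.1.1.1
vrgrp: 100
"""
LINKMON_OUTPUT = """\
Link Monitor: monitor-vrrp-destination, Status: die, Server num(1), Flags=0x9 init, Create time: Thu Jan 1 00:00:00 1970
Source interface: wan1 (4)
Interval: 500 ms
Peer: 1.1.1.1(1.1.1.1)
protocol: ping, state: die
Packet lost: 98.000%
Recovery times(0/5) Fail Times(4/5)
"""

VRRP_RE = re.compile(r"vrip: (?P<vrip>[\d.]+), priority: (?P<prio>\d+) "
                     r"\((?P<cfg>\d+),(?P<vrdst_prio>\d+)\), state: (?P<state>\w+)")

def parse_vrrp(text):
    """Parse `get router info vrrp` into one dict per VRRP instance."""
    out = []
    for block in re.split(r"(?m)^Interface: ", text)[1:]:
        m = VRRP_RE.search(block)
        vrdst = re.search(r"(?m)^vrdst:[ \t]*(.*)$", block)
        out.append({
            "interface": block.split(",", 1)[0].strip(),
            "vrid": int(re.search(r"VRID: (\d+)", block).group(1)),
            "vrip": m.group("vrip"),
            "priority": int(m.group("prio")),              # advertised now
            "configured_priority": int(m.group("cfg")),    # 'set priority'
            "vrdst_priority": int(m.group("vrdst_prio")),  # 'set vrdst-priority'
            "state": m.group("state"),                     # MASTER / BACKUP
            "ignore_default_route": "ignore_dft: 1" in block,
            "vrdst": vrdst.group(1).split() if vrdst else [],
        })
    return out

def parse_link_monitor(text):
    """Parse `diagnose sys link-monitor status` into one dict per monitor."""
    out = []
    for block in re.split(r"(?m)^Link Monitor: ", text)[1:]:
        name, _, rest = block.partition(",")
        fails = re.search(r"Fail Times\((\d+)/(\d+)\)", rest)
        out.append({
            "name": name.strip(),
            "status": re.search(r"Status: (\w+)", rest).group(1),  # alive / die
            "srcintf": re.search(r"Source interface: (\S+)", rest).group(1),
            "peers": re.findall(r"(?m)^Peer: ([\d.]+)", rest),
            "packet_loss": float(re.search(r"Packet lost: ([\d.]+)%", rest).group(1)),
            "fail_times": (int(fails.group(1)), int(fails.group(2))) if fails else None,
        })
    return out

def expected_priority(inst, monitor_alive):
    """Configured priority while the vrdst route exists; vrdst-priority once
    the link monitor has withdrawn it (nodes without vrdst never change)."""
    if not inst["vrdst"] or monitor_alive:
        return inst["configured_priority"]
    return inst["vrdst_priority"]

def check_node(vrrp_text, linkmon_text, peer_priority):
    """Return anomaly strings (empty list = node is in the predicted state).
    peer_priority is the other node's effective priority; ties are not handled."""
    anomalies = []
    alive = all(m["status"] == "alive" for m in parse_link_monitor(linkmon_text))
    for inst in parse_vrrp(vrrp_text):
        tag = f"VRID {inst['vrid']} on {inst['interface']}"
        if inst["vrdst"] and not inst["ignore_default_route"]:
            anomalies.append(f"{tag}: vrdst set but ignore-default-route is off, so the "
                             "default route keeps vrdst routable and priority never drops")
        want = expected_priority(inst, alive)
        if inst["priority"] != want:
            anomalies.append(f"{tag}: advertising priority {inst['priority']}, expected {want}")
        want_state = "MASTER" if want > peer_priority else "BACKUP"  # preempt is on
        if inst["state"] != want_state:
            anomalies.append(f"{tag}: state {inst['state']}, expected {want_state}")
    return anomalies

if __name__ == "__main__":
    print(check_node(VRRP_OUTPUT, LINKMON_OUTPUT, peer_priority=100) or ["consistent"])
```

Run against the FGT-A output above with peer_priority=100 (FGT-B's default) the check returns no anomalies; feeding it the pre-failover VRRP output (priority 200, MASTER) together with the dead link-monitor output reports both the unexpected priority and the unexpected state, which is the "stuck master" condition to alert on.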

 

From FortiOS 7.6.0 the VRRP advertisement interval (adv-interval, shown as adv_interval in the output above) can be configured in milliseconds, which shortens the time a backup waits before declaring the master gone:

 

config system interface
    edit <port>
        config vrrp
            edit 1
                set vrip <IP address>
                set adv-interval <interval value, in milliseconds (250 - 255000)>
            next
        end
    next
end

 

Refer to the documentation for more information.

 
