FortiGate
jangelis (Staff)
Article Id 214419
Description

This article describes how to configure VRRP together with the link-monitor feature, using only static routes.

Scope

The objective is for the master FortiGate (FGT-A) to actively monitor an IP address (1.1.1.1 is used in this example) and, if that IP becomes unreachable, to hand the VRRP virtual IP over to the backup FortiGate (FGT-B).

The network diagram:

[Network diagram]

 

Solution

VRRP itself does not actively probe the configured destination (vrdst) or subnet. It only checks whether a valid route to that destination exists in the routing table: while the route is present the configured priority is advertised, and when it disappears the priority drops to the vrdst-priority value.

To actively test reachability of the IP, the link-monitor feature is used. While its probes succeed it leaves the static routes alone; when they fail it withdraws the static routes on the monitored interface that are not marked link-monitor-exempt.

Two settings tie the pieces together. The VRRP entry is set to ignore the default route, so only the dedicated /32 route to 1.1.1.1 counts as "a route to vrdst"; without this, the default route would always satisfy the check and the priority would never drop. The default route itself is marked link-monitor-exempt, so when the monitor fails only the /32 route is withdrawn: VRRP loses its route, the priority drops to 10 and FGT-B takes over, while FGT-A keeps its default route and therefore its own path to the gateway.

 

Configuration on FGT-A:

 

config system interface
    edit "wan1"
        set ip 198.51.100.2 255.255.255.0
    next
    edit "lan1"
        set ip 10.0.0.252 255.255.255.0
        config vrrp
            edit 100
                set vrgrp 100
                set vrip 10.0.0.254
                set priority 200
                set vrdst 1.1.1.1
                set vrdst-priority 10
                set ignore-default-route enable
            next
        end
    next
end
config router static
    edit 1
        set gateway 198.51.100.1
        set device "wan1"
        set link-monitor-exempt enable
    next
    edit 2
        set dst 1.1.1.1 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
end
config system link-monitor
    edit "monitor-vrrp-destination"
        set srcintf "wan1"
        set server "1.1.1.1"
    next
end

 

Configuration on FGT-B:

 

config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
    next
    edit "lan1"
        set ip 10.0.0.253 255.255.255.0
        config vrrp
            edit 100
                set vrgrp 100
                set vrip 10.0.0.254
            next
        end
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end
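The interaction between the VRRP route check and the two knobs used above (ignore-default-route on the VRRP entry, link-monitor-exempt on the default route) can be tried out without a lab. The following is an added model written for this page, not FortiOS code: it applies the rule stated in the Solution section (the configured priority is advertised only while a route to vrdst exists) to the FGT-A routing table above and runs one link-monitor failure. The link-monitor behaviour is simplified to "withdraw the non-exempt static routes on the monitored interface" (an assumption of the model), and FGT-B keeps its default priority of 100 as in the configuration above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not FortiOS code: a small model of the rule described in the
# Solution section (VRRP keeps its priority only while a route to vrdst exists)
# combined with the two knobs used above, ignore-default-route on the VRRP
# entry and link-monitor-exempt on the default route. The link-monitor
# behaviour is simplified to "withdraw non-exempt static routes on the
# monitored interface" (assumption).


@dataclass
class Route:
    prefix: str                      # "0.0.0.0/0" or "1.1.1.1/32"
    gateway: str
    device: str
    link_monitor_exempt: bool = False
    active: bool = True              # False once the link monitor withdraws it


def lookup(routes, dst, ignore_default_route):
    """Longest-prefix match over active routes; with ignore_default_route the
    0.0.0.0/0 entry is skipped, mirroring 'set ignore-default-route enable'."""
    addr, best = ip_address(dst), None
    for r in routes:
        net = ip_network(r.prefix)
        if not r.active or (ignore_default_route and net.prefixlen == 0):
            continue
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


def effective_priority(routes, priority, vrdst, vrdst_priority, ignore_default_route):
    """Configured priority while a route to vrdst exists, vrdst-priority otherwise."""
    return priority if lookup(routes, vrdst, ignore_default_route) else vrdst_priority


def link_monitor_fail(routes, srcintf):
    """Monitor goes to 'die': withdraw static routes on srcintf unless exempt."""
    for r in routes:
        if r.device == srcintf and not r.link_monitor_exempt:
            r.active = False


def elect_master(priorities):
    """Highest advertised priority wins (preempt is 1 on both units above)."""
    return max(priorities, key=priorities.get)


def fgt_a_routes(default_exempt):
    """The two static routes from the FGT-A configuration above."""
    return [
        Route("0.0.0.0/0", "198.51.100.1", "wan1", link_monitor_exempt=default_exempt),
        Route("1.1.1.1/32", "198.51.100.1", "wan1"),
    ]


def scenario(ignore_default_route=True, default_exempt=True):
    """Run one failure of the wan1 monitor on FGT-A (priority 200, vrdst
    1.1.1.1, vrdst-priority 10) against FGT-B at its default priority 100.
    Returns (FGT-A priority before, FGT-A priority after, master after,
    whether FGT-A still has a default route)."""
    routes = fgt_a_routes(default_exempt)
    before = effective_priority(routes, 200, "1.1.1.1", 10, ignore_default_route)
    link_monitor_fail(routes, "wan1")
    after = effective_priority(routes, 200, "1.1.1.1", 10, ignore_default_route)
    master = elect_master({"FGT-A": after, "FGT-B": 100})
    has_default = any(r.active and r.prefix == "0.0.0.0/0" for r in routes)
    return before, after, master, has_default


if __name__ == "__main__":
    for ign, ex in [(True, True), (False, True), (True, False)]:
        print(f"ignore-default-route={ign} default-exempt={ex}:", scenario(ign, ex))
```

With the settings from the article (both knobs on) the model gives priority 200 before and 10 after the failure, FGT-B becomes master and FGT-A keeps its default route. With ignore-default-route off, the default route still satisfies the check after the /32 is withdrawn, the priority stays at 200 and no failover happens. With the default route not exempt, the failover still occurs but FGT-A is left without any default route.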

 

Troubleshooting

Before failover the monitor is alive, FGT-A advertises priority 200, the 1.1.1.1/32 route is active and the connected 10.0.0.254/32 route for the virtual IP is present on FGT-A:

 

FGT-A # diagnose sys link-monitor status

Link Monitor: monitor-vrrp-destination, Status: alive, Server num(1), Flags=0x1 init, Create time: Thu Jan 1 00:00:00 1970
Source interface: wan1 (4)
Interval: 500 ms
  Peer: 1.1.1.1(1.1.1.1)
        Source IP(198.51.100.2)
        Route: 198.51.100.2->1.1.1.1/32, gwy(198.51.100.1)
        protocol: ping, state: alive
                Latency(Min/Max/Avg): 1.297/3.455/1.418 ms
                Jitter(Min/Max/Avg): 0.000/2.143/0.195
                Packet lost: 0.000%
                Number of out-of-sequence packets: 0
                Fail Times(0/5)
                Packet sent: 4098, received: 2415, Sequence(sent/rcvd/exp): 4099/4099/4100

FGT-A # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.252
  UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: master (0:0:1) VRRP master number: 1
  VRID: 100 verion: 2
    vrip: 10.0.0.254, priority: 200 (200,10), state: MASTER
    adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 90:6c:ac:3a:a9:b1
    vrdst: 1.1.1.1
    vrgrp: 100

FGT-A # get router info routing-table database

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [10/0] via 198.51.100.1, wan1
S    *> 1.1.1.1/32 [10/0] via 198.51.100.1, wan1
C    *> 10.0.0.0/24 is directly connected, lan1
C    *> 10.0.0.254/32 is directly connected, lan1
C    *> 198.51.100.0/24 is directly connected, wan1

FGT-B # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.253
  UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: master (0:0:1) VRRP master number: 0
  VRID: 100 verion: 2
    vrip: 10.0.0.254, priority: 100 (100,0), state: BACKUP
    adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 90:6c:ac:66:36:90
    vrdst:
    vrgrp: 100

FGT-B # get router info routing-table database

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C    *> 10.0.0.0/24 is directly connected, lan1
C    *> 203.0.113.0/24 is directly connected, wan1

 

After failover the monitor reports die, the 1.1.1.1/32 route on FGT-A goes inactive while the exempted default route stays, FGT-A advertises priority 10 and the connected route for the virtual IP now appears on FGT-B:

 

FGT-A # diagnose sys link-monitor status

Link Monitor: monitor-vrrp-destination, Status: die, Server num(1), Flags=0x9 init, Create time: Thu Jan 1 00:00:00 1970
Source interface: wan1 (4)
Interval: 500 ms
  Peer: 1.1.1.1(1.1.1.1)
        Source IP(198.51.100.2)
        Route: 198.51.100.2->1.1.1.1/32, gwy(198.51.100.1)
        protocol: ping, state: die
                Packet lost: 98.000%
                Number of out-of-sequence packets: 0
                Recovery times(0/5) Fail Times(4/5)
                Packet sent: 2106, received: 1522, Sequence(sent/rcvd/exp): 2107/2007/2008

FGT-A # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.252
  UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: master (0:0:1) VRRP master number: 1
  VRID: 100 verion: 2
    vrip: 10.0.0.254, priority: 10 (200,10), state: MASTER
    adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 90:6c:ac:3a:a9:b1
    vrdst: 1.1.1.1
    vrgrp: 100

FGT-A # get router info routing-table database

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [10/0] via 198.51.100.1, wan1
S       1.1.1.1/32 [10/0] via 198.51.100.1, wan1 inactive
C    *> 10.0.0.0/24 is directly connected, lan1
C    *> 198.51.100.0/24 is directly connected, wan1


FGT-B # get router info vrrp
Interface: lan1, primary IP address: 10.0.0.253
  UseVMAC: 0, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: master (0:0:1) VRRP master number: 1
  VRID: 100 verion: 2
    vrip: 10.0.0.254, priority: 100 (100,0), state: MASTER
    adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 90:6c:ac:66:36:90
    vrdst:
    vrgrp: 100

FGT-B # get router info routing-table database

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C    *> 10.0.0.0/24 is directly connected, lan1
C    *> 10.0.0.254/32 is directly connected, lan1
C    *> 203.0.113.0/24 is directly connected, wan1
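When this setup is checked regularly (for example from a script that collects the three outputs over SSH), the useful test is whether monitor state, VRRP priority and routing table agree with each other. The following is an added example written for this page, not Fortinet code: it parses excerpts of the outputs shown above and reports the inconsistencies a practitioner would look for, including the case where ignore-default-route was left off. The regular expressions match the field layout exactly as printed on this page; other FortiOS builds may format these lines differently, which is an assumption of the example.

```python
import re

# Added example, not Fortinet code: a parser and consistency check for the
# three outputs used in the Troubleshooting section. The regexes match the
# field layout exactly as printed on this page; other FortiOS builds may
# format these lines differently (assumption). The sample texts below are
# excerpts of the outputs shown above.

LINK_RE = re.compile(r"Link Monitor: (\S+), Status: (\w+)")
LOSS_RE = re.compile(r"Packet lost: ([\d.]+)%")
VRRP_RE = re.compile(r"vrip: (\S+), priority: (\d+) \((\d+),(\d+)\), state: (\w+)")
IGN_RE = re.compile(r"ignore_dft: ([01])")
VRDST_RE = re.compile(r"^\s*vrdst:\s*(\S*)\s*$", re.M)


def parse_link_monitor(text):
    name, status = LINK_RE.search(text).groups()
    return {"name": name, "status": status, "loss": float(LOSS_RE.search(text).group(1))}


def parse_vrrp(text):
    vrip, prio, cfg, vrdst_prio, state = VRRP_RE.search(text).groups()
    return {"vrip": vrip, "priority": int(prio), "configured_priority": int(cfg),
            "vrdst_priority": int(vrdst_prio), "state": state,
            "ignore_default_route": IGN_RE.search(text).group(1) == "1",
            "vrdst": VRDST_RE.search(text).group(1) or None}


def parse_routes(text):
    """{prefix: in FIB?} from 'get router info routing-table database';
    a route printed without '*>' (e.g. marked 'inactive') maps to False."""
    routes = {}
    for line in text.splitlines():
        if not re.match(r"^[A-Z]\s+\S", line):   # skip headers and the code legend
            continue
        tok = line.split()
        flag = tok[1] if tok[1][0] in "*>" else ""
        routes[tok[2] if flag else tok[1]] = flag == "*>"
    return routes


def holds_vip(routes, vrip):
    """In the outputs above the unit answering for the VRRP IP carries a
    connected /32 for it; that route is the ownership indicator."""
    return routes.get(vrip + "/32", False)


def check(link, vrrp, routes):
    """Findings for one unit; an empty list means monitor state, VRRP priority
    and routing table agree with the design in this article."""
    findings = []
    if not vrrp["vrdst"]:
        return findings
    if not vrrp["ignore_default_route"]:
        findings.append("vrdst is set but ignore_dft=0: the default route alone satisfies "
                        "the route check, so the monitor can never lower the priority")
    up = link["status"] == "alive"
    if bool(routes.get(vrrp["vrdst"] + "/32")) != up:
        findings.append(f"link monitor is {link['status']} but the {vrrp['vrdst']}/32 "
                        f"route is {'active' if not up else 'inactive or missing'}")
    expected = vrrp["configured_priority"] if up else vrrp["vrdst_priority"]
    if vrrp["priority"] != expected:
        findings.append(f"link monitor is {link['status']} but VRRP priority is "
                        f"{vrrp['priority']}, expected {expected}")
    return findings


def audit(link_text, vrrp_text, rt_text):
    """Return (findings, holds VIP) for one FortiGate from its three outputs."""
    vrrp = parse_vrrp(vrrp_text)
    routes = parse_routes(rt_text)
    return check(parse_link_monitor(link_text), vrrp, routes), holds_vip(routes, vrrp["vrip"])


# Excerpts of the outputs shown above (before and after failover).
FGT_A_LINK_BEFORE = """Link Monitor: monitor-vrrp-destination, Status: alive, Server num(1), Flags=0x1 init, Create time: Thu Jan 1 00:00:00 1970
        protocol: ping, state: alive
                Packet lost: 0.000%
"""
FGT_A_VRRP_BEFORE = """Interface: lan1, primary IP address: 10.0.0.252
    vrip: 10.0.0.254, priority: 200 (200,10), state: MASTER
    adv_interval: 1, preempt: 1, ignore_dft: 1 start_time: 3
    vrdst: 1.1.1.1
"""
FGT_A_RT_BEFORE = """Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [10/0] via 198.51.100.1, wan1
S    *> 1.1.1.1/32 [10/0] via 198.51.100.1, wan1
C    *> 10.0.0.0/24 is directly connected, lan1
C    *> 10.0.0.254/32 is directly connected, lan1
"""
FGT_A_LINK_AFTER = FGT_A_LINK_BEFORE.replace("alive", "die").replace("0.000%", "98.000%")
FGT_A_VRRP_AFTER = FGT_A_VRRP_BEFORE.replace("priority: 200", "priority: 10")
FGT_A_RT_AFTER = """S    *> 0.0.0.0/0 [10/0] via 198.51.100.1, wan1
S       1.1.1.1/32 [10/0] via 198.51.100.1, wan1 inactive
C    *> 10.0.0.0/24 is directly connected, lan1
"""
FGT_B_RT_AFTER = """S    *> 0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C    *> 10.0.0.0/24 is directly connected, lan1
C    *> 10.0.0.254/32 is directly connected, lan1
"""

if __name__ == "__main__":
    print("FGT-A before:", audit(FGT_A_LINK_BEFORE, FGT_A_VRRP_BEFORE, FGT_A_RT_BEFORE))
    print("FGT-A after: ", audit(FGT_A_LINK_AFTER, FGT_A_VRRP_AFTER, FGT_A_RT_AFTER))
    print("FGT-B holds VIP after:", holds_vip(parse_routes(FGT_B_RT_AFTER), "10.0.0.254"))
```

Both captures of FGT-A above pass without findings; the only thing that changes between them is which unit carries the connected 10.0.0.254/32 route. Feeding the check a VRRP output with ignore_dft: 0 produces the configuration warning, and a capture where the monitor is already die but the priority still reads 200 is reported as a mismatch, which is the symptom to look for when the /32 route or the exempt flag was forgotten.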

 

Related articles:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-VRRP-configuration-and-debug/ta-...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-VRRP-Active-failover-with-VRDST-with-black...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Link-monitor/ta-p/197504
