Description
This article describes how to use the update cascade interface for VRRP failover.
VRRP using vrdst with 'update-static-route' does not fail over when the route is dynamic. This is expected, as the 'update-static-route' command only works for static routes.
When the link monitor fails, it removes the static route from the routing table, which in turn removes the matching entry from the kernel table.
When the route is learnt through BGP, a link monitor with 'update-static-route' enabled cannot remove the route from the routing table when it fails, so VRRP does not fail over based on vrdst with 'update-static-route'.
Scope
FortiGate, VRRP (Virtual Router Redundancy Protocol).
Solution
Use 'update-cascade-interface' on the link monitor instead of 'update-static-route'. When monitoring a server with the link monitor, instead of removing the route, bring down an interface on which VRRP is configured when the link monitor state goes from alive to die.
Bringing down the interface on which VRRP is configured causes a re-election of the VRRP Master.
Configuration.
show system link-monitor
config system link-monitor
    edit "1"
        set srcintf "port4"
        set server "8.8.8.8"
        set gateway-ip 192.168.44.1
        set update-static-route disable
        set update-cascade-interface enable
    next
end

config system interface
    edit "port4"
        set vdom "root"
        set ip 192.168.44.111 255.255.255.0
        set fail-detect enable
        set fail-detect-option detectserver
        set fail-alert-method link-down
        set fail-alert-interfaces "port3"
        set type physical
        set snmp-index 4
    next
end

show system interface port3
config system interface
    edit "port3"
        set vdom "root"
        set ip 192.168.33.111 255.255.255.0
        set type physical
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrip 192.168.33.1
                set priority 200
                set vrdst 8.8.8.8
                set vrdst-priority 3
            next
        end
        set snmp-index 3
    next
end
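An added example, not from the original article: a Python check that the three pieces of the configuration above line up (a link monitor with update-cascade-interface enabled, fail-detect on its source interface, and a fail-alert interface that carries a VRRP group). It assumes every setting appears explicitly in the configuration text, as in the listing above; the function names and the reduced sample are constructed for illustration.

```python
import shlex
# Constructed sample: the article's configuration, reduced to the settings checked.
SAMPLE = """
config system link-monitor
    edit "1"
        set srcintf "port4"
        set update-cascade-interface enable
    next
end
config system interface
    edit "port4"
        set fail-detect enable
        set fail-alert-interfaces "port3"
    next
    edit "port3"
        config vrrp
            edit 1
                set vrip 192.168.33.1
            next
        end
    next
end
"""

def parse(text):  # -> {(table, entry): {setting: [values], "_sub": {nested tables}}}
    entries, stack = {}, []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))
            if tok[0] == "edit":  # new top-level entry, or note its nested table
                entries.setdefault(tuple(stack[:2]), {"_sub": set()})["_sub"].update(stack[2:3])
        elif tok[0] in ("next", "end"):
            stack.pop()
        elif tok[0] == "set" and len(stack) == 2:
            entries[tuple(stack)][tok[1]] = tok[2:]
    return entries

def audit(text):  # -> list of breaks in the monitor -> fail-detect -> VRRP chain
    cfg, problems = parse(text), []
    for name, mon in [(k[1], v) for k, v in cfg.items() if k[0] == "system link-monitor"]:
        src = mon.get("srcintf", ["?"])[0]
        intf = cfg.get(("system interface", src), {})
        if mon.get("update-cascade-interface") != ["enable"]:
            problems.append(f"link-monitor {name}: update-cascade-interface not enabled")
        if intf.get("fail-detect") != ["enable"]:
            problems.append(f"{src}: fail-detect not enabled")
        alerts = intf.get("fail-alert-interfaces", [])
        if not any("vrrp" in cfg.get(("system interface", a), {}).get("_sub", ()) for a in alerts):
            problems.append(f"{src}: no fail-alert interface has a VRRP group")
    return problems
```

An empty list from audit() means the chain is complete; each string names the first setting to correct.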
Link monitor status shows that the state is ALIVE.
diagnose sys link-monitor status
Link Monitor: 1, Status: alive, Server num(1), Flags=0x1 init, Create time: Fri Jul 15 17:15:15 2022
Source interface: port4 (6)
Gateway: 192.168.44.1
Interval: 500 ms
  Peer: 8.8.8.8(8.8.8.8)
        Source IP(192.168.44.111)
        Route: 192.168.44.111->8.8.8.8/32, gwy(192.168.44.1)
        protocol: ping, state: alive
                Latency(Min/Max/Avg): 17.180/34.532/20.473 ms
                Jitter(Min/Max/Avg): 0.084/16.354/3.016
                Packet lost: 41.000%
                Number of out-of-sequence packets: 0
                Fail Times(0/5)
                Packet sent: 677, received: 59, Sequence(sent/rcvd/exp): 678/678/679
VRRP command showing that the device is elected as the Master.
get router info vrrp
Interface: port3, primary IP address: 192.168.33.111
  UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 1
  HA mode: primary (0:0:1)
  VRRP master number: 1
  VRID: 1 verion: 2
    vrip: 192.168.33.1, priority: 200 (200,3), state: MASTER
    adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 00:00:5e:00:01:01
    vrdst: 8.8.8.8
    vrgrp: 0
Debug output when the router is the VRRP Master.
diagnose debug reset
diagnose debug disable
diagnose debug application vrrpd -1
diagnose debug enable
Debug messages will be on for 30 minutes.
[vrrpd_loop:2288]: ret 0
[vrrp_vrt_adv_timer_func:1613]: port3, vrid 1, vrip 192.168.33.1, (11143->11143)
[vrrpd_loop:2288]: ret 0
[vrrp_vrt_adv_timer_func:1613]: port3, vrid 1, vrip 192.168.33.1, (11143->11143)
di[vrrpd_loop:2288]: ret 0
To stop the debug:
diagnose debug disable
diagnose debug reset
Sniffer showing that the device is sending out the VRRP packet on port3.
diagnose sniffer packet any "host 224.0.0.18" 4 3
Using Original Sniffing Mode
interfaces=[any]
filters=[host 224.0.0.18]
1.754734 port3 out 192.168.33.111 -> 224.0.0.18: ip-proto-112 20
2.756188 port3 out 192.168.33.111 -> 224.0.0.18: ip-proto-112 20
3.757798 port3 out 192.168.33.111 -> 224.0.0.18: ip-proto-112 20
A command showing the Status of the VRRP configured interface.
diagnose hardware deviceinfo nic port3 | grep State -A 1
State: up
Link: up

get router info routing-table details 8.8.8.8
Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "bgp", distance 200, metric 0, best
  Last update 00:03:05 ago
  * 192.168.44.1, via port4 distance 0
When the link state fails.
Debug flow when the interface is brought down.
[vrrp_vrt_adv_timer_func:1613]: port3, vrid 1, vrip 192.168.33.1, (11143->11143)
[vrrpd_loop:2288]: ret 0
[vrrp_vrt_adv_timer_func:1613]: port3, vrid 1, vrip 192.168.33.1, (11143->1102)
[vrrp_vif_promisc_set:1277]: ret 0, 98
[vrrp_vrt_leave_master:1516]: port3, vrid 1, vrip 192.168.33.1, (200 1 1 100)
[vrrp_vrt_goto_backup:1595]: port3, vrid 1, vrip 192.168.33.1, (200 1 1 100)
[vrrpd_loop:2288]: ret 0
[vrrp_vrt_down_timer_func:1558]: port3, vrid 1, vrip 192.168.33.1, (1102->1102)
[vrrpd_loop:2288]: ret 0

diagnose sys link-monitor status
Link Monitor: 1, Status: die, Server num(1), Flags=0x9 init, Create time: Fri Jul 15 21:00:42 2022
Source interface: port4 (6)
Gateway: 192.168.44.1
Interval: 500 ms
  Peer: 8.8.8.8(8.8.8.8)
        Source IP(192.168.44.111)
        Route: 192.168.44.111->8.8.8.8/32, gwy(192.168.44.1)
        protocol: ping, state: die
                Packet lost: 100.000%
                Number of out-of-sequence packets: 0
                Recovery times(0/5) Fail Times(4/5)
                Packet sent: 1654, received: 654, Sequence(sent/rcvd/exp): 1655/755/756

diagnose sys link-monitor status | grep state
        protocol: ping, state: die

diagnose hardware deviceinfo nic port3 | grep State -A 1
State: down
Link: down

get router info vrrp
Interface: port3, primary IP address: 192.168.33.111
  UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0
  HA mode: primary (0:0:1)
  VRRP master number: 0
  VRID: 1 verion: 2
    vrip: 192.168.33.1, priority: 200 (200,3), state: BACKUP
    adv_interval: 1, preempt: 1, ignore_dft: 0 start_time: 3
    master_adv_interval: 100, accept: 1
    vrmac: 00:00:5e:00:01:01
    vrdst: 8.8.8.8
    vrgrp: 0

get router info vrrp | grep state
    vrip: 192.168.33.1, priority: 200 (200,3), state: BACKUP
Note: VRRP checks the route to vrdst. As long as there is a route to vrdst, VRRP will not fail over. VRRP fails over only when the route to vrdst disappears.