FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes an issue where members of a Virtual Wire Pair (VWP) are removed from the configuration after a system reboot.
Scope
FortiGate, VWP, VXLAN.
Solution
This specific behavior occurs when the VWP members involve complex nested virtual interfaces, specifically a VLAN interface created on top of a VXLAN interface.
Symptoms:
After a reboot, the config system virtual-wire-pair section exists but is empty (no members defined).
Traffic flow through the wire pair stops.
In an HA cluster:
Rebooting the Secondary device results in a loss of the VWP configuration on that specific unit.
However, if the Secondary is rebooted again (while the Primary is active), the configuration is successfully synced and restored via HA.
A subsequent simultaneous reboot of the cluster causes the issue to return.
Diagnosis:
This issue is caused by a race condition during the system boot process.
When the FortiGate loads its configuration, it attempts to apply the virtual-wire-pair settings. However, due to the complexity of the nested interfaces, the underlying VLAN/VXLAN stack may not yet be fully initialized in the kernel by the time the VWP configuration is read. Consequently, the FortiOS CLI parser discards the invalid interface reference to prevent configuration errors.
This issue ID #1223933 is currently under investigation by the development team.
