FortiGate
pmanak
Staff
Article Id 369637
Description This article describes a known issue in which a DHCP client cannot obtain an IPv4 address from a FortiGate firewall that is part of a virtual cluster (vcluster), together with the workaround.
Scope FortiGate 7.2.9, 7.4.5 & 7.6.0.
Solution

When a vcluster is configured and the firmware is upgraded to FortiOS 7.2.9, 7.4.5 or 7.6.0, firewalls in the vcluster may no longer be able to assign IP addresses to DHCP clients. The following scenario explains this in detail.

A High Availability FGCP (HA) cluster was formed between two firewalls that have two VDOMs: vdom1 and vdom2. The HA Virtual Cluster is enabled and the secondary firewall is the primary for vdom2. The DHCP client is behind the internal1 interface. The firewall configuration is below:


config vdom
    edit root
    next
    edit vdom1
    next
    edit vdom2
    next
end

config system interface
    edit "internal1"
        set vdom "vdom2"
        set ip 10.20.20.1 255.255.255.0
        set allowaccess ping https http
        set type physical
        set snmp-index 4
    next
end

config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.20.20.1
        set netmask 255.255.255.0
        set interface "internal1"
        config ip-range
            edit 1
                set start-ip 10.20.20.1
                set end-ip 10.20.20.254
            next
        end
    next
end

Primary Firewall:

config system ha
    set group-name "test"
    set mode a-p
    set hbdev "internal3" 0
    set vcluster-status enable
    config vcluster
        edit 1
            set override enable
            set priority 130
            set vdom "root" "vdom1"
        next
        edit 2
            set override enable
            set priority 129
            set vdom "vdom2"
        next
    end
end

Secondary Firewall:

config system ha
    set group-name "test"
    set mode a-p
    set hbdev "internal3" 0
    set vcluster-status enable
    config vcluster
        edit 1
            set override enable
            set priority 129
            set vdom "root" "vdom1"
        next
        edit 2
            set override enable
            set priority 130
            set vdom "vdom2"
        next
    end
end

 

After the firmware upgrade to 7.2.9, 7.4.5 or 7.6.0, the DHCP client behind internal1 no longer receives a DHCP IP address from the FortiGate firewall. During troubleshooting, the DHCP packets can be seen arriving at the firewall, but the firewall drops them.

 

Once vdom2 is moved to the primary firewall by changing the priority of its vcluster, the issue is no longer observed, which can be used as a workaround. This issue has been resolved in firmware 7.2.11, 7.4.8 & 7.6.1.
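A small Python check, added here and not Fortinet tooling, that parses the CLI configuration of both units and flags the condition this article describes: a DHCP server on an interface whose VDOM is primary on the unit that is not primary for the root VDOM, while running one of the affected builds. It assumes `set override enable` on every vcluster (as in the configuration above) so that priority alone decides the election; the unit names FGT-A and FGT-B, the trimmed sample configuration and the `ha_block` helper are constructed for the example and are not part of the article.

```python
# Added check (not Fortinet code): flag a DHCP-serving VDOM whose vcluster is
# primary on the unit that is NOT primary for root, on an affected build.
import shlex

AFFECTED_BUILDS = {"7.2.9", "7.4.5", "7.6.0"}  # builds the article names as affected

def parse_fortios(text):
    """Minimal FortiOS CLI parser: 'config'/'edit' nest dicts, 'set' stores a value list."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pos = 0

    def block(terminator):
        nonlocal pos
        node = {}
        while pos < len(lines):
            tokens = shlex.split(lines[pos])  # shlex keeps quoted names like "root" intact
            pos += 1
            if tokens[0] == terminator:
                return node
            if tokens[0] == "config":
                node[" ".join(tokens[1:])] = block("end")
            elif tokens[0] == "edit":
                node[tokens[1]] = block("next")
            elif tokens[0] == "set":
                node[tokens[1]] = tokens[2:]
        return node

    return block(None)

def vcluster_primaries(units):
    """vcluster id -> (unit with highest priority, that priority, its VDOMs). Assumes
    'set override enable' everywhere, as in the article, so priority alone decides."""
    best = {}
    for name, cfg in units.items():
        for vc, entry in cfg["system ha"].get("vcluster", {}).items():
            prio = int(entry.get("priority", ["128"])[0])
            if vc not in best or prio > best[vc][1]:
                best[vc] = (name, prio, entry.get("vdom", []))
    return best

def dhcp_servers(cfg):
    """(server id, serving interface, VDOM of that interface) per DHCP server."""
    ifaces = cfg.get("system interface", {})
    return [(sid, srv.get("interface", [""])[0],
             ifaces.get(srv.get("interface", [""])[0], {}).get("vdom", ["root"])[0])
            for sid, srv in cfg.get("system dhcp server", {}).items()]

def check_exposure(units, firmware):
    """Findings for DHCP servers whose VDOM is primary on a unit other than root's primary."""
    if firmware not in AFFECTED_BUILDS:
        return []
    vdom_owner = {}
    for vc, (unit, prio, vdoms) in vcluster_primaries(units).items():
        for v in vdoms:
            vdom_owner[v] = (vc, unit, prio)
    mgmt_unit = vdom_owner["root"][1]
    first = next(iter(units.values()))  # interface and DHCP config are synchronized
    findings = []
    for sid, iface, vdom in dhcp_servers(first):
        vc, unit, prio = vdom_owner.get(vdom, (None, None, 0))
        if unit and unit != mgmt_unit:
            # the article's workaround: let the management-primary unit win this vcluster
            findings.append({"dhcp_server": sid, "interface": iface, "vdom": vdom,
                             "vcluster": vc, "primary_unit": unit,
                             "workaround": f"on {mgmt_unit}: config system ha / config vcluster"
                                           f" / edit {vc} / set priority {prio + 1}"})
    return findings

# Constructed sample: the article's interface/DHCP config (trimmed) plus each unit's HA block.
COMMON = """
config system interface
    edit "internal1"
        set vdom "vdom2"
    next
end
config system dhcp server
    edit 1
        set interface "internal1"
    next
end
"""

def ha_block(p_vc1, p_vc2):
    return f"""
config system ha
    set vcluster-status enable
    config vcluster
        edit 1
            set override enable
            set priority {p_vc1}
            set vdom "root" "vdom1"
        next
        edit 2
            set override enable
            set priority {p_vc2}
            set vdom "vdom2"
        next
    end
end
"""

UNITS = {"FGT-A": parse_fortios(COMMON + ha_block(130, 129)),   # primary for root
         "FGT-B": parse_fortios(COMMON + ha_block(129, 130))}   # primary for vdom2

if __name__ == "__main__":
    for finding in check_exposure(UNITS, "7.4.5"):
        print(finding)
```

Run against the article's layout on 7.4.5 it reports DHCP server 1 (vdom2, vcluster 2) as served by FGT-B and suggests raising vcluster 2's priority on FGT-A, which is the workaround described above; on a fixed build, or once the priorities place vdom2 on the same unit as root, it reports nothing.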
