Issue: 

• After the upgrade, an issue has been observed with Layer 3 routing over VRRP. For example, client traffic forwarded through the VRRP router is intermittently dropped.
• Another issue is discussed in Troubleshooting Tip: Challenges with Setting vrip (VRRP) in the Same Subnet as Secondary IP.

Resolution:

Under Engineering Case ID 1085819, an enhancement was implemented to address the VRRP issue observed after a FortiSwitch upgrade.

This enhancement is available in the following FortiSwitch OS versions: FortiSwitch 7.6.2, FortiSwitch 7.4.6, FortiSwitch 7.2.10.

Enhancement details:

An optional standalone netmask configuration option has been introduced under config vrrp with vrip:

set netmask <netmask>

Condition 1: If netmask is not specified, vrip uses the primary IP netmask of the interface. If vrip and the primary subnet do not match, the configuration is rejected.

Condition 2: If netmask is specified, it must match either the primary IP’s netmask or one of the secondary IPs on the interface. If there is no match, the configuration is rejected.

Condition 3: During an upgrade, validation is skipped, allowing legacy 'illegal' VRRP configurations to persist. However, such configurations may not function correctly. It is recommended to update the netmask to a valid value.

Config example:

config system interface
    edit 1
        set ip 192.168.15.1 255.255.255.0
        set allowaccess ping https http ssh telnet
        set secondary-IP enable
            config vrrp
                edit 1
                    set vrip 192.168.15.10
                next
                edit 20
                    set netmask 255.255.255.128 
                    set vrip 192.168.16.10
                next

                edit 30
                    set netmask 255.255.255.192
                    set vrip 10.100.92.62

                next
            end
            set vlanid 15
            config secondaryip
                edit 20
                    set ip 192.168.16.1 255.255.255.128
                    set allowaccess ping https http ssh telnet
                next

                edit 30
                    set ip 10.100.92.61 255.255.255.192

                    set allowaccess ping https http ssh telnet
             end
        next
    end

Explanation: 

In the configuration above:

• Condition 1 - vrrp1: vrip 192.168.15.10 matches the primary interface 192.168.15.1/24.
• Condition 2 - vrrp20: vrip 192.168.16.10 with netmask 255.255.255.128 matches the secondary interface 192.168.16.1/25.
• Condition 3 - vrrp30: vrip 10.100.92.62 with netmask 255.255.255.192 matches the secondary interface 10.100.92.61/26.

Related documentation:

VRRP documentation - FortiSwitch administration guide 

Troubleshooting Tip: Avoiding IP Conflicts Between VRRP Virtual IP and VLAN Interface IP