FortiSwitch
riteshpv
Staff
Article Id 403508
Description This article explains a possible cause for VRRP failing to establish between two FortiSwitch devices and how to resolve the issue.
Scope FortiSwitch version 7.6.2.
Solution
  • VRRP fails to establish between two FortiSwitch units when a VRF is configured on the VRRP-enabled SVI.
  • If the VRF is removed from the SVI configuration, VRRP establishes successfully.

Example Configuration:

  1. VRF configuration: a VRF named 'test' is created.


config router vrf
    edit "test"
        set vrfid 1
    next
end

  2. An interface named 'test' with VRRP enabled (see the FortiSwitch OS administration guide), mapped to the 'test' VRF.

config system interface
    edit "test"
        set ip 10.201.0.200 255.255.255.0
        set allowaccess ping ssh https
        set vrrp-virtual-mac enable
            config vrrp
                edit 1
                    set priority 1
                    set vrdst 0.0.0.0 0.0.0.0
                    set vrgrp 1
                    set vrip 10.201.0.254
                next
            end
        set vrf "test"
        set vlanid 10
        set interface "internal"
    next
end

  3. Apply a similar configuration on the second FortiSwitch.

Observed behavior:

Both FortiSwitch units display MASTER status. Run the following command to verify:

get router info vrrp

vrrp_ctx_dump_status: icl_tr: icl_trid:-1
Interface: test, primary IP address: 10.201.0.200
UseVMAC: 1
VRID: 1 version: 2
vrip: 10.201.0.254, priority: 1, state: MASTER    <-----
adv_interval: 1, preempt: 1, start_time: 3
master_adv_interval: 100, accept: 1
vrmac: 00:00:5e:00:01:01
vrdst: 0.0.0.0 0.0.0.0
vrgrp: 1


Root Cause:

The issue occurs because the VRF name and the system interface name are the same ('test'). This name conflict prevents proper VRRP peering.

Resolution:

  • Configure the VRF and system interface with distinct names.
  • In upcoming FortiSwitch releases 7.4.8 and 7.6.3, this conflict will be prevented by design. If an attempt is made to use the same name for both, an error message will be displayed, and the configuration will be blocked.
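
To find this conflict in a saved configuration before it causes both units to claim MASTER, the following added example (not Fortinet code and not part of the original article) scans config text for interfaces that share a name with a VRF. The function names and the "mgmt" interface are hypothetical, and the parser assumes the `config`/`edit`/`next`/`end` layout shown above.

```python
# Constructed sample: the article's configuration plus an unrelated "mgmt" interface.
SAMPLE_CONFIG = '''\
config router vrf
    edit "test"
        set vrfid 1
    next
end
config system interface
    edit "test"
        set ip 10.201.0.200 255.255.255.0
            config vrrp
                edit 1
                    set vrip 10.201.0.254
                next
            end
        set vrf "test"
    next
    edit "mgmt"
        set ip 192.0.2.10 255.255.255.0
    next
end
'''

def top_level_entries(config_text, section):
    """Return {edit name: [body lines]} for the top-level entries of `config <section>`."""
    entries, depth, current = {}, 0, None
    for line in map(str.strip, config_text.splitlines()):
        if depth == 0:
            depth = 1 if line == f"config {section}" else 0
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip('"')
            entries[current] = []
        elif depth == 1 and line == "next":
            current = None
        else:
            # Track nested blocks (e.g. `config vrrp`) so their edit/next lines stay in the body.
            depth += line.startswith("config ") - (line == "end")
            if current is not None:
                entries[current].append(line)
    return entries

def find_name_conflicts(config_text):
    """Report interfaces that share a name with a VRF (the root cause in this article)."""
    vrf_names = set(top_level_entries(config_text, "router vrf"))
    return [{"name": n, "has_vrrp": "config vrrp" in body,
             "bound_to_same_vrf": f'set vrf "{n}"' in body}
            for n, body in top_level_entries(config_text, "system interface").items()
            if n in vrf_names]

if __name__ == "__main__":
    print(find_name_conflicts(SAMPLE_CONFIG))
```

An empty result means no interface name collides with a VRF name; any finding with `has_vrrp` set is a candidate for the dual-MASTER behavior described above.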