Fortinet Forum
ede_pfau
Esteemed Contributor III

Synchronizing FGT HA with Cisco VRRP

hello all,

I've got a pair of FG-200B running v4.3.18 in A-P HA mode. Each cluster member is at a different location; HA links are across a dedicated line. On each site, there is one Cisco access router (19xx) in front of the FGT providing WAN access. These routers form a VRRP pair. (No VRRP for the FGTs, as config sync is requested.)

Now, when the WAN line on one site closes down, the routers fail over in about 15 s. But, as the link status of the FGT WAN port does not change, the FGTs do not fail over. So I configured a pingserver (gwdetect) on the FGT which is the next hop router.

That doesn't work as expected though. When one WAN line is down, the FGT still can reach the next hop router because the Ciscos have failed over, providing internet access across the HA link line. That's a Catch-22, I guess.

One solution would be that the router, when detecting it has to fail over, pulls its port to the FGT down. The FGT would sense a link failure and fail over as well.

Question now is: how is that configured on a Cisco router? Is it common, or arcane? Or do you have other suggestions how to synchronize the VRRP failover with an HA failover?

Any input dearly appreciated.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
MrSinners

I already had a feeling that was the main reason for VRRP, the WAN side of the routers.. Maybe you can have a look at: https://supportforums.cisco.com/discussion/10794236/shut-interface-if-no-ping-response-using-ip-sla-...

They combine IP SLA tracking with an EEM script to bring an interface down. Pay extra attention to posts 2 and 3, if you want to use this it requires some editing for your environment.

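As an added illustration of the IP SLA + track + EEM combination the accepted answer points to (this is not configuration from the thread or from the linked Cisco post), the following IOS fragment probes the ISP next hop over the router's own uplink and shuts the port facing the FortiGate when the probe fails. Interface names (GigabitEthernet0/0 as WAN uplink, GigabitEthernet0/1 as the FGT-facing port), the 203.0.113.1 next-hop address, and the timers are assumptions chosen for the example.

```cisco
! Added example (not from the thread or the linked Cisco post).
! Assumptions for illustration only:
!   GigabitEthernet0/0 = WAN uplink to the ISP, next hop 203.0.113.1
!   GigabitEthernet0/1 = port facing the FortiGate WAN interface
!
! 1. Probe the ISP next hop across this router's own WAN link.
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
 timeout 1000
ip sla schedule 10 life forever start-time now
!
! Pin the probe target to the WAN interface so the echo cannot succeed
! via the VRRP peer over the inter-site line (the Catch-22 in the thread).
ip route 203.0.113.1 255.255.255.255 GigabitEthernet0/0
!
! 2. Track the probe; the delay avoids flapping on a single lost echo.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! 3. When the WAN is unreachable, shut the port facing the FortiGate so
!    the FGT sees a link failure and its HA cluster fails over.
event manager applet FGT-PORT-DOWN
 event track 10 state down
 action 1.0 syslog msg "WAN unreachable - shutting FGT-facing port"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface GigabitEthernet0/1"
 action 5.0 cli command "shutdown"
 action 6.0 cli command "end"
!
! 4. Restore the port when the WAN recovers; without this applet the
!    FGT cluster member stays isolated after the line comes back.
event manager applet FGT-PORT-UP
 event track 10 state up
 action 1.0 syslog msg "WAN reachable - restoring FGT-facing port"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface GigabitEthernet0/1"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "end"
```

Two points matter in this topology. The SLA target must only be reachable through this router's own uplink (hence the pinned host route); if the echo can be answered via the VRRP peer across the dedicated line, the track never goes down, which is exactly the failure mode described in the question. And if the VRRP group lives on the port being shut, shutting it also hands the VRRP master role to the peer, which here is the intended outcome. `show track 10` and `show event manager policy registered` confirm the track state and that both applets are loaded.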

MrSinners

Did you have any luck so far with this issue?

ede_pfau
Esteemed Contributor III

Not really, it still lingers for a solution.

On the Cisco side, EEM would be the means, event driven scripting. But, as the Cisco is managed by a big, world-wide ISP, they will probably reject the idea that they should implement this - "non-standard process". Unless my customer pays a lot of $$$. Technically, it looks like it's nothing overly complicated.


This leaves me with the scenario that I block anything but the HA and VRRP hello traffic across the dedicated line between the DCs. Either with a hardware FGT in Transparent mode, or a VDOM on one of the FGTs. Or I will have to think about a symmetrical solution with 2 VDOMs, one on each FGT.

Haven't made up my mind yet, but I will keep you posted.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
hervaltelecom
New Contributor III

Have you had any help in CISCO forums?

emnoc
Esteemed Contributor III

You do know this was posted over 2 years ago ;)


PCNSE 

NSE 

StrongSwan  

ede_pfau
Esteemed Contributor III

Yet...still unsolved!


It's a shame, and unnecessary as well. Pulling the internal link down in the event of failover would be easy and reasonable. The ISP just doesn't move a finger to solve this.

After such a long time, my customer is planning to reunite the cluster units in one place, that is, change a whole bit. I still feel the scenario (HA cluster with external VRRP routers in front) is not that extraordinary. I would like to solve this, but any solution has to be on the FGT side only.


Thanks for keeping an eye on this, anyway. Anybody else running this setup?


Ede

"Kernel panic: Aiee, killing interrupt handler!"