Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Zato02
New Contributor II

Created on ‎09-01-2025 08:20 AM

A VRRP device fails to link up with the secondary unit of an HA FortiGate 200F (7.0.5).

Regarding the VRRP-redundant network device (FortiGate 60F) connected to the HA-configured FortiGate 200F (7.0.5), the setup involves the primary 200F connected to the master 60F, and the secondary 200F connected to the backup 60F. Ideally, when the master 60F experiences a failure, communication should occur between the secondary 200F and the backup 60F. However, according to the 200F management interface, the relevant interface appears to be down.

Attempts to enable/disable the interface and static routes have not resolved the issue. Could you please advise on possible solutions?

Labels:
181
0 Kudos
5 REPLIES 5
AEK
SuperUser
SuperUser

Created on ‎09-01-2025 01:56 PM

Not so clear how they are connected. Can you share a diagram?

AEK
AEK
161
Zato02
New Contributor II
In response to AEK

Created on ‎09-05-2025 03:39 AM

Please forgive the rough diagram, but I would appreciate your confirmation.
I would like to make changes to the 200F side.vrrp.png

130
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎09-06-2025 03:23 AM

As long as the secondary 200F is standby it can't communicate with the backup 60F.

You can fix it either by configuring port1 as monitor interface in 200F HA config, or by changing your design to use intermediate L2 switch between 60F and 200F, or using full mesh via SW/HW switches between 60F and 200F.

AEK
AEK
99
Zato02
New Contributor II
In response to AEK

Created on ‎09-06-2025 04:02 AM Edited on ‎09-06-2025 04:04 AM

Thank you for your response. I had mistakenly assumed that communication would continue seamlessly as long as the secondary unit was active.

Since adding more devices is not feasible, I believe using a monitor interface would be the most desirable solution.

On another note, I omitted some parts of the diagram to avoid making it overly complex. Both the 60F and 200F are also connected to a stacked L3 switch. In this setup, if we use a monitor interface, does that mean communication will switch to the secondary 200F when the primary port1 goes down? Also, if the primary port1 is down and the secondary port3 is also down, does that mean the failover won't work properly and communication will be interrupted?vrrp2.png

91
0 Kudos
AEK
SuperUser
SuperUser
In response to Zato02

Created on ‎09-06-2025 11:00 AM

If you need only port1 to be monitored then set only port1 as monitored interface.

If you need also port3 to be monitored then set it as well.

 

Also, if the primary port1 is down and the secondary port3 is also down, does that mean the failover won't work properly and communication will be interrupted?

-> I didn't try this case but I guess there would be a primary election so that one FGT handles the remaining traffic. I need to try it in my lab to make sure about the behavior.

 

Also keep in mind that the "monitored interface" is based on link status up or down. In your case with VRRP I think it is better to combine with link monitor to check IP reachability instead of link up/down status.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Combining-remote-link-monitoring-with-a-hi...

AEK
AEK
64
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.