Connectivity issue between Cisco and FortiGate
Dear all,
I would like to build an internet firewall. I have two FortiGate 3700D units in HA (Active-Active).
My FortiGates are directly connected to Cisco Nexus switches, like this:
FortiGate A (interface 01) to Nexus A (interface 01)
FortiGate A (interface 02) to Nexus B (interface 01)
FortiGate B (interface 01) to Nexus A (interface 02)
FortiGate B (interface 02) to Nexus B (interface 02)
On the FortiGate, I have already configured:
    set vdom "root"
    set ip 192.168.10.2 255.255.255.248
    set allowaccess ping https ssh
    set type aggregate
    set member "port1" "port2"
    set description "forti to inside"
    set device-identification enable
    set device-identification-active-scan enable
    set role lan
    set snmp-index 38
    set lacp-ha-slave disable
On the Cisco side, my customer has configured:
IP Address 192.168.10.1 255.255.255.248
The interfaces are in a vPC port-channel with different domains:
Port 1 = domain A
Port 2 = domain B
The Cisco has two VDCs:
VDC core (connectivity from Cisco to FortiGate is on VDC core)
VDC global (connectivity from users to Cisco is on VDC global)
Routing between VDC core and VDC global is already configured.
The result is that the interface comes up. The FortiGate can ping the Cisco point-to-point.
But when a user accesses the FortiGate management IP, it fails (RTO).
The FortiGate already has a static route to the inside segment.
Does anyone have a solution or a similar experience to share?
Thanks
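A set of FortiGate CLI checks for exactly this symptom (point-to-point ping works, management access from the user segment times out), added here as an example and not part of the original post. The aggregate interface name `agg-inside`, the user subnet host `10.0.0.50` and the management IP `192.168.10.2` (from the post) are placeholders; substitute the names from the running configuration.

```fortios
# 1. Is the LACP bundle really up on BOTH members? One member stuck in a
#    different aggregator, or only one active port, points at the vPC side
#    (two separate vPC domains cannot present a single LACP partner).
diagnose netlink aggregate name agg-inside

# 2. Does the FortiGate have a route back to the user segment via the
#    aggregate, and has it resolved the Nexus gateway 192.168.10.1?
get router info routing-table all
diagnose ip arp list

# 3. Do the user's packets arrive at all? Sniff on the aggregate for the
#    test host talking to the management IP (verbosity 4 shows interfaces).
diagnose sniffer packet agg-inside 'host 10.0.0.50 and host 192.168.10.2' 4 20

# 4. If requests arrive but no replies are seen, trace how the FortiGate
#    handles them (local-in policy, route lookup, drop reason).
diagnose debug flow filter addr 10.0.0.50
diagnose debug flow trace start 20
diagnose debug enable
# ... reproduce the HTTPS/SSH attempt from the user host, then stop:
diagnose debug disable
diagnose debug reset

# 5. Confirm the return path sourced from the management IP itself.
execute ping-options source 192.168.10.2
execute ping 10.0.0.50
```

If step 3 shows requests entering on only one member port and step 5 shows replies leaving on the other, the asymmetry between the two vPC domains is the place to look, not the FortiGate policy.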