Support Forum
StephenL
New Contributor

Default Gateway for vxlan over ipsec

I have set up two sites with a FortiGate 100F device (7.0.5) at each site.

I have set up, and have operational, a VXLAN connection between the two sites over an IPsec tunnel.

At site A there is a monitoring VM with a fixed IP address (192.168.200.2/24, GW 192.168.200.1) and at site B a test VM with a fixed IP address (192.168.200.3/24, GW 192.168.200.1).

The issue I have is that the test VM is unable to ping the GW IP address 192.168.200.1 (or anything beyond the GW).


The testing at the moment is:

The Monitoring VM (192.168.200.2) is able to ping the test VM (192.168.200.3)

The Monitoring VM (192.168.200.2) is able to ping the GW (192.168.200.1)

The Monitoring VM (192.168.200.2) is able to ping 8.8.8.8

Can RDP from Monitoring VM (192.168.200.2) to Test VM (192.168.200.3)

The Test VM (192.168.200.3) is able to ping the Monitoring VM (192.168.200.2)

The Test VM (192.168.200.3) is able to ping other devices at Site A in the 192.168.200.x/24 range

The Test VM (192.168.200.3) is unable to ping the GW (192.168.200.1) - Request timed out


The diagram below outlines the configuration:

[Image: VXLAN.jpg]


It would seem the VXLAN is operational, as traffic flows in both directions.

External access at Site A via the Software Switch with an IP address of 192.168.200.1 is operational.

Ping is allowed for the Software Switch IP 192.168.200.1.

Firewall rules for Zone_200 allow all 192.168.200.0/24 traffic out for ping.

VLANing is working via the FortiGate redundant switch / VLAN switch.


Am I missing something about the configuration of VXLAN gateway addresses?


I have used the technical guide https://community.fortinet.com/t5/FortiGate/Technical-Tip-VXLAN-over-IPsec-for-multiple-VLANs-using-... as the basis for the VXLAN. Aside from the IP addresses, where the document refers to Internal1 I am using a VLAN Switch (I need high availability using independent switches).

And the technical guide https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-route-traffic-from-VXlan-to-other-v... for the routing.


[Image: StephenL_0-1661059486386.png]


Am I missing something about VXLANs and default gate

1 Solution
akristof

Hey, I have an idea. Can you run these commands on the FortiGate at Site B:

diag sys vxlan fdb list <NameOfVxlanVtep>
fnsysctl ifconfig <SoftwareSwitchName> --- This one please take from both devices

I suspect that it is related to the virtual MAC address. If you have a 100F on both sites and both sites are running an HA cluster with group-id 0, then there is a possibility that the MAC address generated for the software switch on each device is the same. If you see that both software switches have the same MAC address, then you will need to change the group-id under one cluster to another value. But for that, I recommend having direct access (console or OOB management) and doing it outside of business hours, as you would be playing with HA.

Adrian

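The check suggested in the solution above, comparing the software-switch MAC addresses reported by the two units, as an added example that is not part of the thread or of Fortinet's tooling. It assumes that `fnsysctl ifconfig` prints BusyBox/Linux-style `ifconfig` text, and it assumes (to be verified against the FortiOS HA documentation for your release) that HA virtual MACs begin with 00:09:0f:09 and carry the HA group-id in the fifth octet. All interface names, MAC addresses and addresses in the sample output are constructed.

```python
"""Flag MAC addresses that two FortiGate units both report for their interfaces.

Added example (not from the forum thread). Feed it the text of
``fnsysctl ifconfig <iface>`` captured on each site; any MAC that shows up on
both units is printed, with the assumed HA group-id decoded where the MAC
looks like an HA virtual MAC. Sample output below is constructed.
"""
import re

# ASSUMPTION: FortiGate HA virtual-MAC prefix, 5th octet = HA group-id.
# Verify against the FortiOS HA documentation before relying on it.
HA_VMAC_PREFIX = "00:09:0f:09"

# Matches the first line of a BusyBox/Linux-style ifconfig block, e.g.
# "switch200  Link encap:Ethernet  HWaddr 00:09:0F:09:00:0A"
IFCONFIG_RE = re.compile(
    r"^(?P<iface>\S+)\s+Link encap:\S+\s+HWaddr\s+(?P<mac>[0-9A-Fa-f:]{17})",
    re.MULTILINE,
)


def parse_ifconfig(text: str) -> dict:
    """Return {interface_name: mac} (MAC lower-cased) from ifconfig-style text."""
    return {m.group("iface"): m.group("mac").lower() for m in IFCONFIG_RE.finditer(text)}


def ha_group_id(mac: str):
    """Return the assumed HA group-id if the MAC carries the HA prefix, else None."""
    if mac.startswith(HA_VMAC_PREFIX + ":"):
        return int(mac.split(":")[4], 16)
    return None


def shared_macs(site_a: dict, site_b: dict) -> list:
    """List (iface_a, iface_b, mac) for every MAC present on both units."""
    by_mac_b = {}
    for iface, mac in site_b.items():
        by_mac_b.setdefault(mac, []).append(iface)
    hits = []
    for iface_a, mac in site_a.items():
        for iface_b in by_mac_b.get(mac, []):
            hits.append((iface_a, iface_b, mac))
    return sorted(hits)


def report(site_a_text: str, site_b_text: str) -> list:
    """Human-readable lines describing each duplicate MAC across the two sites."""
    dupes = shared_macs(parse_ifconfig(site_a_text), parse_ifconfig(site_b_text))
    lines = []
    for iface_a, iface_b, mac in dupes:
        gid = ha_group_id(mac)
        note = f" (looks like HA virtual MAC, group-id {gid})" if gid is not None else ""
        lines.append(f"DUPLICATE {mac}: SiteA {iface_a} / SiteB {iface_b}{note}")
    return lines


# Constructed sample output: both software switches got the same virtual MAC
# because both clusters use HA group-id 0; the VXLAN interfaces differ.
SITE_A = """\
switch200  Link encap:Ethernet  HWaddr 00:09:0F:09:00:0A
          inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
vxlan200  Link encap:Ethernet  HWaddr 02:AA:BB:CC:DD:01
"""
SITE_B = """\
switch200  Link encap:Ethernet  HWaddr 00:09:0F:09:00:0A
vxlan200  Link encap:Ethernet  HWaddr 02:AA:BB:CC:DD:02
"""

if __name__ == "__main__":
    print("\n".join(report(SITE_A, SITE_B)) or "no shared MAC addresses")
```

With the constructed input the script reports the software switch on both sites sharing 00:09:0f:09:00:0a and decodes group-id 0, which is exactly the condition the answer describes; changing the group-id on one cluster would give that unit a different fifth octet.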

akristof

Great. Thanks for info. I am glad that we were able to find the problem :)

Adrian