I have set up two sites with a FortiGate 100F device (7.0.5) at each site.
I have set up, and have operational, a VXLAN connection between the two sites over an IPsec tunnel.
At site A there is a monitoring VM with a fixed IP address (192.168.200.2/24, GW 192.168.200.1) and at site B a test VM with a fixed IP address (192.168.200.3/24, GW 192.168.200.1).
The issue I have is that the test VM is unable to ping the GW IP address 192.168.200.1 or anything beyond the GW.
The testing at the moment is:
The Monitoring VM (192.168.200.2) is able to ping the test VM (192.168.200.3)
The Monitoring VM (192.168.200.2) is able to ping the GW (192.168.200.1)
The Monitoring VM (192.168.200.2) is able to ping 8.8.8.8
Can RDP from Monitoring VM (192.168.200.2) to Test VM (192.168.200.3)
The Test VM (192.168.200.3) is able to ping the Monitoring VM (192.168.200.2)
The Test VM (192.168.200.3) is able to ping other devices at Site A in the 192.168.200.x/24 range
The Test VM (192.168.200.3) is unable to ping the GW (192.168.200.1) - Request time-out
The diagram below outlines the configuration.
It would seem the VXLAN is operational, as traffic flows in both directions.
External access at Site A via the Software Switch with an IP address of 192.168.200.1 is operational.
Ping is allowed for the Software Switch IP 192.168.200.1.
Firewall Rules for Zone_200 allow all 192.168.200.0/24 traffic out for ping.
VLANing is working via the FortiGate Redundant switch / VLAN switch.
Am I missing something about the configuration of VXLAN gateway addresses?
I have used the technical guide https://community.fortinet.com/t5/FortiGate/Technical-Tip-VXLAN-over-IPsec-for-multiple-VLANs-using-... as the basis for the VXLAN. Aside from the IP addresses, where the document refers to Internal1 I am using a VLAN Switch (I need high availability using independent switches).
And the technical guide https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-route-traffic-from-VXlan-to-other-v... for the routing.
Am I missing something about VXLANs and default gate
Hey, I have an idea. Can you run these commands on the FortiGate at Site B:
diag sys vxlan fdb list <NameOfVxlanVtep>
fnsysctl ifconfig <SoftwareSwitchName> --- please take this one from both devices
I suspect that it is related to the virtual MAC address. If you have a 100F on both sites and both sites are running an HA cluster with group-id 0, then there is a possibility that the MAC address generated for the software switch on each device is the same. If you see that both software switches have the same MAC address, then you will need to change the group-id under one cluster to another value. But for that, I recommend having direct access (console or OOB management) and doing it outside of business hours, as you would be playing with HA.
Great. Thanks for info. I am glad that we were able to find the problem :)
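The comparison the answer asks for (take `fnsysctl ifconfig <SoftwareSwitchName>` from both devices and check whether the software switches share a MAC) can be done mechanically once the two outputs are saved. The script below is an added example, not code from the thread or from Fortinet; the two captures are constructed samples modelled on ifconfig-style output, with made-up interface names, IPs and MACs, and the header-line format it parses is an assumption that may need adjusting for a given FortiOS build.

```python
import re
from collections import defaultdict

# Constructed sample captures, modelled on `fnsysctl ifconfig <SoftwareSwitchName>`
# output from each site's FortiGate. Names, IPs and MACs are made up; the
# identical HWaddr on both devices reproduces the collision the answer describes.
SITE_A_IFCONFIG = """\
SW_200   Link encap:Ethernet  HWaddr 00:09:0F:09:00:02
         inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""
SITE_B_IFCONFIG = """\
SW_200   Link encap:Ethernet  HWaddr 00:09:0F:09:00:02
         inet addr:192.168.200.1  Bcast:192.168.200.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# Matches the "<ifname>  Link encap:...  HWaddr <mac>" header line of each interface.
HWADDR_RE = re.compile(
    r"^(?P<ifname>\S+)\s+Link encap:\S+\s+HWaddr\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})",
    re.MULTILINE,
)


def parse_hwaddrs(ifconfig_text):
    """Map interface name -> MAC address (lower-cased) from ifconfig-style output."""
    return {m.group("ifname"): m.group("mac").lower()
            for m in HWADDR_RE.finditer(ifconfig_text)}


def find_duplicate_macs(captures):
    """captures: {device_name: ifconfig_text} -> {mac: [(device, ifname), ...]}
    for every MAC that appears on more than one device. Two devices answering
    for one MAC across the VXLAN is what breaks the test VM's path to the GW."""
    owners = defaultdict(list)
    for device, text in captures.items():
        for ifname, mac in parse_hwaddrs(text).items():
            owners[mac].append((device, ifname))
    return {mac: hits for mac, hits in owners.items()
            if len({device for device, _ in hits}) > 1}


if __name__ == "__main__":
    dupes = find_duplicate_macs({"SiteA": SITE_A_IFCONFIG, "SiteB": SITE_B_IFCONFIG})
    for mac, hits in dupes.items():
        print(f"MAC {mac} shared by {hits}: likely HA group-id collision")
```

An empty result after changing the group-id on one cluster (and re-capturing both outputs) confirms the software switches now have distinct MACs.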
Copyright 2024 Fortinet, Inc. All Rights Reserved.