Hello all,
We recently got 2 FortiGate 100Fs for our newly bought rack in a datacenter. With these 2 FortiGates we also have 2 Dell EMC S4128F-ON switches.
When setting up the primary FortiGate, everything works fine, the internet connection is working and stable, but as soon as I set up HA, the internet starts acting weird. Sometimes pinging works, sometimes it doesn't. Sometimes only IPv4 addresses are pingable and sometimes only domain names are pingable.
I've added a network diagram of the setup. If you need more information please let me know.
On the ISP router side, only one of WAN port 1 and WAN port 2 is active at a time, and it provides the same IP/GW address regardless of which side is active over VRRP?
Not sure how the VRRP is accomplished without going through a switch.
Toshi
Hello Toshi,
I am not sure what you mean.
As far as I know both ports are active all the time.
Hi Jesper
Do you have another FGT cluster in the same network?
Created on 03-20-2024 12:55 AM Edited on 03-20-2024 12:58 AM
No this is the only cluster in the network
Hi Jesper
Hello AEK,
This is the ISP part, it is the same ISP. Maybe I should have drawn 1 cloud with 2 lines going to both FGs. Sorry
https://docs.equinix.com/en-us/Content/Interconnection/EIA/EIA-config-options.htm
Created on 03-20-2024 08:54 AM Edited on 03-20-2024 05:11 PM
So, the "Customer L2 Switch(es)" in this diagram is what you are missing. Those two Equinix routers talk to each other to form VRRP through the L2 connection, communicating with each other via the .y and .z IPs. That broadcast domain can't be formed if you connect each to a separate FGT. And, in a-p HA, the secondary FGT would not pass/process packets although L1 on the port is up. So it would break the VRRP and both routers think the other side is down.
The bottom half would be just one of many ways to implement redundancy on Equinix's customer side utilizing their redundancy setup.
With FGT's a-p HA, those two FGTs act as one router. So you need to have the same (L2 wise) connection from the "Customer L2 Switches" into the same WAN port on both FGTs.
Toshi
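To make the broadcast-domain argument above concrete, here is an added Python model of the two wirings (my own illustration for this thread, not code from Fortinet or Equinix). Node names such as `eqx-rtr-a`, `fgt1` and `sw1` are assumed; the roles model a switch as an L2 flooder, while routers and FortiGates terminate L2 on the port, and only the primary FGT of an a-p cluster processes traffic. It checks whether the two ISP routers can hear each other's VRRP hellos, and, for every combination of "which FGT is primary" and "which router holds the VRRP VIP", whether the cluster can reach its gateway, which is the pattern behind the intermittent symptoms in the question.

```python
from collections import deque

# Constructed model of the two topologies discussed in the thread (added
# illustration, not Fortinet or Equinix code). Switches flood L2 frames out
# every other port; routers and FortiGates terminate L2 on the port (they
# route, they do not bridge).
L2_FORWARDERS = {"switch"}


def broadcast_domain(roles, links, src):
    """Return every node that sees frames flooded from `src` (its broadcast domain)."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen = {src}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        # The source emits the frame; after that only L2 forwarders relay it.
        if node != src and roles[node] not in L2_FORWARDERS:
            continue
        for nb in adj.get(node, ()):
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return seen


def vrrp_peers_adjacent(roles, links, rtr_a, rtr_b):
    """VRRP only forms if both ISP routers hear each other's hellos."""
    return rtr_b in broadcast_domain(roles, links, rtr_a)


def gateway_reachable(roles, links, primary_fgt, vrrp_master):
    """Can the active FortiGate reach the ISP router that currently holds the VIP?"""
    return vrrp_master in broadcast_domain(roles, links, primary_fgt)


def failover_matrix(roles, links, fgts, routers):
    """Every (primary FGT, VRRP master) combination and whether Internet works for it."""
    return {(f, r): gateway_reachable(roles, links, f, r) for f in fgts for r in routers}


ROLES = {
    "eqx-rtr-a": "router", "eqx-rtr-b": "router",
    "fgt1": "fortigate", "fgt2": "fortigate",
    "sw1": "switch", "sw2": "switch",
}

# As drawn in the question: each Equinix router cabled straight into one FGT WAN port.
DIRECT = [("eqx-rtr-a", "fgt1"), ("eqx-rtr-b", "fgt2")]

# As in the Equinix document: customer L2 switches between the routers and the
# cluster, cross-linked so both routers and both FGT WAN ports share one segment.
WITH_SWITCHES = [
    ("eqx-rtr-a", "sw1"), ("eqx-rtr-b", "sw2"), ("sw1", "sw2"),
    ("sw1", "fgt1"), ("sw2", "fgt2"),
]

if __name__ == "__main__":
    for name, links in (("direct", DIRECT), ("with switches", WITH_SWITCHES)):
        print(name, "VRRP forms:", vrrp_peers_adjacent(ROLES, links, "eqx-rtr-a", "eqx-rtr-b"))
        matrix = failover_matrix(ROLES, links, ("fgt1", "fgt2"), ("eqx-rtr-a", "eqx-rtr-b"))
        for (fgt, rtr), ok in matrix.items():
            print("  primary=%s vrrp-master=%s -> %s" % (fgt, rtr, "ok" if ok else "BROKEN"))
```

In the direct wiring the routers never share a segment, so VRRP cannot form, and the cluster only has a working gateway when the primary FGT happens to sit on the same cable as the router that is acting as master; once the customer switches are in place every combination works, which is the property the a-p cluster needs.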
Created on 03-21-2024 08:29 AM Edited on 03-21-2024 08:35 AM
So I would be better off choosing BGP according to the docs below?
https://docs.equinix.com/en-us/Content/Interconnection/EIA/EIA-config-options.htm
or can I also place 2 dumb switches above the fortigates?
It's up to you. If you have your public subnets that need to be advertised to those multiple ISPs behind Equinix, you have to advertise them via BGP. You must have gotten that instruction when you got the Internet service from them. It's a question for them.
Toshi