FortiGate ethernet broken with HA

JesperAP · ‎03-19-2024

Hello all,

We recently got 2 FortiGates 100F for in our newly bought rack in a datacenter. With these 2 fortigates we also have 2 Dell EMC S4128F-ON switches.

When setting up the primary fortigate, everythings works fine, internet connection is working and stable, but as soon as I setup HA, the internet starts doing weird. Sometimes pinging works, sometimes it doesn't. sometimes only IPv4 addresses are pingable and sometimes only domainnames are pingable.

I've added a network diagram of the setup. If you need more information please let me know.

Toshi_Esumi · ‎03-19-2024

On the ISP router side, only one of WAN port 1 and WAN port 2 is active at a time, and provide the same IP/GW address regardless which side is active over VRRP?
Not sure how the VRRP is accomplished without going through a switch.

Toshi

JesperAP · ‎03-20-2024

Hello Toshi,

I am not sure what you mean.

As fas as I know both ports are active all the time.

AEK · ‎03-19-2024

Hi Jesper

Do you have another FGT cluster in the same network?

AEK

JesperAP · ‎03-20-2024

No this is the only cluster in the network

AEK · ‎03-20-2024

Hi Jesper

Can you elaborate the VRRP part of the diagram?
Why each FGT is not connected to both ISPs? Or you mean there is a L2 switch between FGTs and ISPs? Same between FGTs and Dell servers?

AEK

JesperAP · ‎03-20-2024

Hello AEK,

This is the ISP part, it is the same ISP. Maybe I had to draw 1 cloud with 2 lines going to both FG. Sorry

https://docs.equinix.com/en-us/Content/Interconnection/EIA/EIA-config-options.htm

Toshi_Esumi · ‎03-20-2024

So, the "Customer L2 Switch(es)" in this diagram is what you are missing. Those two Equinix routers talk each other to form VRRP through the L2 connection communicating each others with .y and .z IPs. That Broadcast Domain can't be formed if you connect each to a separate FGT. And, in a-p HA, the secondary FGT would not pass/process packets although L1 on the port is up. So it would breake the VRRP and both routers think the other side is down.

Bottom half would be just one of many ways to implement redundancy on the Equinix's customer side utilizing their redanduncy set up.

With FGT's a-p HA, those two FGTs act as one router. So you need to have the same (L2 wise) connection from the "Customer L2 Switches" into the same WAN port on both FGTs.

Toshi

JesperAP · ‎03-21-2024

So I would be better of choosing BGP according to the docs below?

https://docs.equinix.com/en-us/Content/Interconnection/EIA/EIA-config-options.htm

or can I also place 2 dumb switches above the fortigates?

Toshi_Esumi · ‎03-21-2024

It's up to you. If you have your public subnets that need to be advertised to those multiple ISPs behind Equinix, you have to advertised them via BGP. You must have gotten that instruction when you get the Internet service from them. It's a question to them.

Toshi