JesperAP

FortiGate ethernet broken with HA

Hello all,

We recently got 2 FortiGate 100Fs for our newly bought rack in a datacenter. With these 2 FortiGates we also have 2 Dell EMC S4128F-ON switches.

When setting up the primary FortiGate, everything works fine: the internet connection is working and stable. But as soon as I set up HA, the internet starts acting weird. Sometimes pinging works, sometimes it doesn't. Sometimes only IPv4 addresses are pingable and sometimes only domain names are pingable.

I've added a network diagram of the setup. If you need more information, please let me know.



Explanation_FG_bug.png

JesperAP

Thanks for the help so far Toshi.

We don't have our own IPv4 ranges; we use their IPv4 addresses. I don't want another 2 pieces of hardware that can fail. Would it be better to choose Dual port BGP - Provider assigned IP than to keep Dual port VRRP static - Provider assigned IP?

Toshi_Esumi

You can ask them about this, but I think you have to provide L2 connectivity between their two routers to make VRRP work.

It doesn't have to be two switches as in their sample diagram; it can be one of the switches you already have for LAN. Then set up a separate VLAN for 4 ports in total, to connect to their two router ports and the two FGTs' WAN ports.

As I said before, two A-P HA'ed FGTs wouldn't provide any L2 connectivity through them for their routers.

If all public IPs you have are from Equinix, then the only thing you need routing-wise is the default route to the VRIP. Why do you need BGP? The redundancy on their router side is accomplished by the VRRP, while the redundancy on your FGT side is accomplished by the HA. Unless you have to peer with the network providers through Equinix, BGP with the VRIP of their routers wouldn't add any more redundancy, other than more things to worry about and sometimes fail.

To me, simpler is better.

But, if they have an option to provide two BGP peers on each router and no VRRP, you can set up two BGP sessions but one instance on the FGT side if A-P HA. Then the physical connections should be the same as with VRRP. Those 4 interfaces (the routers' and the FGTs') would be on one broadcast domain.

 

Toshi

JesperAP

To me, adding special VLANs and adding the uplinks to one of the switches adds complexity and breaks the HA of the system, because if the switch goes down the uplink disappears.

As far as I can see and understand in their diagram, switching from VRRP static to BGP removes the need for an L2 switch; see the picture below.

We just want a simple internet connection, with two uplinks for both FGTs, and we have a /29 subnet which we bought extra from Equinix. Is BGP good enough for us?

Next Monday I have scheduled a meeting with Equinix to discuss this.

equinix_fg.png

Toshi_Esumi

If you want to make those two FGTs separate as in their diagram, each acts as an independent router and sets up BGP to them. You just can't use FGT's HA.

Toshi

JesperAP

If A-P doesn't work without L2 switches, should A-A work?

Toshi_Esumi

If you're talking about the VRRP setup, no, because it won't change the fact that you don't provide the L2 connectivity to those Equinix routers. If you want to have BGP separately with Equinix, there's no use of FGT HA anyway. Just make them separate routers.

Toshi

JesperAP

So if I understand correctly, going back to VRRP via L2 switches.

If I use the diagram below, should it work? With giving them a VLAN on the switch as well.

fg-switchvrrp.png

Toshi_Esumi

I believe so, if you put all those ports in the same broadcast domain.

Toshi
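The VRRP hand-off Toshi describes (one VLAN carrying both Equinix router ports and both FGT WAN ports, the FGTs in A-P HA with wan1 monitored, and a default route to the VRIP) written out as a configuration sketch. This is an added example, not from the thread or from Fortinet/Dell documentation; VLAN 100, the port numbers, the HA interface names "ha1"/"ha2", the group name and the 203.0.113.8/29 addresses are constructed placeholders.

```text
! --- Dell EMC S4128F-ON (OS10): one access VLAN for the hand-off ---
! Assumption: Equinix routers land on ethernet1/1/1-2, FGT wan1 ports on 1/1/3-4.
! These four ports carry nothing else, so the provider sees one flat L2 segment.
interface vlan 100
 description EQUINIX-VRRP-HANDOFF
 no shutdown
!
interface ethernet1/1/1
 description Equinix-router-A
 switchport mode access
 switchport access vlan 100
 no shutdown
!
! Repeat the same access-port lines for ethernet1/1/2 (Equinix-router-B),
! ethernet1/1/3 (FGT-1 wan1) and ethernet1/1/4 (FGT-2 wan1).

# --- FortiGate 100F (FortiOS CLI): A-P HA, one shared WAN address ---
# Constructed 203.0.113.8/29: .9 = Equinix VRIP (the gateway),
# .10/.11 = their physical router IPs, .12 = address owned by the active FGT.
config system ha
    set group-name "DC-HA"
    set mode a-p
    set password "<HA-password-placeholder>"
    set hbdev "ha1" 50 "ha2" 50
    set session-pickup enable
    set monitor "wan1"
end
config system interface
    edit "wan1"
        set ip 203.0.113.12 255.255.255.248
        set role wan
    next
end
config router static
    edit 1
        set gateway 203.0.113.9
        set device "wan1"
    next
end
```

If the four ports are spread across both S4128F-ON switches, VLAN 100 must also be carried on the link between them; otherwise the two halves are separate broadcast domains and VRRP between the Equinix routers cannot work. The same single broadcast domain is what lets the secondary FGT take over the .12 address on failover without the provider changing anything.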
