Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JesperAP
New Contributor

Created on ‎03-19-2024 01:52 PM

FortiGate ethernet broken with HA

Hello all,

 

We recently got 2 FortiGates 100F for in our newly bought rack in a datacenter. With these 2 fortigates we also have 2 Dell EMC S4128F-ON switches.

 

When setting up the primary fortigate, everythings works fine, internet connection is working and stable, but as soon as I setup HA, the internet starts doing weird. Sometimes pinging works, sometimes it doesn't. sometimes only IPv4 addresses are pingable and sometimes only domainnames are pingable.

 

I've added a network diagram of the setup. If you need more information please let me know.



Explanation_FG_bug.png

Labels:
2680
0 Kudos
17 REPLIES 17
Toshi_Esumi
SuperUser
SuperUser

Created on ‎03-19-2024 03:05 PM

On the ISP router side, only one of WAN port 1 and WAN port 2 is active at a time, and provide the same IP/GW address regardless which side is active over VRRP?
Not sure how the VRRP is accomplished without going through a switch.

Toshi

1591
JesperAP
New Contributor
In response to Toshi_Esumi

Created on ‎03-20-2024 12:55 AM

Hello Toshi,

 

I am not sure what you mean.

As fas as I know both ports are active all the time.

1547
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎03-19-2024 03:19 PM

Hi Jesper

Do you have another FGT cluster in the same network?

AEK
AEK
1589
JesperAP
New Contributor
In response to AEK

Created on ‎03-20-2024 12:55 AM Edited on ‎03-20-2024 12:58 AM

No this is the only cluster in the network

1546
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎03-20-2024 01:11 AM

Hi Jesper

  • Can you elaborate the VRRP part of the diagram?
  • Why each FGT is not connected to both ISPs? Or you mean there is a L2 switch between FGTs and ISPs? Same between FGTs and Dell servers?
AEK
AEK
1536
JesperAP
New Contributor
In response to AEK

Created on ‎03-20-2024 01:16 AM

Hello AEK,

 

This is the ISP part, it is the same ISP. Maybe I had to draw 1 cloud with 2 lines going to both FG. Sorry

 

eq-conf.png

 

https://docs.equinix.com/en-us/Content/Interconnection/EIA/EIA-config-options.htm 

1532
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to JesperAP

Created on ‎03-20-2024 08:54 AM Edited on ‎03-20-2024 05:11 PM

So, the "Customer L2 Switch(es)" in this diagram is what you are missing. Those two Equinix routers talk each other to form VRRP through the L2 connection communicating each others with .y and .z IPs. That Broadcast Domain can't be formed if you connect each to a separate FGT. And, in a-p HA, the secondary FGT would not pass/process packets although L1 on the port is up. So it would breake the VRRP and both routers think the other side is down.

 

Bottom half would be just one of many ways to implement redundancy on the Equinix's customer side utilizing their redanduncy set up. 

With FGT's a-p HA, those two FGTs act as one router. So you need to have the same (L2 wise) connection from the "Customer L2 Switches" into the same WAN port on both FGTs.

Toshi

1503
JesperAP
New Contributor
In response to Toshi_Esumi

Created on ‎03-21-2024 08:29 AM Edited on ‎03-21-2024 08:35 AM

So I would be better of choosing BGP according to the docs below?

 

https://docs.equinix.com/en-us/Content/Interconnection/EIA/EIA-config-options.htm

 

or can I also place 2 dumb switches above the fortigates?

1480
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to JesperAP

Created on ‎03-21-2024 08:36 AM

It's up to you. If you have your public subnets that need to be advertised to those multiple ISPs behind Equinix, you have to advertised them via BGP. You must have gotten that instruction when you get the Internet service from them. It's a question to them.

Toshi

1477
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.