Hi!
I just updated my 200E-Cluster from 5.6.6 to 5.6.9. Now, I have a very strange issue:
The unicast-traffic that passes the fortigate is "acting" like broadcast-traffic.
--> The traffic is sent to every switchport
If I monitor the traffic on ANY switchport, I see all the unicast-packets, that where routed by the fortigate.
If I ping the fortigate from the destination IP, the problem stops instantly.
Do you have any idea, what happens there?
For me, the Fortigate seems to "forget" to use the ARP-table for those packets. If I have "incoming" traffic (destination=fortigate), that ARP seems to work fine.
The ARP for one test-server:
#diagnose ip arp list | grep 10.49.0.48 index=34 ifname=DMZ-HO-Bond 10.49.0.48 00:50:56:89:xx:xx state=00000004 use=369512 confirm=372713 update=368876 ref=4
Thank you for your help!
KPS
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
since you have a cluster are you doing home-runs with wiring ?
kubimike wrote:since you have a cluster are you doing home-runs with wiring ?
I do not really understand. The cluster is active-passive. Both nodes have one leg in every network.
How many switches do you have connected to the fortigate ?
kubimike wrote:How many switches do you have connected to the fortigate ?
Hi!
Each Fortigate is connected to two switches as active-passive-bond.
Ah thats what I thought. See if this cures your problem report back :)
config system stp
set switch-priority 0
end
Hi!
But why does this matter? The A/P-bond should not interact with STP - right?
I am running that unchanged for a year. The only change was the upgrade of FortiOS.
The switch is still active with packets getting copied to it. It mattered for me and solved my problem back in the day. If it doesn't solve it just remove it. Worth a try !
Dont forget to report back ! Im curious too .
Hi!
Thank you for your help. I will give it a try, tomorrow and report back :)
Hi!
"config system stp" is not available on my 200E with 5.6.9
Isn't this only available, if bridges are used?
...and one more question: Wouldn't this lead to the problem, that the fortigate would take over the role as root-bridge?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.