KPS
New Contributor III

Fortigate - ARP-Issues after Upgrade 5.6.6 to 5.6.9 - Unicast flooded to all switch-ports

Hi!

I just updated my 200E-Cluster from 5.6.6 to 5.6.9. Now, I have a very strange issue:

The unicast-traffic that passes the fortigate is "acting" like broadcast-traffic.

--> The traffic is sent to every switchport

If I monitor the traffic on ANY switchport, I see all the unicast-packets that were routed by the fortigate.

If I ping the fortigate from the destination IP, the problem stops instantly.

Do you have any idea, what happens there?

For me, the Fortigate seems to "forget" to use the ARP-table for those packets. If I have "incoming" traffic (destination=fortigate), ARP seems to work fine.

The ARP for one test-server:

# diagnose ip arp list | grep 10.49.0.48
index=34 ifname=DMZ-HO-Bond 10.49.0.48 00:50:56:89:xx:xx state=00000004 use=369512 confirm=372713 update=368876 ref=4

Thank you for your help!

KPS
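As an added example (not from the original post or from Fortinet), a small Python parser for the `diagnose ip arp list` line quoted above that decodes the hexadecimal state field. The decoding assumes the FortiOS state value is the Linux neighbour-table NUD_* bitmask (an assumption, not something the thread confirms); under that assumption state=00000004 reads as STALE, which is the kind of entry worth checking when routed traffic is not being forwarded to a known MAC.

```python
import re
from dataclasses import dataclass

# Constructed sample output, modelled on the line quoted in the post
# (redacted MAC kept as posted) plus one healthy entry for contrast.
ARP_LIST_OUTPUT = """\
index=34 ifname=DMZ-HO-Bond 10.49.0.48 00:50:56:89:xx:xx state=00000004 use=369512 confirm=372713 update=368876 ref=4
index=34 ifname=DMZ-HO-Bond 10.49.0.10 00:50:56:89:aa:bb state=00000002 use=12 confirm=12 update=12 ref=1
"""

# Assumption: the state field is the Linux kernel NUD_* neighbour-state bitmask.
# The thread does not document FortiOS's encoding; this mapping is the kernel's.
NUD_FLAGS = {
    0x01: "INCOMPLETE", 0x02: "REACHABLE", 0x04: "STALE", 0x08: "DELAY",
    0x10: "PROBE", 0x20: "FAILED", 0x40: "NOARP", 0x80: "PERMANENT",
}
HEALTHY = {"REACHABLE", "PERMANENT", "NOARP"}

# One entry per line; the MAC pattern also accepts the "xx" redaction used in the post.
LINE_RE = re.compile(
    r"index=(?P<index>\d+)\s+ifname=(?P<ifname>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-fx]{2}(?::[0-9a-fx]{2}){5})\s+state=(?P<state>[0-9a-fA-F]+)\s+"
    r"use=(?P<use>\d+)\s+confirm=(?P<confirm>\d+)\s+update=(?P<update>\d+)\s+ref=(?P<ref>\d+)"
)

@dataclass
class ArpEntry:
    ifname: str
    ip: str
    mac: str
    state: int
    use: int
    confirm: int
    update: int

    def flags(self) -> list[str]:
        return [name for bit, name in NUD_FLAGS.items() if self.state & bit]

    def is_stale(self) -> bool:
        # Anything without a reachable/permanent/noarp bit needs re-resolution.
        return not (set(self.flags()) & HEALTHY)

def parse_arp_list(text: str) -> list[ArpEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(ArpEntry(m["ifname"], m["ip"], m["mac"], int(m["state"], 16),
                                    int(m["use"]), int(m["confirm"]), int(m["update"])))
    return entries

def stale_entries(text: str) -> list[str]:
    """Return 'ip (flags)' for every entry that is not in a healthy state."""
    return [f"{e.ip} ({'|'.join(e.flags())})" for e in parse_arp_list(text) if e.is_stale()]
```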

20 Replies
kubimike
New Contributor III

since you have a cluster are you doing home-runs with wiring ?

KPS
New Contributor III

kubimike wrote:

since you have a cluster are you doing home-runs with wiring ?

I do not really understand. The cluster is active-passive. Both nodes have one leg in every network.

kubimike
New Contributor III

How many switches do you have connected to the fortigate ?

KPS
New Contributor III

kubimike wrote:

How many switches do you have connected to the fortigate ?

Hi!

Each Fortigate is connected to two switches as active-passive-bond.

kubimike
New Contributor III

Ah, that's what I thought. See if this cures your problem and report back :)

config system stp
set switch-priority 0
end

KPS
New Contributor III

Hi!

But why does this matter? The A/P-bond should not interact with STP - right?

I am running that unchanged for a year. The only change was the upgrade of FortiOS.

kubimike
New Contributor III

The switch is still active with packets getting copied to it. It mattered for me and solved my problem back in the day. If it doesn't solve it just remove it. Worth a try !

Don't forget to report back! I'm curious too.

KPS
New Contributor III

Hi!

Thank you for your help. I will give it a try tomorrow and report back :)

KPS
New Contributor III

Hi!

"config system stp" is not available on my 200E with 5.6.9

Isn't this only available, if bridges are used?

...and one more question: Wouldn't this lead to the problem that the Fortigate would take over the role as root-bridge?
