- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate - ARP-Issues after Upgrade 5.6.6 to 5.6....
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate - ARP-Issues after Upgrade 5.6.6 to 5.6.9 - Unicast flooded to all switch-ports
Hi!
I just updated my 200E-Cluster from 5.6.6 to 5.6.9. Now, I have a very strange issue:
The unicast-traffic that passes the fortigate is "acting" like broadcast-traffic.
--> The traffic is sent to every switchport
If I monitor the traffic on ANY switchport, I see all the unicast-packets, that where routed by the fortigate.
If I ping the fortigate from the destination IP, the problem stops instantly.
Do you have any idea, what happens there?
For me, the Fortigate seems to "forget" to use the ARP-table for those packets. If I have "incoming" traffic (destination=fortigate), that ARP seems to work fine.
The ARP for one test-server:
#diagnose ip arp list | grep 10.49.0.48 index=34 ifname=DMZ-HO-Bond 10.49.0.48 00:50:56:89:xx:xx state=00000004 use=369512 confirm=372713 update=368876 ref=4
Thank you for your help!
KPS
Labels:
- Labels:
-
5.6
20 REPLIES 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This applies to spanning tree only. What type of switches do you have what model ? Very odd you don't have that command? Perhaps its because of the age of your OS ? Why do you run such an old release ? The idea here is you want the Fortigate as root.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think, we are talking about different things:
I am not using Fortinet-Switches. I am using Dell and Arista with RSTP enabled.
The system version of my fortigates is 5.6.9 - not very old, but I am not using them as switches.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No we are talking about the same thing so you do have spanning tree turned on for the switches it seems. So yeah you'll need to see why your OS doesn't include the config stp. I've had great success with version 6.0.4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tomorrow, I will remove one port of the bond to test, if the bond is involved in the problem.
5.6.6 did not show that behavior...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thats a good test. Make sure you don't have any health monitors to trigger a failover.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI!
I removed the "redundancy-link", but the problem is still there and very strange.
According to the docs, ARP-Cache should be at least 5 minutes, but that is not the case.
Test:
Ping "over Fortigate" to ip.
--> get system arp | grep IP --> Entry exists after ping:
get system arp | grep 10.49.0.51
10.49.0.51 0 00:50:56:96:49:b2 DMZ-HO-Bond
61 seconds later, the ARP-entry is away:
fg200e_HZ_1_1 (root) # get system arp | grep 10.49.0.51
Thank you and best wishes
KPS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You mentioned this link is a "bond" then also mentioned "redundant link". Do you know which one you're using?
You can check with "diag netlink aggregate list"
How are your switches configured? Are they stacked or using MCLAG? How do you physically have them connected?
Typically, I see unicast flooding in environments where the MAC/ARP timers have been incorrectly configured, or where there is asymmetry. Are you doing any routing on your Arista/Dell switches?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I am only using "redundant" interfaces (active-passive) and so, there is no config on the switches for LAGs, etc.
The switches are not doing any routing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why use a redundant link? I never even heard of this, can you show us your interface config? This might be part of the issue and maybe it was or was not going up prior to the upgrade and now you're seeing or noticing it.
I would also check for "local switch mac address table" for mac-addr flapping. I 'm betting the member links are and persistent with the layer2 mac-table of the switch.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I am a bit confused. I use redundant interfaces (Type: Redundant Interface) for years to avoid problems, if a switch fails.
I can confirm, that there is no outgoing traffic on the secondary link and that mac-address-tables are stable.
Don't you use redundant interfaces??
...and the config
edit "DMZ-HO-Bond"
set vdom "root"
set ip 10.49.0.2 255.255.255.0
set allowaccess ping https ssh snmp http fgfm
set type redundant
set explicit-web-proxy enable
set member "port3" "port4"
set role lan
set snmp-index 29
next
Related Posts
- WAF signatures 22 Views
- Deep inspection with streaming media 119 Views
- NO internet connection when using static... 395 Views
- free vpn client certificate problems 199 Views
- SSL VPN on LTE Disconnecting Frequently 125 Views
Labels
-
FortiGate
6,541 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
Customer Service
70 -
FortiToken
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiAuthenticator
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
SSL SSH inspection
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
Schedule
1 -
4.0MR1
1 -
SDN connector
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
FortiManager-VM
1 -
Zone
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.