Hi Community,
I am trying to set up HA for my two FortiGate VMs running on VMware environment on OVH cloud dedicated servers. The FortiGate VMs are running on diffrenet datacenters in OVH.
Problem I am running is automatic move of the WAN/failover IP from one dedicated server to another. OVH recommends use of:
My goal is to achieve active-passive failover between the two FortiGate while maintaining the same public IP.
There is no issue is configuring the VMs from the VMware side to accept promiscuous mode, issue is on the cloud provider on how they handle the WAN/failover IP.
Question: Has anyone encountered such a design? Is CARP feasible? Any idea on how to set up the this HA
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello techdsmart,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello techdsmart,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
FGT does not support CARP. It uses its own proprietary—but very similar—protocol, FGCP.
FGCP works by using a virtual MAC address on the interfaces that is shared between the two FortiGates. This vMAC will ARP for the IP address configured on that interface. So if you have two FortiGates at two different data centers with two different public IPs it will be difficult to get this right.
Can you explain how the public IP moves from one DC to the other?
OVH recommends CARP. Can you get them to explain how CARP can be used in this scenario? Beacuse if so we can very likely translate it to FGCP.
Hi,
Sorry for late reply.
IP move is done via an API (internal to OVH), customers have a control panel where they can do it manually or via an API. More info here: https://help.ovhcloud.com/csm/en-dedicated-servers-ip-fo-move?id=kb_article_view&sysparm_article=KB0...
They seem to support CARP and from the KB articles shared by them, CAAR seems to work for NetGate Firewalls since they even have a dedicated interface that works for CARRP.
I don't see anything in that link that talks about CARP. CARP works pretty much the same as Fortinet's FGCP. Again it uses a virtual MAC to assign an IP address to a specific box that is active. Can you point to OVH documentation where they talk about using CARP in this scenario? We can extraoplate from that for FGCP.
If you are using OVH Cloud to move an IP address from one instance to another instance via API then very likely these two FortiGates will need to operate independently.
There might be other options though. Do you run the same internal subnet between the two OVH Datacenters? Or is it completely separate on both sides?
OVH doesn't provide any documentation on CARP but its pretty much active since at this point we always associate (from OVH control panel) the FGT WAN interface MAC to the IP we need to use. So if i move the IP to another box, i have to associate another MAC to the IP. The main issue here is currently if we set up HA between the FGT instances, we have to move the WAN IP one instance to another instance via API or manually. The IP move in OVH is not instant meaning a downtime of up to 5 minutes would be experienced; looking for a set up that would avoid moving the IP altogether since they don't provide any other option.
Yes, i run the same internal subnet between the two OVH Datacenters all traffic controlled by one FGT box.
You have previously said:
"OVH recommends use of...Common Address Redundancy Protocol or CARP"
and
"They seem to support CARP and from the KB articles shared by them, CAAR seems to work for NetGate Firewalls since they even have a dedicated interface that works for CARRP."
And now you say "OVH doesn't provide any documentation on CARP".
So which one is it?
But do keep in mind if you enable FGCP and put the FGTs into HA mode, they will create a new viftual MAC on the WAN interface that you can associate the public IP to. That virtual MAC will automatically shift to the secondary node during failover.
Now, I have no idea if OVH Cloud will automatically move the public IP to the other DC for you..... they probably won't.
Hi Graham,
In response to "OVH doesn't provide any documentation on CARP", i meant there is no official documentation apart from discussions on their community pages and the discussion was in response to NetGate customer.
Thanks for the response . I will try to set up the FGTs in HA and try associating the virtual mac with the public IP and see if it works
I am really running out of options since this OVH Cloud set up is really f***d up. Do you think its possible to achieve HA with two FGTs with different WAN IPs and a Load Balancer?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.