DamianE
New Contributor III

HSRP with Fortigates HA Transparent mode

We have this topology and we are having connectivity problems to get from the LANs (below) to the WANS (above). The L3 Nexus Switches are using HSRP, so each one has its own IP and the virtual one floats between them. In the case of the catalysts, they are in a stack and have a single IP.

The problem is that we have connectivity for about 5 minutes but after that time the services drop. We perform a clear arp on the catalysts, and we recover connectivity for another 5 minutes and then it drops again.

If we remove the firewall cluster and connect the Nexus to the Catalyst directly, everything works OK.

We suspect that the firewalls are not letting HSRP's gratuitous ARPs through.

[Image: image.png (topology diagram)]

We found this article:

Technical-Tip-Transparent-mode-with-VRRP-HSRP-or-Network-Load

But we have some differences: the connection to the HSRP on the Nexus is through a VLAN on port1, and the same VLAN on port2 goes to the Catalyst (both are in the same forward domain).

Which is the right config:

Option 1

config system mac-address-table
    edit VIRTUAL_MAC_HSRP
        set interface "port1"
    next
end

Option 2

config system mac-address-table
    edit VIRTUAL_MAC_HSRP
        set interface "VLAN_NAME"
    next
end

If it is neither of these options, how could I troubleshoot? Or maybe it is another problem?
AEK
SuperUser

Try allowing all traffic on the firewall, just to test.

Ricky-W
New Contributor (accepted solution)

You must use "option 2". I had a similar issue in an installation (FG600F), but in that case no traffic could pass through the transparent VDOM, and the FortiGate refused to learn the HSRP MAC address. After statically adding the HSRP MAC address as in option 2, it started to work.

DamianE
New Contributor III

Yes, I could try it yesterday and it worked with option 2.

How did you establish that the Forti refused to learn the HSRP MAC? Because before and after, I tried to do a "get sys arp" and couldn't see the MAC of the HSRP.

Thanks!!!

Ricky-W

Use the command "diagnose netlink brctl name host root.b" to show the MAC address table, where "root" is the VDOM name (in this case, the root VDOM).

For more information, see:
Checking the bridging information in transparent mode | FortiGate / FortiOS 6.2.15 | Fortinet Docume...
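As an added example (not part of the thread and not Fortinet's code), here is a small Python script that parses the output of that diagnose command and reports whether the HSRP virtual MAC is present in the bridge table, which bridge member it sits on, and whether it is a static entry (i.e. pinned with config system mac-address-table as in option 2). The sample output below is constructed to mirror the column layout of the command and was not captured from a real device; the interface name VLAN10 and the HSRP group are assumptions. The virtual MAC prefixes 00:00:0c:07:ac:xx (HSRPv1, last byte = group) and 00:00:0c:9f:fxxx (HSRPv2, last 12 bits = group) are Cisco's documented ranges.

```python
import re
from dataclasses import dataclass

# CONSTRUCTED sample output, laid out like "diagnose netlink brctl name host root.b"
# (not from a real device). The VLAN10 entry is what a correct option-2 config
# would produce: the HSRP virtual MAC pinned as Static on the VLAN interface.
SAMPLE_BRIDGE_TABLE = """\
show bridge control interface root.b host.
fdb: size=2048, used=6, num=6, depth=1
Bridge root.b host table
port no device  devname mac addr                ttl     attributes
  1     3       port1   00:0c:29:11:22:33       0       Local Static
  2     4       port2   00:0c:29:44:55:66       0       Local Static
  1     3       port1   00:1b:54:aa:bb:01       12
  1     3       port1   00:1b:54:aa:bb:02       20
  3     7       VLAN10  00:00:0c:07:ac:0a       0       Static
  2     4       port2   00:11:22:33:44:55       8
"""

# Cisco HSRP virtual MAC ranges (well-known values).
HSRP_V1 = re.compile(r"^00:00:0c:07:ac:([0-9a-f]{2})$")
HSRP_V2 = re.compile(r"^00:00:0c:9f:f([0-9a-f]{3})$")
# One data row: port, device, devname, mac, ttl, optional attributes.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+([0-9a-fA-F:]{17})\s+(\d+)\s*(.*)$")


@dataclass
class FdbEntry:
    port: int
    devname: str
    mac: str
    ttl: int
    static: bool


def parse_bridge_table(text):
    """Parse the bridge host table into FdbEntry records, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, fdb summary and column-header lines
        port, _device, devname, mac, ttl, attrs = m.groups()
        entries.append(FdbEntry(int(port), devname, mac.lower(), int(ttl),
                                "static" in attrs.lower()))
    return entries


def hsrp_group(mac):
    """Return (hsrp_version, group) if mac is an HSRP virtual MAC, else None."""
    mac = mac.lower()
    m = HSRP_V1.match(mac)
    if m:
        return (1, int(m.group(1), 16))
    m = HSRP_V2.match(mac)
    if m:
        return (2, int(m.group(1), 16))
    return None


def check_hsrp_entries(text, expected_devname):
    """Report every HSRP virtual MAC in the table. 'ok' is True only when the entry
    is static and bound to expected_devname (the VLAN interface from option 2).
    An empty list means the FortiGate holds no entry for any HSRP virtual MAC,
    which is the symptom described in the thread."""
    report = []
    for e in parse_bridge_table(text):
        info = hsrp_group(e.mac)
        if info is None:
            continue
        version, group = info
        report.append({
            "mac": e.mac, "version": version, "group": group,
            "devname": e.devname, "static": e.static,
            "ok": e.static and e.devname == expected_devname,
        })
    return report


if __name__ == "__main__":
    # Run against the constructed sample; feed real command output via stdin instead.
    for r in check_hsrp_entries(SAMPLE_BRIDGE_TABLE, "VLAN10"):
        state = "OK" if r["ok"] else "CHECK"
        print(f"{state}: HSRPv{r['version']} group {r['group']} {r['mac']} "
              f"on {r['devname']} static={r['static']}")
```

To use it on a live box, capture the diagnose output to a file and pass its contents to check_hsrp_entries with the name of the VLAN interface you configured; an entry that is present but not static (learned dynamically with a TTL) is the state that can age out and produce the periodic drops described in the question.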
