Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DamianE
New Contributor III

Created on ‎10-30-2023 05:20 PM

HSRP with Fortigates HA Transparent mode

We have this topology and we are having connectivity problems to get from the LANs (below) to the WANS (above). The L3 Nexus Switches are using HSRP, so each one has its own IP and the virtual one floats between them. In the case of the catalysts, they are in a stack and have a single IP.

The problem is that we have connectivity for about 5 minutes but after that time the services drop. We perform a clear arp on the catalysts, and we recover connectivity for another 5 minutes and then it drops again.

We eliminate the firewall cluster and connect the Nexus to the Catalyst directly and everything works ok.

We suspect that firewalls are not letting HSRP's gratuitus ARPs through.

 

image.png

 We foun this article 

 

Technical-Tip-Transparent-mode-with-VRRP-HSRP-or-Network-Load 

 

But we have some differences: The connection with the HSRP in the Nexus is through a vlan in port1, the same vlan in the port2 to the catalyst (both are in the same forward domain)

 

Wich is right config: 

Option 1

config system mac-address-table
     edit VIRTUAL_MAC_HSRP
     set interface "port1"
end

Option 2

config system mac-address-table
     edit VIRTUAL_MAC_HSRP
     set interface "VLAN_NAME"
end
If it is none of these options, how could I do trobleshooting? or may be is another problem?
Labels:
2527
0 Kudos
1 Solution
Ricky-W
New Contributor

Created on ‎11-02-2023 03:56 AM

You must use "option 2". I had a similar issue in an installation (FG600F), but in that case no traffic could pass through the transparent VDOM, and the FortiGate refused to learn the HSRP mac-address. After static added the HSRP mac-address as option 2, it started to work.

View solution in original post

2460
4 REPLIES 4
AEK
SuperUser
SuperUser

Created on ‎10-31-2023 01:56 PM

Try allow all traffic on the firewall, just to test.

AEK
AEK
2490
Ricky-W
New Contributor

Created on ‎11-02-2023 03:56 AM

You must use "option 2". I had a similar issue in an installation (FG600F), but in that case no traffic could pass through the transparent VDOM, and the FortiGate refused to learn the HSRP mac-address. After static added the HSRP mac-address as option 2, it started to work.

2461
DamianE
New Contributor III
In response to Ricky-W

Created on ‎11-02-2023 04:26 AM

Yes I could try yesterday and its worked with option 2.

 

How do you establish that the Forti refused to learn the HSRP MAC, becuase before and after i tryed to do an "get sys arp" and couldnt saw de MAC of de HSRP.

 

Thanks!!!

 

 

2449
0 Kudos
Ricky-W
New Contributor
In response to DamianE

Created on ‎11-02-2023 06:16 AM

Use command "diagnose netlink brctl name host root.b" to show mac address table, where "root" is the VDOM name. In this case, the root VDOM. 

For more information, see:
Checking the bridging information in transparent mode | FortiGate / FortiOS 6.2.15 | Fortinet Docume...

2440
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.