Hello,
I am encountering an issue with my configuration that I am unable to resolve.
I have two sites connected with VXLAN over IPSEC. On each of my sites, I have two VLANs (VLAN 10 and VLAN 20).
Here are my tests:
However,
Do you have any idea why?
Thanks for your help!
Thank you to the TAC support engineers who, after quite a bit of investigation, detected a duplicate MAC address between the two FortiGate devices.
A big thank you as well to everyone who helped me with the search!
I haven't updated the images in EVE for quite a while, so it is an older version, 6.4.12.
Here is the result of diagnose netlink brctl name host <>
FGVM02 (global) # diagnose netlink brctl name host <>
show bridge control interface <> host.
fdb: hash size=0, used=0, num=0, depth=0, gc_time=0, ageing_time=0
Bridge <> host table
FGVM02 (global) #
But if I run : diagnose netlink brctl name host VXLAN20-SW
FGVM02-SITE-A (global) # diagnose netlink brctl name host VXLAN20-SW
show bridge control interface VXLAN20-SW host.
fdb: hash size=32768, used=9, num=9, depth=1, gc_time=4, ageing_time=300, simple=switch
Bridge VXLAN20-SW host table
port no device devname mac addr ttl attributes
2 70 VLAN_20 ce:a4:d5:16:16:92 1 Hit(1)
1 68 VXLAN_20 b6:77:45:59:52:54 0 Local Static
2 70 VLAN_20 c4:cb:e1:58:b4:ce 1 Hit(1)
2 70 VLAN_20 00:09:0f:09:00:00 0 Local Static
1 68 VXLAN_20 d6:ce:16:88:03:6b 1 Hit(1)
1 68 VXLAN_20 90:09:d0:38:4d:f6 204 Hit(204)
1 68 VXLAN_20 c4:cb:e1:58:ce:89 272
1 68 VXLAN_20 90:09:d0:38:4d:90 50 Hit(50)
1 68 VXLAN_20 64:9d:99:20:e2:84 1 Hit(1)
FGVM02-SITE-A (global) #
I see the MAC address of my target (d6:ce:16:88:03:6b).
Ping still doesn't work...
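The check that eventually resolved this thread (a duplicate MAC address between the two FortiGates) can be scripted against the output of diagnose netlink brctl name host shown above. The following is an added example, not code from the thread or from Fortinet: it parses the site A table exactly as posted, and a constructed site B table (not from the thread, with hypothetical device names) in which the cloned VM reuses the same Local Static MAC on its VLAN_20 port. It then reports any MAC that is "Local" on more than one FortiGate, and also answers the question asked above (on which port does a given MAC appear?).

```python
import re

# One row of the "Bridge <name> host table": port, device number, devname, MAC, ttl,
# then optional attributes such as "Hit(1)" or "Local Static" (may be empty).
FDB_LINE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<devno>\d+)\s+(?P<devname>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ttl>\d+)\s*(?P<attrs>.*)$",
    re.IGNORECASE,
)

# Site A table, copied from the output posted in this thread.
SITE_A_FDB = """\
port no device devname mac addr ttl attributes
2 70 VLAN_20 ce:a4:d5:16:16:92 1 Hit(1)
1 68 VXLAN_20 b6:77:45:59:52:54 0 Local Static
2 70 VLAN_20 c4:cb:e1:58:b4:ce 1 Hit(1)
2 70 VLAN_20 00:09:0f:09:00:00 0 Local Static
1 68 VXLAN_20 d6:ce:16:88:03:6b 1 Hit(1)
1 68 VXLAN_20 90:09:d0:38:4d:f6 204 Hit(204)
1 68 VXLAN_20 c4:cb:e1:58:ce:89 272
1 68 VXLAN_20 90:09:d0:38:4d:90 50 Hit(50)
1 68 VXLAN_20 64:9d:99:20:e2:84 1 Hit(1)
"""

# Constructed site B table (NOT from the thread): a cloned image that reuses
# 00:09:0f:09:00:00 as its own VLAN_20 MAC, the situation the thread describes.
SITE_B_FDB = """\
port no device devname mac addr ttl attributes
1 68 VXLAN_20 8e:3b:11:7c:20:a1 0 Local Static
2 70 VLAN_20 00:09:0f:09:00:00 0 Local Static
1 68 VXLAN_20 ce:a4:d5:16:16:92 3 Hit(3)
2 70 VLAN_20 64:9d:99:20:e2:84 1 Hit(1)
"""

# Hypothetical device names used as keys; the real hostnames are not known here.
TABLES = {"FGVM02-SITE-A": SITE_A_FDB, "FGVM02-SITE-B": SITE_B_FDB}


def parse_fdb(text):
    """Turn one brctl host table dump into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = FDB_LINE.match(line)
        if not m:
            continue  # header line or any non-table text
        attrs = m.group("attrs").strip()
        entries.append({
            "port": int(m.group("port")),
            "devname": m.group("devname"),
            "mac": m.group("mac").lower(),
            "ttl": int(m.group("ttl")),
            "attrs": attrs,
            # "Local" marks an address owned by the FortiGate itself rather than learned.
            "local": "Local" in attrs,
        })
    return entries


def locate_mac(entries, mac):
    """Return the bridge member (devname) on which a MAC was seen, or None."""
    mac = mac.lower()
    for e in entries:
        if e["mac"] == mac:
            return e["devname"]
    return None


def find_duplicate_local_macs(tables):
    """Map each MAC that is 'Local' on more than one device to its (device, devname) owners."""
    owners = {}
    for device, text in tables.items():
        for e in parse_fdb(text):
            if e["local"]:
                owners.setdefault(e["mac"], []).append((device, e["devname"]))
    return {mac: o for mac, o in owners.items() if len({d for d, _ in o}) > 1}


if __name__ == "__main__":
    print("target seen on:", locate_mac(parse_fdb(SITE_A_FDB), "d6:ce:16:88:03:6b"))
    for mac, where in find_duplicate_local_macs(TABLES).items():
        print("duplicate local MAC", mac, "owned by", where)
```

Run the same diagnose command on both FortiGates, paste each table into the script, and any MAC listed as Local Static on both units is the kind of collision TAC found here. Learned (Hit) entries that overlap between the two tables are expected on an extended Layer 2 segment and are not flagged.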
I had a similar issue a few years ago; the problem was in my gateways. Remember, if a FortiGate sees the same packet arriving a second time in the same direction, it will drop it due to a network loop. So which, and where, is your gateway for each VLAN?
On each FortiGate, I have a software switch for each VLAN/VXLAN, which is the gateway.
Fortigate A :
VXLAN10-SW 10.1.10.254/24
VXLAN20-SW 10.1.20.254/24
Fortigate B :
VXLAN10-SW 10.1.10.254/24
VXLAN20-SW 10.1.20.254/24
Each PC can ping the internet, so I think the gateways are correct, aren't they?
Here is the problem: you have a duplicated IP issue. Remember, it's an extended LAN, the same broadcast domain; you can't have the same IP on FGT-A and FGT-B. Try this:
-> Remove the interface IP on FortiGate-B, keep it on FortiGate-A, and try again.
Keep in mind:
You don't need an IP on FGT-B; communication between networks works with the gateway only on FGT-A. (All outgoing traffic from FGT-B will go out through FGT-A.)
If you want, it is possible to define a different IP, for example VXLAN10-SW 10.1.10.253/24, but remember that a network with 2 gateways represents a real network challenge to prevent asymmetric routing.
Best regards.
Thanks,
In this video, it's the same configuration as mine, and it seems to work.
- Have you tried it yet?
- Have you seen the response from user @randada1 in that video?
Did you solve the issue?
Not yet, I opened a case to TAC.
Copyright 2024 Fortinet, Inc. All Rights Reserved.