Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
5q46n2te8jPWJY
Contributor

Created on ‎10-22-2024 09:36 AM

Issue with Cross-VLAN Communication over VXLAN/IPSEC between Two Sites

Hello,

 

I am encountering an issue with my configuration that I am unable to resolve.

 

I have two sites connected with VXLAN over IPSEC. On each of my sites, I have two VLANs (VLAN 10 and VLAN 20).

 

VXLAN Fortigate.drawio.png

 

Here are my tests:

 

  • SITE A / VLAN 10 successfully pings SITE B / VLAN 10
  • SITE A / VLAN 20 successfully pings SITE B / VLAN 20
  • SITE A / VLAN 10 successfully pings SITE A / VLAN 20
  • SITE A / VLAN 20 successfully pings SITE A / VLAN 10
  • SITE B / VLAN 10 successfully pings SITE A / VLAN 10
  • SITE B / VLAN 20 successfully pings SITE A / VLAN 20
  • SITE B / VLAN 10 successfully pings SITE B / VLAN 20
  • SITE B / VLAN 20 successfully pings SITE B / VLAN 10

However,

 

  • SITE A / VLAN 10 cannot ping SITE B / VLAN 20
  • SITE A / VLAN 20 cannot ping SITE B / VLAN 10
  • SITE B / VLAN 10 cannot ping SITE A / VLAN 20
  • SITE B / VLAN 20 cannot ping SITE A / VLAN 10

Do you have any idea why?

 

Thanks for your help!

Labels:
1055
0 Kudos
1 Solution
5q46n2te8jPWJY
Contributor

Created on ‎11-21-2024 04:01 AM

Thank you to the TAC support engineers who, after quite a bit of investigation, detected a duplicate MAC address between the two FortiGate devices.

 

A big thank you as well to everyone who helped me with the search!

View solution in original post

44
0 Kudos
19 REPLIES 19
funkylicious
SuperUser
SuperUser
In response to 5q46n2te8jPWJY

Created on ‎10-26-2024 12:01 AM

i havent updated the images in eve for quite a while, so a older version 6.4.12 

"jack of all trades, master of none"
"jack of all trades, master of none"
396
0 Kudos
5q46n2te8jPWJY
Contributor
In response to funkylicious

Created on ‎10-26-2024 02:32 AM

Here the result of diagnose netlink brctl name host <>

 

I have nothing in result table...
 
FGVM02 (global) # diagnose netlink brctl name host <>
show bridge control interface <> host.
fdb: hash size=0, used=0, num=0, depth=0, gc_time=0, ageing_time=0
Bridge <> host table

FGVM02  (global) #

But if I run : diagnose netlink brctl name host VXLAN20-SW

FGVM02-SITE-A (global) # diagnose netlink brctl name host VXLAN20-SW
show bridge control interface VXLAN20-SW host.
fdb: hash size=32768, used=9, num=9, depth=1, gc_time=4, ageing_time=300, simple=switch
Bridge VXLAN20-SW host table
port no device  devname mac addr                ttl     attributes
  2     70      VLAN_20        ce:a4:d5:16:16:92       1        Hit(1)
  1     68      VXLAN_20       b6:77:45:59:52:54       0       Local Static
  2     70      VLAN_20        c4:cb:e1:58:b4:ce       1        Hit(1)
  2     70      VLAN_20        00:09:0f:09:00:00       0       Local Static
  1     68      VXLAN_20       d6:ce:16:88:03:6b       1        Hit(1)
  1     68      VXLAN_20       90:09:d0:38:4d:f6       204      Hit(204)
  1     68      VXLAN_20       c4:cb:e1:58:ce:89       272
  1     68      VXLAN_20       90:09:d0:38:4d:90       50       Hit(50)
  1     68      VXLAN_20       64:9d:99:20:e2:84       1        Hit(1)

FGVM02-SITE-A (global) #

 I see my mac address of target (d6:ce:16:88:03:6b)

 

Ping still don't work...

379
0 Kudos
jdelafuente_FTNT
Staff
Staff

Created on ‎10-25-2024 07:01 PM

I had a similar issue few year ago, problem was in my gateways, remember if fortigate see same packet coming for second time in same direction will drop duenetwork loop, then wich and where is your gateway for each vlan?

Jonathan De La Fuente | LATAM TAC Engineer
417
0 Kudos
5q46n2te8jPWJY
Contributor
In response to jdelafuente_FTNT

Created on ‎10-26-2024 02:44 AM

On each fortigate, I have a software switch for each VLAN/VXLAN, wich is the gateway

 

Fortigate A :

VXLAN10-SW 10.1.10.254/24

VXLAN20-SW 10.1.20.254/24

 

Fortigate B :

VXLAN10-SW 10.1.10.254/24

VXLAN20-SW 10.1.20.254/24

 

Each PC can ping internet, so I think gateway are correct, isn't it ?

377
0 Kudos
jdelafuente_FTNT
Staff
Staff
In response to 5q46n2te8jPWJY

Created on ‎10-26-2024 11:21 AM

Here is the problem you have duplicated IP issue, remember it's an extended LAN same broadcast domain, you can't have same IP in FGT-A and FGT-B try this:

-> Remove interface IP in FortiGate-B, keep in FortiGate-A and try again.

Keep in mind.

You don't need IP in FGT-B communication between networks works with gateway only in FGT-A. (all outgoing traffic from FGB-B will go out through FGT-A)

In you want, it is possible to define a different IP for example VXLAN10-SW 10.1.10.253/24 but remember a network with 2 gateways represent a real network challenge to prevent asymmetric route.

Best regards.

Jonathan De La Fuente | LATAM TAC Engineer
337
0 Kudos
5q46n2te8jPWJY
Contributor
In response to jdelafuente_FTNT

Created on ‎10-28-2024 12:53 AM

Thanks,

 

In this video, it's the same configuration as mine, and it seem to work

 

https://www.youtube.com/watch?v=OTUA7olJO_o

292
0 Kudos
jdelafuente_FTNT
Staff
Staff
In response to 5q46n2te8jPWJY

Created on ‎10-28-2024 01:52 PM

- Have you tried it yet?
- Have you seen the response from user @randada1
in that video?

Jonathan De La Fuente | LATAM TAC Engineer
276
0 Kudos
jdelafuente_FTNT
Staff
Staff
In response to 5q46n2te8jPWJY

Created on ‎11-06-2024 10:29 PM

Did you solve the issue?

Jonathan De La Fuente | LATAM TAC Engineer
176
0 Kudos
5q46n2te8jPWJY
Contributor
In response to jdelafuente_FTNT

Created on ‎11-06-2024 11:16 PM

Not yet, I opened a case to TAC.

169
0 Kudos
5q46n2te8jPWJY
Contributor

Created on ‎11-21-2024 04:01 AM

Thank you to the TAC support engineers who, after quite a bit of investigation, detected a duplicate MAC address between the two FortiGate devices.

 

A big thank you as well to everyone who helped me with the search!

45
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.