Master/Slave fortigate problem weird behaviour with OSPF
firstable i want to apologize for my bad english, it is my third language,and i am still a student so please bare with me here.
i have an unusual issue regarding OSPF and the master fortigate
1-i have configured two core L3 switches with the following :
-core1 : creating 4 intervlans with the ip of 192.168.X.2 while x is the number of vlan
-core2 : creating 4 intervlans with the ip of 192.168.X.3 while x is the number of vlan
configuring hsrp on both cores and increasing the priority of vlan 10 and 30 on core1 and increasing the
the priority of 20 and 40 in core2 , i did that so i can load balance the traffic coming from the vlans to the core L3switches
-core1 : i have configured an ethernet interface facing the firewall with an ip of 10.10.1.2/24 and the interface facing the edge router is a switchport
-core2 : same configs except for the ip is 10.10.1.3/24
i have configured ospf on both core L3switches and it formed neighborship with the fortigate and i advertised the vlans 192.168.x.0/24
ON the fortigate side :
first,i configured PORT1 as a LAN port facing the L3switch with an ip of 10.10.1.1 BLUE LINE IS THE INSIDE NETWORK,and PORT2 as a WAN port facing the edge router with an ip of 172.16.100.4. GREEN LINE IS THE OUTSIDE NETWORK
i have configured the two firewalls to use HA setting the mode to ACTIVE/ACTIVE and making the priority high on the right side so it would be the master fortigate .
now all the configs i do on the master fortigate it would be cloned on the slave
when i configured OSPF though on the MASTER it formed a neighborship but i cannot reach the 192.168.x.0/24 network there are no entry for it in the routing table , but when i shutdown the master fortigate and the i accessed the slave all the configs were there and the 192.168.x.0/24 was on the routing table learned from OSPF.
also i tried creating a loopback on the coreswitch and when i advertised it the right fortigate learned it from ospf with no problems
the second problem is that when i created a static route from the master fortigate to the 192.168.x.0/24 network i had to set the next hop interface to 10.10.1.2 and the slave cloned the static router but it wont work on it because it has no connection to 10.10.1.2 interface only 10.10.1.3
and if i shutdown the right fortigate and access the left one and create the static route to reach 192.168.x.0/24 through 10.10.1.3 it would send this config to the other one and override the first static route through 10.10.1.2
PS: that red stretched circle is representing a BVI
So, regarding OSPF. As you said, neighborship was established on primary FortiGate, was the OSPF status FULL? Or some other state? If the status was full, did you see some entries in ospf database?
#get router info ospf database brief
First we need to verify if FortiGate's OSPF database is populated and then we can verify, why there are no routes in routing-table.
Regarding your second point. Yes, in A-A or A-P HA scenario, config is synchronized, so if you configure default-route with next-hop of a 10.10.1.2 it will be synchronized. You could use also HSRP here, so you would have next-hop 10.10.1.1 for example (HSRP VIP). This could work because in case Core1 will go down, you might monitor link connected to Core1 switch and if link would go down, failover to FortiGate2 will happen and traffic will be flowing via Core2-FortiGate2.
the problem is that the two ports connecting the core L3switches is trunk ports combined in a channel group , i have no direct connection between the 10.10.1.3 and the 10.10.1.2 , when i configured the hsrp both are active and no the standby is unknows , i think i have a sloppy design or something , i tried a ducktape solution though , i connected the two cores with another link besides the portchannel and i Bridged the interface facing the firewall with the interface connected to the other core and i gave it one ip 10.10.1.2 , same configs on the other core , the hsrp worked fine one active and the other is standby but no ping between them ! is that even possible ?
the blue line represents the link involved on the BVI
i noticed also that when i run the command #bridge 1 protocol
i have no option for ieee , only dec,ibm and vlan bridge
If you are using the link between the Core switches as a heart beat (like a monitoring link) you can make a L3 etherchannel with a /30 network, it would probably solve your HSRP problem, and if you configure the priority and preemption parameters right they will be active - standby.
if you have both hsrp in active, you have a problem in the communication, between them. Also they should be able to ping each other.
Your English is fine, no need to apologize. I will try to help you achieve your objective.
So from a network design perspective, you could have a more efficient design by placing the FortiGate's in-line with the Routers and the core switches (so you don't have traffic coming back and forward, and would have less load on the core switches, but this is just my 2-cents).
Regarding OSPF, are you sure that the networks on the FortiGate are not there ?
You can use the cli command:
get router info routing-table database -> this will show all the routes in the table, even inactive ones (some times due to administrative distance, some routes will not be active).
get router info ospf database brief -> to see all the LSA that the FortiGate haves.
It seems to me that you are using GNS3, some times you may have all the correct configs, but thins some time do not work, some times a reboot makes things work.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.