ddskier
Contributor

OSPF - Point to Point Failover

We currently have two point-to-point lines that connect our main office to our Collocation center. We primarily force all traffic over the main point-to-point using static routing. (We do have some traffic going over the backup line via a policy route.) We are currently using the Detect Server (Ping) feature of the Fortinet units to know if the main point-to-point is down. The problem that we are running into is that we would like to move towards dual stacked IPv4 and IPv6; however, Fortinet has no plans to support the Detect Server feature for IPv6. So I was thinking about moving to a routing protocol setup like OSPF to accomplish the same thing as the Detect Server. Is this possible using OSPF with two point-2-point links that connect to the same two end points? Or does anyone have an alternative method?

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
rwpatterson
Valued Contributor III

You could advertise the default gateway from the colo FGT and that should populate the OSPF database throughout. Caution, you advertise all static routes or none, so if there are some you wish to remain hidden, that's not a great option.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ddskier

The interesting thing is that I have OSPF set to advertise the static routes, but the default Internet route isn't showing up. Here is the "Colo" OSPF config for my test Fortinet:

    # config router ospf
        config area
            edit 0.0.0.0
            next
        end
        config network
            edit 1
                set prefix 192.168.0.0 255.255.0.0
            next
        end
        config ospf-interface
            edit "OSPF1"
                set dead-interval 20
                set interface "port6"
                set network-type point-to-point
            next
            edit "OSPF2"
                set cost 250
                set dead-interval 20
                set interface "port8"
                set network-type point-to-point
            next
        end
        config redistribute "connected"
        end
        config redistribute "static"
            set status enable
            set metric 15
        end
        config redistribute "rip"
        end
        config redistribute "bgp"
        end
        config redistribute "isis"
        end
        set router-id 192.168.100.1
    end

Here are the static route configs:

    # config router static
        edit 1
            set device "port9"
            set gateway 172.16.1.129
            set weight 50
        next
        edit 3
            set device "port11"
            set distance 5
            set dst 10.10.0.0 255.255.0.0
            set gateway 172.16.4.1
            set weight 50
        next
        edit 5
            set device "ssl.root"
            set distance 8
            set dst 10.12.254.0 255.255.255.0
            set weight 50
        next
    end

Here is the output of the "Corp" Fortinet:

    # get router info routing-table ospf
    O E2 10.10.0.0/16 [110/15] via 192.168.100.1, port1, 00:00:34
    O E2 10.12.254.0/24 [110/15] via 192.168.100.1, port1, 00:00:34

Notice there isn't a default route. Any ideas?

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
ddskier

I figured out the issue with the default route. On the "Colo" firewall you need to add the following line to the OSPF config:

    set default-information-originate enable

Afterwards the OSPF routing table on the Corp firewall looked like the following:

    O*E2 0.0.0.0/0 [110/10] via 192.168.100.1, port1, 00:00:01
    O E2 10.10.0.0/16 [110/15] via 192.168.100.1, port1, 00:30:23
    O E2 10.12.254.0/24 [110/15] via 192.168.100.1, port1, 00:30:23

Thanks, everyone, for all your help with this!

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
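
An added example, not part of the original posts and not Fortinet code: a small Python audit that parses a FortiOS-style `config router ospf` block and flags the condition found above (static redistribution enabled, default route origination not), plus a helper that lists the prefixes in `get router info routing-table ospf` output so the result can be confirmed on the neighbor. The function names and the trimmed sample config are constructed for illustration.

```python
import re
import shlex

def parse_fortios(text):
    """FortiOS CLI text to nested dicts (config/edit open a scope, end/next close it)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip().lstrip("#"))
        if not tokens:
            continue
        word, args = tokens[0], tokens[1:]
        if word in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif word in ("end", "next") and len(stack) > 1:
            stack.pop()
        elif word == "set" and args:
            stack[-1][args[0]] = " ".join(args[1:])
    return root

def default_route_findings(cfg):
    """Flag the thread's symptom: statics redistributed, default not originated."""
    ospf = cfg.get("router ospf", {})
    redist = ospf.get("redistribute static", {}).get("status") == "enable"
    originate = ospf.get("default-information-originate", "disable")
    if redist and originate not in ("enable", "always"):
        return ["redistribute static is enabled without "
                "default-information-originate: no 0.0.0.0/0 in OSPF"]
    return []

def ospf_prefixes(route_output):
    """Prefixes from 'get router info routing-table ospf' lines (code O...)."""
    pattern = re.compile(r"\s*O\S*\s.*?(\d{1,3}(?:\.\d{1,3}){3}/\d+)")
    hits = (pattern.match(line) for line in route_output.splitlines())
    return [m.group(1) for m in hits if m]

# Constructed sample: the "Colo" config from the post, trimmed to the relevant lines.
COLO_BEFORE = """
config router ospf
    config redistribute "static"
        set status enable
    end
    set router-id 192.168.100.1
end
"""
FIX = "    set default-information-originate enable\n"
COLO_AFTER = COLO_BEFORE.replace("    set router-id", FIX + "    set router-id")
if __name__ == "__main__":
    print(default_route_findings(parse_fortios(COLO_BEFORE)))
```

Running `ospf_prefixes` over the Corp unit's routing-table output before and after the change shows whether `0.0.0.0/0` actually arrived.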
ddskier

Argh. I spoke too soon: the "set default-information-originate enable" option isn't available for IPv6 under MR2 Patch 11. I may have to open a ticket with Fortinet to figure out how to work around this issue, as the option is there under MR3.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
ddskier

Got it finally working. A static IPv6 route was screwing up the OSPF routes. Thanks everyone for your help.

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
ddskier

New question for you guys on the OSPF setup: I have OSPF up and running and everything is working great with failover from one line to the other. However, is there a way that I can use both lines simultaneously for different types of traffic? I was able to get both routes to show up in the routing table when I set the costs on the OSPF interfaces to exactly the same. Then I was able to direct which traffic should use a specific line via policy routes; however, I think the policy routes will break the failover, correct? Because the policy route will want to force the traffic down a specific interface even though the line is down. Any thoughts on how I can address this?

P.S. - Would IS-IS give me more flexibility?

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
rwpatterson
Valued Contributor III

I believe the policy routes are ignored if the interface is down.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com