hello all,
I've got a pair of FG-200B running v4.3.18 in A-P HA mode. Each cluster member is at a different location, HA links are across a dedicated line. On each site, there is one Cisco access router (19xx) in front of the FGT providing WAN access. These routers form a VRRP pair. (No VRRP for the FGTs as config sync is requested.)
Now, when the WAN line on one site closes down the routers fail over in about 15 s. But, as the link status of the FGT WAN port does not change, the FGTs do not fail over. So I configured a pingserver (gwdetect) on the FGT which is the next hop router.
That doesn't work as expected though. When one WAN line is down, the FGT still can reach the next hop router because the Ciscos have failed over, providing internet access across the HA link line. That's a catch22 I guess.
One solution would be that the router, when detecting it has to fail over, pulls its port to the FGT down. FGT would sense a link failure and fail over as well.
Question now is: how is that configured on a Cisco router? Is it common, or arcane? Or do you have other suggestions how to synchronize the VRRP failover with a HA failover?
Any input dearly appreciated.
I already had a feeling that was the main reason for VRRP, the WAN side of the routers. Maybe you can have a look at: https://supportforums.cisco.com/discussion/10794236/shut-interface-if-no-ping-response-using-ip-sla-...
They combine IP SLA tracking with an EEM script to bring an interface down. Pay extra attention to posts 2 and 3, if you want to use this it requires some editing for your environment.
Did you have any luck so far with this issue?
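The IP SLA tracking plus EEM pattern the linked Cisco thread describes, written out as an added illustration (this is not configuration from the original thread or from the linked post); the interface names, the probe address 203.0.113.1, and the track/applet numbers are assumptions.

```cisco
! Added example, not from the thread or the linked Cisco post: a sketch of the
! IP SLA + track + EEM pattern described above. Interface names, IP addresses
! and track/applet numbers are assumptions for illustration.
!
! Probe the ISP's directly connected next hop on the WAN interface. Because it is
! on-link only via Gi0/0, the probe fails when this site's WAN line is down even
! though the other router still provides a path across the DC interconnect.
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Track object that goes DOWN when the probe stops answering; the delay guards
! against a single lost ping flapping the LAN port.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! When the WAN probe fails, shut the interface facing the FortiGate so the
! FGT sees a real link-down on its WAN port and its HA cluster fails over.
event manager applet WAN-DOWN-SHUT-LAN
 event track 10 state down
 action 1.0 syslog msg "WAN probe failed: shutting Gi0/1 toward FortiGate"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface GigabitEthernet0/1"
 action 5.0 cli command "shutdown"
 action 6.0 cli command "end"
!
! Restore the LAN port once the WAN line is back (after the up delay above).
event manager applet WAN-UP-RESTORE-LAN
 event track 10 state up
 action 1.0 syslog msg "WAN probe restored: re-enabling Gi0/1 toward FortiGate"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface GigabitEthernet0/1"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "end"
```

The probe target must be something reachable only over the local WAN line (here the on-link ISP next hop), otherwise the same catch-22 as with the FGT pingserver reappears because the path across the DC interconnect keeps it reachable. The track delays should be tuned against the roughly 15 s VRRP failover so the FGT port is not pulled down by a transient loss.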
Not really, it still lingers for a solution.
On the Cisco side, EEM would be the means, event driven scripting. But, as the Cisco is managed by a big, world-wide ISP, they will probably reject the idea that they should implement this - "non-standard process". Unless my customer pays a lot of $$$. Technically, it looks like it's nothing overly complicated.
This leaves me with the scenario that I block anything but the HA and VRRP hello traffic across the dedicated line between the DCs. Either with a hardware FGT in Transparent mode, or a VDOM on one of the FGTs. Or I will have to think about a symmetrical solution with 2 VDOMs, one on each FGT.
Haven't made up my mind yet, but I will keep you posted.
Have you had any help in CISCO forums?
You do know this was posted over 2 years ago ;)
PCNSE
NSE
StrongSwan
Yet...still unsolved!
It's a shame, and unnecessary as well. Pulling the internal link down in the event of failover would be easy and reasonable. The ISP just doesn't move a finger to solve this.
After such a long time, my customer is planning to reunite the cluster units in one place, that is, change a whole bit. I still feel the scenario (HA cluster with external VRRP routers in front) is not that extraordinary. I would like to solve this but any solution has to be on the FGT side only.
Thanks for keeping an eye on this, anyway. Anybody else running this setup?