Hello everybody,
I hope you'll be able to help me resolve an issue with FWB in True Transparent Proxy (TTP) mode deployed on VMware vSphere 5.5. Firmware version: 5.37-FW-build0478. This is a new installation.
I've deployed the FWB as instructed in the VM deployment guide (http://docs.fortinet.com/d/fortiweb-5-3-5-vm-install-guide). This is the diagram:
The problem is, my Web Server is loosing connectivity. At first, the pings were failing sporadically, but then after a while - they simply stopped. Then they are successful again for a while and disappear again randomly - much like flopping.
When I connect the Web Server to the Prom port group, the connectivity is stable, but as soon as I put it back on the Prom_internal, it starts causing problems again. As you can see, port2 and port3 are joined in the bridge, so I really don't see how the FWB could be problematic in this case.
My guess is that the problem is in the NIC teaming. There are two VMNICs on the vSwitch0, 'Route based on the originating virtual port ID' is selected for Load Balancing, and they are both Active Adapters. Physical switches (Switch [strike]2[/strike]1 and Switch 2) are independent (not in a cluster).
But, I really do not understand what exactly is causing this problem. I tried changing the Load Balancing method to MAC hash and Explicit Failover - did not work. I even tried changing the Failover Order, leaving only one VMNIC as active adapter and putting the other as Standby - did not work.
I'm really baffled by this. Especially because the exact same FWB configuration - when restored in my lab environment - works like a charm. My lab environment differs from the production only in that my ESXi hosts have only 1 NIC active, so there's no NIC teaming and Load Balancing. Off course, there is also only one physical switch (CBS) to which all my ESXi hosts connect.
UPDATE: I determined that it is definitively caused by redundant physical links, but I don't understand why. When there's only one VMNIC on the vSpwitch0, everything works OK. As soon as I add one more VMNIC, everything just breaks.
I've tried again changing the Load Balancing mode and Failover Order, moving the secondary VMNIC all the way down to Unused Adapters - it's not helping. The only way to make it work is to remove redundant VMNICs from the vSwithc itself.
Anyone has any ideas?
This is a screenshot of the situation when only one VMNIC is attached to the vSwith0 (as illustrated on the diagram, please ignore the vSwitch name on the scrrenshot).
As you can see here, as soon as I add one more VMNIC to vSwitch0, the PING to the Web Server stops.
Any ideas? I don't think it is some new bug, I've tried with the firmware version 5.4.2 (actually depicted on the screenshots above) as well as the GA.
