hi all
we have an issue with two Fortinet firewalls in production mode (Fortinet A and Fortinet B).
We followed these manuals:
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-high-availability/HA_VRRPFailover.ht...
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-high-availability/HA_VRRPEx1.htm
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-high-availability/HA_VRRPEx2.htm
and configuring priority 255 in both routers (Fortinet A and Fortinet B) leads to a split-brain situation. Can someone please help us with this issue and explain why this behavior occurs?
Priority should not be set the same for both nodes, try to change the priority of the secondary to a lower value like 100.
hi, thanks for your quick answer. We already tried.
Setting priority to 100 in both nodes: NO split-brain situation.
Fortinet A --> Priority 100
Fortinet B --> Priority 100
=
No split-brain
Why I don't get the same behavior with priority 255?
It should be related to the preempt logic; the node that has 255 will not give up the role.
I think it's mentioned here: VRRP routers backing up a virtual router MUST use priority values between 1-254 (decimal).
ok. So in FortiOS the definition of preempt is when I manually configure priority=255 via CLI; is that right?
In this case, what's the utility of the "preempt" option in FortiOS?
I suggest you remove the "preempt" option from FortiOS and just allow users to configure priority=255 via CLI; this should be clearer and not lead to the problems/misunderstanding we have had.
No, I think that "priority 255" is treated the same by all the vendors that use standard VRRP. You can still configure preempt as shown in the guide (I may have chosen the wrong word to describe the logic); this should be related to the Master election.
A node that has 255 will always think that it is the master. If both routers have the same priority (other than 255), an election is triggered and a master is chosen; the losing node will accept the result :)
hi, I mostly agree with you - other than the word "loosing", I don't know what it means.
>> No, I think that "priority 255" is treated the same for all the vendors that use standard VRRP.
I don't know how other vendors treat the VRRP protocol implementation or the Primary election, but I was not aware that 255 has a different meaning for FortiOS.
For the moment I will not mark this post as "Solved"; before that, I will try your suggestion with one FortiOS router and a Cisco. VRRP is an interop protocol, so it must work in the same manner.
Created on 07-05-2024 02:14 PM Edited on 07-05-2024 02:16 PM
Based on RFC 5798, priority value 255 and 0 are reserved.
https://datatracker.ietf.org/doc/html/rfc5798
Priority Priority value to be used by this VRRP router in Master election for this virtual router. The value of 255 (decimal) is reserved for the router that owns the IPvX address associated with the virtual router. The value of 0 (zero) is reserved for the Master router to indicate it is releasing responsibility for the virtual router. The range 1-254 (decimal) is available for VRRP routers backing up the virtual router. Higher values indicate higher priorities. The default value is 100 (decimal).
Cisco's doc says below:
"If a VRRP router owns the virtual IP address and the IP address of the physical interface, this router functions as the primary. The priority of the primary is 255"
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/unicast/configuration/gui...
So if one of the member routers has priority 255, the others can't have the same 255. I never knew about this spec until now (for the last 20 years).
You'd better not use 255 but stick to the 1-254 range.
Toshi
>> So if one of member routers have priority 255, the others can't have the same 255.
How does FortiOS prevent this situation?
In this case it should be treated as a misconfiguration, and since both nodes are configured separately, it can't be prevented. If the design doesn't need this "always primary/master" feature, then it should not be configured with priority 255.
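As an added illustration (not code from this thread, from Fortinet, or from the RFC): a small Python model of the election rules quoted above from RFC 5798, with the thread's described behaviour of a priority-255 node (it treats itself as the address owner and never yields) written in as a labelled assumption, plus the pre-deployment check that flags two nodes at 255 since the devices themselves cannot. Router names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address

OWNER_PRIORITY = 255    # RFC 5798: reserved for the router that owns the virtual IP
RELEASE_PRIORITY = 0    # RFC 5798: reserved for a Master releasing the virtual router

@dataclass
class Router:
    name: str
    ip: str        # primary interface address, the RFC tie-breaker on equal priority
    priority: int

def beats(a: Router, b: Router) -> bool:
    """RFC 5798 election between backup routers (priorities 1-254):
    higher priority wins; on a tie, the higher primary IP address wins."""
    if a.priority != b.priority:
        return a.priority > b.priority
    return ip_address(a.ip) > ip_address(b.ip)

def claimed_masters(routers: list[Router]) -> list[str]:
    """Names of every router that ends up asserting the Master role.
    Assumption (models the behaviour described in the thread, not the RFC state
    machine verbatim): a router at 255 considers itself the address owner and
    never yields to an advertisement, so two such routers both stay Master,
    i.e. split brain. Routers in 1-254 run the normal election."""
    owners = [r for r in routers if r.priority == OWNER_PRIORITY]
    if owners:
        return [r.name for r in owners]
    winner = routers[0]
    for r in routers[1:]:
        if beats(r, winner):
            winner = r
    return [winner.name]

def config_errors(routers: list[Router]) -> list[str]:
    """Offline check of the intended VRRP priorities before they are pushed."""
    errors = []
    for r in routers:
        if not 0 <= r.priority <= 255:
            errors.append(f"{r.name}: priority {r.priority} outside 0-255")
        elif r.priority == RELEASE_PRIORITY:
            errors.append(f"{r.name}: priority 0 is reserved for Master release")
    owners = [r.name for r in routers if r.priority == OWNER_PRIORITY]
    if len(owners) > 1:
        errors.append(f"priority 255 on more than one router ({', '.join(owners)}): "
                      "only the address owner may use 255; expect split brain")
    return errors

if __name__ == "__main__":
    a = Router("Fortinet A", "10.0.0.1", 255)   # constructed sample config
    b = Router("Fortinet B", "10.0.0.2", 255)
    print(claimed_masters([a, b]), config_errors([a, b]))
```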