VRRP ISSUE
I am having a problem with the VRRP configuration between two FortiGate firewalls. If I ping the VRRP VIP from another VLAN and the traffic is sent towards the backup interface of the VRRP group, I don't see the response coming back. Is anyone aware of this issue and how to rectify it?
Labels: FortiGate
Hi
Is the VIP in the same subnet as the physical IP?
Can you share your vrrp config?
Yes, the VIP is in the same subnet as the physical IP.
Created on 03-08-2024 12:12 PM Edited on 03-08-2024 12:12 PM
If the source and destination VLANs are separated by the firewall, you need a firewall policy to allow this traffic.
Firewall policies are also created between both VLANs. I can see in the logs that the traffic is going through that policy and it is not getting denied. But it shows the traffic as 50B sent / 0 received, i.e. 0 in received bytes. This is not a problem for the primary FWA, but only for FWB, which has the VRRP backup interface.
If I understand correctly, the traffic is coming from firewall A while the VRRP VIP (primary) is on firewall B? If this is the case, what do you see on firewall B when you sniff traffic while pinging?
diag sniffer packet any 'host x.x.x.x' 4
Otherwise, can you elaborate more?
No, the VRRP VIP primary is on Firewall A and the secondary is on Firewall B.
Try this on both firewalls while pinging:
diagnose debug flow filter addr x.x.x.x
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 100
diagnose debug enable
You need to draw a good diagram including the interface with VRRP as well as the source VLAN with the two routers (FGTs). If the VLAN interface (IP) exists on both FGTs and the source device on the VLAN is physically connected to FGT-B, the ping packet would go like below:
source device -> coming in on FGT-B's VLAN interface -> going out from FGT-B's VRRP interface (backup)
-> coming in on FGT-A's VRRP interface (primary) and hitting the VRRP IP
Then the returning packets try to go out via FGT-A's VLAN interface, which would be dropped because the returning interface is different from the incoming interface: reverse path check fails.
There is no good way to fix this if the settings are done that way, other than removing the VLAN from one of those two FGTs.
Toshi
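The path Toshi describes, modelled as a small route-lookup simulation. This is an added example, not code from Fortinet or from anyone in the thread; the addresses, interface names (vlan10, vrrp) and the static route that FGT-A uses to reach the VLAN once it is removed from it are assumptions made for the illustration. It shows the reply failing the reverse path check when the VLAN exists on both FortiGates, and passing once the VLAN lives only on FGT-B.

```python
"""Model of the VRRP/VLAN asymmetric-return path from this thread (constructed example).
FGT-A is VRRP primary and FGT-B backup on 10.20.1.0/24 (VIP 10.20.1.1); source VLAN
10.10.1.0/24 exists on both FortiGates and host 10.10.1.50 hangs off FGT-B. All values
are invented for the illustration."""
import ipaddress as ipa

VIP, SRC = ipa.ip_address("10.20.1.1"), ipa.ip_address("10.10.1.50")
VRRP_NET, VLAN_NET = "10.20.1.0/24", "10.10.1.0/24"

def make_fgt(name, role, connected, static=()):
    """connected: iface -> attached prefix; static: (egress iface, prefix) pairs."""
    return {"name": name, "role": role,
            "connected": {i: ipa.ip_network(n) for i, n in connected.items()},
            "static": [(i, ipa.ip_network(n)) for i, n in static]}

def egress(fgt, dst):
    """Route lookup: connected prefixes first, then static routes; None if no route."""
    for iface, net in list(fgt["connected"].items()) + fgt["static"]:
        if dst in net:
            return iface
    return None

def ping_vip(src_fgt, vip_owner):
    """Follow an echo request from the source VLAN to the VIP, then the reply back."""
    assert vip_owner["role"] == "primary", "only the VRRP primary answers the VIP"
    # Request: src_fgt (backup) routes it onto the VRRP subnet; the primary answers,
    # so it arrives on vip_owner's VRRP interface and the session is created there.
    if egress(src_fgt, VIP) != "vrrp":
        return "request never reaches the VRRP subnet"
    session_ingress = "vrrp"
    # Reply must leave through the interface the session was created on; any other
    # route back fails the reverse path check and is dropped (Toshi's diagnosis).
    reply_iface = egress(vip_owner, SRC)
    if reply_iface != session_ingress:
        return f"drop: reply leaves {vip_owner['name']} via {reply_iface}, not {session_ingress}"
    return "reply delivered"

def broken_setup():
    """VLAN 10 defined on both FortiGates, as in the thread."""
    b = make_fgt("FGT-B", "backup", {"vlan10": VLAN_NET, "vrrp": VRRP_NET})
    a = make_fgt("FGT-A", "primary", {"vlan10": VLAN_NET, "vrrp": VRRP_NET})
    return ping_vip(b, a)

def fixed_setup():
    """VLAN 10 removed from FGT-A, which instead reaches it through a static route
    out its VRRP interface (assumed next hop: FGT-B's address on that subnet)."""
    b = make_fgt("FGT-B", "backup", {"vlan10": VLAN_NET, "vrrp": VRRP_NET})
    a = make_fgt("FGT-A", "primary", {"vrrp": VRRP_NET}, static=[("vrrp", VLAN_NET)])
    return ping_vip(b, a)
```

Calling broken_setup() reproduces the drop on FGT-A; fixed_setup() returns the reply on the same interface the session entered.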
Your reply makes sense to me. I guess that is exactly what is happening, and you are right that the packet is dropped because of the different returning interface. Is there a way to fix this issue, or any suggestions on what to change in the settings for this to work?