Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
asingh07
New Contributor

Created on ‎03-08-2024 07:16 AM

VRRP ISSUE

I am having problem with VRRP configuration between two fortigate firewall. if i ping towards VIP in vrrp from another vlan and it sends toward bakup interface of vrrp then I dont see response coming back. Anyone aware of this issue and how to rectify this.

Labels:
665
0 Kudos
13 REPLIES 13
AEK
SuperUser
SuperUser

Created on ‎03-08-2024 08:22 AM

Hi

Is the VIP in the same subnet as the physical IP?

Can you share your vrrp config?

AEK
AEK
505
asingh07
New Contributor

Created on ‎03-08-2024 09:04 AM

Yes VIP is in the same subnet as the physical IP

 

501
0 Kudos
AEK
SuperUser
SuperUser
In response to asingh07

Created on ‎03-08-2024 12:12 PM Edited on ‎03-08-2024 12:12 PM

If the source and destination VLANs are separated by the firewall you need a firewall policy to allow this traffic.

AEK
AEK
482
asingh07
New Contributor

Created on ‎03-08-2024 12:28 PM Edited on ‎03-08-2024 12:30 PM

Firewall Policies are also created between both vlans. I can see in logs that traffic is going through that policy and it is not getting denied. But it show that traffic sent 50B/0 but 0 in received bytes. This is not the problem for primary FWA but only the FWB which has VRRP backup interface.

479
0 Kudos
AEK
SuperUser
SuperUser
In response to asingh07

Created on ‎03-08-2024 12:38 PM

If I understand well, the traffic is coming from firewall A while the VRRP VIP (primary) is on firewall B? If this is the case then what do you see on firewall B when you sniff traffic while pinging?

diag sniffer packet any 'host x.x.x.x' 4

Otherwise can you elaborate more?

AEK
AEK
477
asingh07
New Contributor

Created on ‎03-08-2024 12:54 PM

No VRRP VIP primary is on Firewall A and Secondary is on Firewall B

 

475
0 Kudos
AEK
SuperUser
SuperUser
In response to asingh07

Created on ‎03-08-2024 09:41 PM

Try this on both firewalls while pinging:

diagnose debug flow filter addr x.x.x.x

diagnose debug flow filter proto 1

diagnose debug flow show function-name enabled 

diagnose debug flow show ipprobe enabled

diagnose debug flow trace start 100

diagnose debug flow enabled

AEK
AEK
445
Toshi_Esumi
SuperUser
SuperUser
In response to asingh07

Created on ‎03-10-2024 06:16 AM

You need to draw a good diagram including the interface with VRRP as well as the source VLAN with two routers(FGTs). If the VLAN interface(IP) exists on both FGTs and the souce devices on the VLAN is physically connected to the FGT-B, the ping packet would go like below:

source device->coming in FGT-B's VLAN interface->going out from FGT-B's VRRP interface(backup)
  -> coming in FGT-A's VRRP interface(primary) and hit the VRRP IP

then returning packets are trying to go out via FGT-A's VLAN interface, which would be dropped because returning interface is different from the coming-in interface; Reverse patch check, fail.

 

There is no good way to fix if the settings are done in that way, other than removing the VLAN from one of those two FGTs.

 

Toshi

410
asingh07
New Contributor
In response to Toshi_Esumi

Created on ‎03-18-2024 07:01 AM

your reply makes sense to me. I guess that is what exactly happening and you right about that packet is dropped because of different returning interface. Is there a way to fix this issue or any suggestions to change in settings for this to work.

332
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.