Hi all,
You can see the network diagram.
I found out that active failover is not working when I do VRRP with a FortiGate appliance (60F) and an H3C router.
On the FortiGate (Master):
config system interface
    edit port1
        config vrrp
            edit 1
                set vrip 192.168.1.1
                set priority 255
                set vrdst 8.8.8.8
                set vrdst-priority 10
            next
        end
    next
end
I heard this feature only works on 2 FortiGates forming VRRP, but I proved it fails too in my lab with 2 FortiGate appliances.
So, has anyone tried the active failover and succeeded before?
Please help.
I don't remember well when I was testing this years ago and decided not to use it. But VRRP's vrdst setting doesn't cause the FGT to ping the destination. It monitors the route to the destination instead. I'm not sure if it's specified in the RFC. The KB below uses a blackhole route but needs the interface (VPN) to go down. I would suggest you try combining a link-monitor to take the static routes down, including the default route.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD44632
Thanks, Toshi.
In fact, I am using link monitor currently in my production environment as a workaround (either remove the default route or bring down the VRRP master's participating interface).
I have never seen the document you put before, thank you. I feel that the active failover is bugged when the vrdst IP address is using the default route and Fortinet couldn't care less.
I tried contacting their TAC but you already know what they said.
Hope this post can help others who are looking for a VRRP active failover troubleshooting solution.
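An added example (not config from the original post or from Fortinet) of the link-monitor workaround that both replies describe: a ping probe out of the WAN interface that, on failure, withdraws the static routes using that gateway, so the FortiGate loses its route to vrdst and VRRP drops the master's priority to vrdst-priority. It assumes the WAN interface is named wan1 and that 203.0.113.1 is a placeholder upstream gateway; the VRRP block reuses the original post's values.

```fortios
# Added example, not from the original post. wan1 and 203.0.113.1 are
# assumed placeholders; replace them with the real WAN interface and next hop.
config system link-monitor
    edit "wan-probe"
        set srcintf "wan1"
        # Probe the same target as vrdst so both mechanisms agree on "reachable".
        set server "8.8.8.8"
        # Next hop used by the default route (placeholder).
        set gateway-ip 203.0.113.1
        set protocol ping
        # Consecutive lost / successful probes before failure and recovery.
        set failtime 3
        set recoverytime 5
        # On failure, withdraw static routes that use this gateway.
        set update-static-route enable
    next
end

# Default route the link monitor withdraws when the probe fails.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
end

# VRRP on the LAN side, as in the original post. Once the default route is
# gone there is no route to 8.8.8.8, so priority falls from 255 to 10 and a
# backup router with a priority above 10 (for example 100) takes over.
config system interface
    edit "port1"
        config vrrp
            edit 1
                set vrip 192.168.1.1
                set priority 255
                set vrdst 8.8.8.8
                set vrdst-priority 10
            next
        end
    next
end
```

Check the result with `get router info routing-table all` (the default route should disappear while the probe is failing) and `get router info vrrp` (priority should show 10 on the master during the failure).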
Copyright 2024 Fortinet, Inc. All Rights Reserved.