We are looking to configure VRRP between 2 FG200E devices in standalone with the interface tracking options.
So that when for example the public facing interface goes down and the other FG200E the inside interface will follow.
We tried already with vrgrp and vrdst to make it work but so far its not working. (fw are configured using serveral VDOMs running 5.6.2)
First question, is this even possible on the 200Es? If yes how should it be configured so that both interface outside/inside will become active on the same device when either one of the 2 fails on the active device.
Thanks for having a look at it!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
As long as those are individual interface, like port1, port2,..., VRRP should work throughout FG models. What do you get with "get router info vrrp" on both sides?
Individual interfaces only? we have a Portchannel configured connecting to a stacked switch using subinterfaces for inside and outside subnets, using layer 2 seperation on the stacked switch.
So it could be thats not working in combination with PortChannels.
Interfaces below are subinterfaces.
Output of get router info vrrp:
Interface: Extranet-Inside, primary IP address: 10.10.10.19 UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 1 HA mode: master (2:2) VRID: 2 vrip: 10.10.10.18, priority: 255 (255,10), state: MASTER adv_interval: 1, preempt: 1, start_time: 3 vrmac: 00:00:5e:00:01:02 vrdst: 10.10.10.21 vrgrp: 1 Interface: Extranet-Outside, primary IP address: 74.159.41.2 UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 1 HA mode: master (2:2) VRID: 1 vrip: 74.159.41.1, priority: 255 (255,10), state: MASTER adv_interval: 1, preempt: 1, start_time: 3 vrmac: 00:00:5e:00:01:01 vrdst: 8.8.8.8 vrgrp: 1
Other fw1
Interface: Ext-Inside-Po2, primary IP address: 10.10.10.20 UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0 HA mode: master (1:2) VRID: 2 vrip: 10.149.148.18, priority: 75 (75,0), state: BACKUP adv_interval: 1, preempt: 1, start_time: 3 vrmac: 00:00:5e:00:01:02 vrdst: 10.10.10.21 vrgrp: 1 Interface: Extr-Out-Po2, primary IP address: 74.159.41.3 UseVMAC: 1, SoftSW: 0, BrPortIdx: 0, PromiscCount: 0 HA mode: master (1:2) VRID: 1 vrip: 74.159.41.1, priority: 75 (75,0), state: BACKUP adv_interval: 1, preempt: 1, start_time: 3 vrmac: 00:00:5e:00:01:01 vrdst: vrgrp: 1
Thanks for having a look at it!
I haven't tried portchannel/LAG myself but it looks working based on the output. The first one is MASTER w/ priority 255, then the second one is BACKUP w/ priority 75. So traffic doesn't come in and flow through the first FG200E?
Traffic is arriving and being sent by the first FG200E, the problem is that when there is an issue on the outside interface for example on FG200E and VRRP is failing over successfully on the outside interface to the second FG200E. But the inside VRRP Master will be still on the first FG200E. So inside is not following the outside interface. Which is causing an issue in this design. I have tried with vrgrp and so but that doesnt seems to work very well.
Thanks for having a look at it.
Hi Kabuto,
to get the desired result of a syncronized failover of both side of VRRP I would try to use a combination of link-monitor for outside path availability end second vrdst (cli only):
link-monitor with "set update-static-route enabled" "set update-cascade-interface enabled" for outside 0/0 throght interface GW "outside" VRRP with vrdst tracking both GW and "google-keepalive" "inside" VRRP with vrdst tracking [strike]both[/strike] GW [strike]and "inside-keepalive" [/strike]
edited: (I've had the chance to verify since I was under the impression that both vrdst counted as a logical OR to the VRRP state but I was recalling wrongly..it's a logical AND so both have to fail to change state to backup!!)
The lack of support for "advanced object traking" and/or IP SLA in general is felt.
Regards,
Antonio
If I wanted to move traffic completely over the other device when only one interface goes down on the original device, I would set up HA between two and set all those interfaces to be monitored.
That is indeed an option but we cant run it in our design/environment, we have several VDOMS running where we have 1 vdom requirement that pushes it in standalone mode. If we configure it with HA (A/S or A/A) it wil be enabled on all VDOMs and will are running into issues into the other VDOMs.
Plus if it fails over for one VDOM in HA it will/might impact other vdoms within the same vcluster which is not desired.
So that is not really an options at the moment.
But Thanks for the suggestion!
Hi Antonio,
I will give that a try and let you know the outcome!
Thanks for the tips
Regards
K.
Whatever works for you that would be a solution for you. We have multiple HA clusters with multi-vdom environment. It works quite well. VRRP standard's original scope was to protect operation from an interface failure. It's not designed to protect from equipment failure. Just keep it in mind.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.