Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

vrrp between fortinet

Hello Guys,

a question: I have two fortinet working in VRRP each fortinet is connected to different switch trunked with lacp. The configuration of two firewall is fine but they are at the same time master . They exchange some messages between them (protocol 112) but nothing they remain master both. I tried to ping from one switch the physical ip address of the other but nothing . From each switch we can see only the virtual IP that is the virtual ip of the local firewall . The switches are trunked well.

I wonder if It is mandatory to use with VRRP proxy-arp configuration because I  suspect that arp do not resolve the physical IP of the firewalls connected to the other switch.


switch 1 connected to firewall 1

switch 2 connected to firewall 2

switch 1 and switch 2 trunked 

I checked with get info router vrrp of both everything is fine but do not resolve the arbitrage who is master who is slave, probably because they do not see each other due to some arp problem. 

What is the role of proxy-arp in vrrp in this case they can work without?





2 Solutions

OK it looks like RCC_LAN is a VLAN interface. Can you confirm by doing " show full system interface RCC_LAN | grep type". 


If so, this VLAN interface needs to be attached to a physical interface, such as the redundant interface. 


Can you shed more light on any of the other interfaces on the FortiGate? Is there more L3 interfaces between FGT and SW? What is the nature of the "trunk" interface between the FortiGates? How does it work and how is it connected?


Now, with that said, you probably do not need the VLAN interface unless you need trunking with tagged VLAN access to a downstream switch. Given what I see here there is no tagged traffic between the FGT and the switch. If RCC_LAN is the only L3 interface on the FGT, then I suggest moving the IP configuration, including VRRP, into the Redundant interface config. Or, at the very least, assigning the RCC_LAN interface to the "SW1-SW2" interface. 


config system interface
  edit RCC_LAN
    set interface "SW1-SW2"

Given your use case, I would suggest leveraging FortiGate HA with SD-WAN to satisfy your requirements.


With FortiGates in HA, you only have one configuration to manage. With SD-WAN you can put both your WAN interfaces (and GRE tunnels) into SD-WAN interface and do your load balancing/failover using SD-WAN. There would be no duplication of multicast traffic as there is only one logical device on the network.


View solution in original post


HA a-p (and a-a) both do configuration sync. So you cannot have different configurations between the firewalls.


View solution in original post


Hello Graham, how are you?

I send a section of switch 1 


# Module vlan configuration.
configure vlan default delete ports all
configure vr VR-Default delete ports 1-34
configure vr VR-Default add ports 1-34
configure vlan default delete ports 1-34
create vlan "ISC"
configure vlan ISC tag 3000
create vlan "OPERATIVEDATA"
configure vlan OPERATIVEDATA tag 101

configure ports 29 auto off speed 10000 duplex full
configure ports 30 auto off speed 10000 duplex full
configure ports 31 auto off speed 10000 duplex full
configure ports 32 auto off speed 10000 duplex full

enable sharing 29 grouping 29,30 algorithm address-based L3_L4 lacp
configure vlan ISC add ports 29 tagged
configure vlan OPERATIVEDATA add ports 27-29 tagged
configure vlan OPERATIVEDATA add ports 1-26 untagged
configure vlan ISC ipaddress
configure vlan OPERATIVEDATA ipaddress

# Module mcmgr configuration.
configure igmp snooping vlan "OPERATIVEDATA" ports 27 add static router
configure igmp snooping vlan "OPERATIVEDATA" ports 28 add static router
configure igmp snooping vlan "OPERATIVEDATA" ports 29 add static router
this is a section of switch 1 configuration
consider that 27-28 are the ports connected to the redundant port 1 and 2 of firewall
29 is the main trunk that with 30 compose the trunk lacp

the other switch2 is equal to this with the same VLAN 101 and with different IP address instead of the ip
the ports with firewall are tagged (why?)


Best Regards, pierluigi


In your Diagram, the firewalls are connected to both switches. But in your description a couple of times you mention FW1 connects to SW1 only and vice versa for FW2/SW2. Can you clarify which way it is?


I confirm the diagram :

FW1: port 1 (active) connected to sw1 port 27 and port 2 (backup) connected to sw2 port 27

FW2 port 2 (active) connected to sw2 port 28 and port 1 (backup) connected to sw1 port 28

port 29-30 SW1 connected to port 29-30 SW2 -----> trunk


OK and you mention from FW1 you cannot ping FW2? i.e. FW1: execute ping


What does arp look like? On FW1 please do "diagnose ip arp list"


yes from sw2 I cant ping and from sw1 I cant ping but all the other server or console located in the opposite switch yes, its only a problem with the  firewall in this configuration vrrp and this avoid to be connected together to establish the right role master backup.

if I remove the cable (active) from fw2 to sw2  the backup cable connecting with sw1 become active and reach finally  fw2 ( but this is clear because finally the fw1 and fw2 will connected on the same switch and able to exchange the vrrp messages. In short if the active port of two firewall are in the same switch all run and not when are located on different switch.

But it is not a problem of sw trunk because the normal pc server and console see each other from any switches . If I remove vrrp I m sure that I can see the fws from any switch.  it seems that arp on one switch address only the local fw not only for the virtual ip but also for physical ip of the other fw2 located on the other switch. tomorrow I will try you command



I wonder if it has to do with the trunk between the firewalls. Can you also show output of "show iparp" from your switches?


Hello Graham,

sorry I made mistake because from the switches the firewall ip address (  are visible and ping each other so switches are ok, 

but what do you expect from "diagnose ip arp list" command ? from internal firewall with this command I do not  see VLAN address . (redundant Port 1 and Port 2 under VLAN haven't a IP address).

and firewall continue to be master both, only if both fw in the same switch everything run ok one master one slave.

Probably if i remove the redundant capability do the fw start to run correctly?

have a woderful day 


Yes from 'diagnose ip arp list' you should see the other Firewall's IP address. Do you see any IP addresses from 10.140.1.X network in Firewall IP ARP Table?


Can you show output of 'diagnose netlink redundant name SW1-SW2' from both firewalls?


Can you also show the output of 'show system interface <FW_TRUNK>' where FW_TRUNK is the name of the interface that connects the two firewalls together?


sure Graham tomorrow i will send all info.

only to reply the info collected unitl now

1) yes I sow all the other address 10.140.1.x with your command

2) the port 17-18 of of firewall are connected together but not configured, in the conf file they are defined as type physical but not any other conf. Tomorrow i will apply diagnose for all your open requests.

In the worst case I could configure the  firewall in HA active-backup and remove VRRP but let me to send you the info required.

thanks and nice evening


Hello Graham, how are you? I am using now the HA, a-p between two firewall with two different configuration. In the HA active-active instead the  firewall should have same configuration ?


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors