A question: I have two Fortinets working in VRRP; each Fortinet is connected to a different switch, trunked with LACP. The configuration of the two firewalls is fine, but they are master at the same time. They exchange some messages between them 22.214.171.124 (protocol 112), but nothing: they both remain master. I tried to ping the physical IP address of the other firewall from one switch, but nothing. From each switch we can see only the virtual IP, which is the virtual IP of the local firewall. The switches are trunked well.
I wonder if it is mandatory to use a proxy-ARP configuration with VRRP, because I suspect that ARP does not resolve the physical IP of the firewalls connected to the other switch.
switch 1 connected to firewall 1
switch 2 connected to firewall 2
switch 1 and switch 2 trunked
I checked with "get info router vrrp" on both; everything is fine, but it does not resolve the arbitration of who is master and who is slave, probably because they do not see each other due to some ARP problem.
What is the role of proxy-ARP in VRRP in this case? Can they work without it?
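To make the "protocol 112 messages" concrete: a VRRP master is the only router that sends advertisements (to multicast 224.0.0.18, IP protocol 112), so if two different source addresses keep advertising the same VRID, both boxes believe they are master, which is exactly the split-brain described above. The following is an added example, not code from this thread or from Fortinet: it builds and parses VRRPv2 advertisements per RFC 3768 (including the one's-complement checksum) and flags duplicate masters from a list of observed packets. The sample observations are constructed; the source addresses 10.140.1.132/.133 come from the thread, while VRID 1, priority 100 and the virtual IP 10.140.1.131 are assumed.

```python
import struct
import ipaddress
from collections import defaultdict

VRRP_PROTO = 112            # IP protocol number carrying VRRP
VRRP_MCAST = "224.0.0.18"   # VRRPv2 advertisement destination (RFC 3768)


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, as used by VRRPv2."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid: int, priority: int, vips, adver_int: int = 1) -> bytes:
    """Construct a VRRPv2 ADVERTISEMENT (version 2, type 1, no authentication)."""
    ips = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    # version/type, VRID, priority, count IPs, auth type, advert interval, checksum placeholder
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, adver_int, 0)
    body = hdr + ips + b"\x00" * 8           # 8 bytes of (unused) auth data
    csum = ones_complement_sum(body)
    return body[:6] + struct.pack("!H", csum) + body[8:]


def parse_advert(pkt: bytes) -> dict:
    """Parse and validate a VRRPv2 advertisement; raises ValueError on malformed input."""
    if len(pkt) < 8:
        raise ValueError("short VRRP message")
    vt, vrid, prio, count, auth, adver_int, csum = struct.unpack("!BBBBBBH", pkt[:8])
    version, mtype = vt >> 4, vt & 0x0F
    if version != 2 or mtype != 1:
        raise ValueError(f"unsupported VRRP version/type {version}/{mtype}")
    expected_len = 8 + 4 * count + 8
    if len(pkt) < expected_len:
        raise ValueError("truncated VRRP message")
    # Recompute the checksum with the checksum field zeroed.
    if ones_complement_sum(pkt[:6] + b"\x00\x00" + pkt[8:expected_len]) != csum:
        raise ValueError("bad VRRP checksum")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int, "vips": vips}


def find_duplicate_masters(observations) -> dict:
    """observations: iterable of (source_ip, vrrp_bytes) seen on the LAN.

    Only a master sends advertisements (priority 0 means a master is releasing
    the role), so more than one source per VRID means two masters.
    """
    advertisers = defaultdict(set)
    for src, pkt in observations:
        adv = parse_advert(pkt)
        if adv["priority"] != 0:
            advertisers[adv["vrid"]].add(src)
    return {vrid: sorted(srcs) for vrid, srcs in advertisers.items() if len(srcs) > 1}


def sample_observations():
    """Constructed capture: both firewalls advertising VRID 1, plus a healthy VRID 2."""
    vip = "10.140.1.131"     # assumed virtual IP for the example
    return [
        ("10.140.1.132", build_advert(1, 100, [vip])),   # fw1 believes it is master
        ("10.140.1.133", build_advert(1, 100, [vip])),   # fw2 also believes it is master
        ("10.140.1.132", build_advert(1, 100, [vip])),
        ("10.140.1.133", build_advert(2, 100, ["10.140.1.140"])),  # assumed second VRID, single master
    ]


def split_brain_report() -> dict:
    return find_duplicate_masters(sample_observations())


if __name__ == "__main__":
    for vrid, sources in split_brain_report().items():
        print(f"VRID {vrid}: multiple masters advertising from {sources}")
```

In the situation described in the post, a capture on either switch would show only the local firewall advertising, which is the real symptom: the two masters never receive each other's advertisements, so the priority comparison that elects a single master never happens. Running this check over captures taken on both switches, rather than on one, is what reveals the duplicate.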
OK, it looks like RCC_LAN is a VLAN interface. Can you confirm by doing "show full system interface RCC_LAN | grep type"?
If so, this VLAN interface needs to be attached to a physical interface, such as the redundant interface.
Can you shed more light on any of the other interfaces on the FortiGate? Are there more L3 interfaces between the FGT and the SW? What is the nature of the "trunk" interface between the FortiGates? How does it work and how is it connected?
Now, with that said, you probably do not need the VLAN interface unless you need trunking with tagged VLAN access to a downstream switch. Given what I see here there is no tagged traffic between the FGT and the switch. If RCC_LAN is the only L3 interface on the FGT, then I suggest moving the IP configuration, including VRRP, into the Redundant interface config. Or, at the very least, assigning the RCC_LAN interface to the "SW1-SW2" interface.
config system interface
    edit RCC_LAN
        set interface "SW1-SW2"
end
Given your use case, I would suggest leveraging FortiGate HA with SD-WAN to satisfy your requirements.
With FortiGates in HA, you only have one configuration to manage. With SD-WAN you can put both your WAN interfaces (and GRE tunnels) into the SD-WAN interface and do your load balancing/failover using SD-WAN. There would be no duplication of multicast traffic as there is only one logical device on the network.
configure ports 29 auto off speed 10000 duplex full
configure ports 30 auto off speed 10000 duplex full
configure ports 31 auto off speed 10000 duplex full
configure ports 32 auto off speed 10000 duplex full
# Module mcmgr configuration.
#
configure igmp snooping vlan "OPERATIVEDATA" ports 27 add static router
configure igmp snooping vlan "OPERATIVEDATA" ports 28 add static router
configure igmp snooping vlan "OPERATIVEDATA" ports 29 add static router
------------------------------------------------
Note: this is a section of the switch 1 configuration; consider that 27-28 are the ports connected to redundant port 1 and 2 of the firewall, and 29 is the main trunk that, together with 30, composes the LACP trunk.
The other switch, switch 2, is equal to this, with the same VLAN 101 and a different IP address: 10.140.1.162 instead of 10.140.1.161. The ports to the firewall are tagged (why?).
In your diagram, the firewalls are connected to both switches. But in your description a couple of times you mention FW1 connects to SW1 only, and vice versa for FW2/SW2. Can you clarify which way it is?
Yes, from sw2 I can't ping 10.140.1.132 and from sw1 I can't ping 10.140.1.133, but all the other servers or consoles located on the opposite switch, yes. It's only a problem with the firewalls in this VRRP configuration, and this prevents them from being connected together to establish the right master/backup roles.
If I remove the (active) cable from fw2 to sw2, the backup cable connecting to sw1 becomes active and finally reaches fw2 (10.140.1.132), but this is clear because finally fw1 and fw2 are connected to the same switch and able to exchange the VRRP messages. In short, if the active ports of the two firewalls are on the same switch everything runs, and not when they are located on different switches.
But it is not a problem of the switch trunk, because the normal PCs, servers and consoles see each other from any switch. If I remove VRRP I'm sure that I can see the FWs from any switch. It seems that ARP on one switch addresses only the local FW, not only for the virtual IP but also for the physical IP of the other FW2 located on the other switch. Tomorrow I will try your command.
Sorry, I made a mistake, because from the switches the firewall IP addresses (10.140.1.131-133) are visible and ping each other, so the switches are OK,
but what do you expect from the "diagnose ip arp list" command? From the internal firewall with this command I do not see the VLAN addresses 10.140.1.132-133. (Redundant Port 1 and Port 2 under the VLAN don't have an IP address.)
And the firewalls both continue to be master; only if both FWs are on the same switch does everything run OK, one master and one slave.
Probably if I remove the redundant capability, will the FWs start to run correctly?
1) Yes, I saw all the other addresses 10.140.1.x with your command.
2) Ports 17-18 of the firewall are connected together but not configured; in the conf file they are defined as type physical but without any other configuration. Tomorrow I will apply diagnose for all your open requests.
In the worst case I could configure the firewalls in HA active-backup and remove VRRP, but let me send you the info required.