
VRRP between Fortinet firewalls

Hello Guys,

A question: I have two Fortinet firewalls working in VRRP; each firewall is connected to a different switch, trunked with LACP. The configuration of the two firewalls is fine, but they are both master at the same time. They exchange some messages between them (protocol 112), but nothing changes: they both remain master. I tried to ping the physical IP address of the other firewall from one switch, but nothing. From each switch we can see only the virtual IP, which is the virtual IP of the local firewall. The switches are trunked correctly.

I wonder if it is mandatory to use a proxy-ARP configuration with VRRP, because I suspect that ARP does not resolve the physical IP of the firewalls connected to the other switch.


switch 1 connected to firewall 1
switch 2 connected to firewall 2
switch 1 and switch 2 trunked

I checked with "get info router vrrp" on both and everything is fine, but it does not resolve the arbitration of who is master and who is slave, probably because they do not see each other due to some ARP problem.

What is the role of proxy-ARP in VRRP? In this case, can they work without it?

2 Solutions

OK, it looks like RCC_LAN is a VLAN interface. Can you confirm by running "show full system interface RCC_LAN | grep type"?


If so, this VLAN interface needs to be attached to a physical interface, such as the redundant interface. 


Can you shed more light on any of the other interfaces on the FortiGate? Are there more L3 interfaces between the FGT and the switch? What is the nature of the "trunk" interface between the FortiGates? How does it work and how is it connected?


Now, with that said, you probably do not need the VLAN interface unless you need trunking with tagged VLAN access to a downstream switch. Given what I see here, there is no tagged traffic between the FGT and the switch. If RCC_LAN is the only L3 interface on the FGT, then I suggest moving the IP configuration, including VRRP, into the redundant interface config. Or, at the very least, assign the RCC_LAN interface to the "SW1-SW2" interface:


config system interface
    edit RCC_LAN
        set interface "SW1-SW2"
    next
end

Given your use case, I would suggest leveraging FortiGate HA with SD-WAN to satisfy your requirements.


With FortiGates in HA, you only have one configuration to manage. With SD-WAN you can put both your WAN interfaces (and GRE tunnels) into SD-WAN interface and do your load balancing/failover using SD-WAN. There would be no duplication of multicast traffic as there is only one logical device on the network.


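The following is an added worked configuration for the suggestion above (carrying the L3 address and the VRRP group directly on the redundant interface instead of on a detached VLAN interface). It is not the poster's configuration and not taken from the thread: the interface name "SW1-SW2" comes from the answer, while the member ports, subnet, virtual router ID and priorities are assumptions chosen for illustration.

```fortios
# Added example, FortiGate 1 (intended VRRP master).
# Assumed: member ports port1/port2, subnet 192.168.10.0/24, VRID 10.
config system interface
    edit "SW1-SW2"
        set type redundant
        set member "port1" "port2"
        set ip 192.168.10.2 255.255.255.0
        set allowaccess ping
        set vrrp-virtual-mac enable
        config vrrp
            edit 10
                set vrip 192.168.10.1
                set priority 200
                set preempt enable
                set adv-interval 1
            next
        end
    next
end

# Added example, FortiGate 2 (intended VRRP backup).
# Same VRID, same virtual IP, its own physical IP, lower priority.
config system interface
    edit "SW1-SW2"
        set type redundant
        set member "port1" "port2"
        set ip 192.168.10.3 255.255.255.0
        set allowaccess ping
        set vrrp-virtual-mac enable
        config vrrp
            edit 10
                set vrip 192.168.10.1
                set priority 100
                set preempt enable
                set adv-interval 1
            next
        end
    next
end
```

Two checks before trusting the result. First, the physical IPs (192.168.10.2 and 192.168.10.3 in the example) must ping each other across the inter-switch trunk; VRRP advertisements are IP protocol 112 sent to 224.0.0.18 on that same broadcast domain, and if plain unicast between the two units does not work, neither will election. Second, run "get router info vrrp" on both units (exactly one should report master) and, if both still claim master, watch whether the peer's advertisements actually arrive with "diagnose sniffer packet SW1-SW2 'proto 112' 4". One caveat on interface type: a FortiGate redundant interface is active/backup, so if the switch side is configured as an LACP port-channel the matching FortiGate interface type is aggregate, not redundant.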


HA a-p (and a-a) both do configuration sync. So you cannot have different configurations between the firewalls.



