Hello Guys,
A question: I have two Fortinets working in VRRP; each Fortinet is connected to a different switch, trunked with LACP. The configuration of the two firewalls is fine, but they are both master at the same time. They exchange some messages between them on 224.0.0.8 (protocol 112), but nothing: they both remain master. I tried to ping the physical IP address of the other from one switch, but nothing. From each switch we can see only the virtual IP, which is the virtual IP of the local firewall. The switches are trunked well.
I wonder if it is mandatory to use a proxy-arp configuration with VRRP, because I suspect that ARP does not resolve the physical IP of the firewalls connected to the other switch.
Configuration:
switch 1 connected to firewall 1
switch 2 connected to firewall 2
switch 1 and switch 2 trunked
I checked with get info router vrrp on both and everything is fine, but it does not resolve the arbitration of who is master and who is slave, probably because they do not see each other due to some ARP problem.
What is the role of proxy-arp in VRRP in this case? Can they work without it?
Thanks!!!
Created on 09-27-2022 02:37 PM, edited on 09-27-2022 02:40 PM
OK, it looks like RCC_LAN is a VLAN interface. Can you confirm by doing "show full system interface RCC_LAN | grep type"?
If so, this VLAN interface needs to be attached to a physical interface, such as the redundant interface.
Can you shed more light on any of the other interfaces on the FortiGate? Are there more L3 interfaces between the FGT and the SW? What is the nature of the "trunk" interface between the FortiGates? How does it work and how is it connected?
Now, with that said, you probably do not need the VLAN interface unless you need trunking with tagged VLAN access to a downstream switch. Given what I see here, there is no tagged traffic between the FGT and the switch. If RCC_LAN is the only L3 interface on the FGT, then I suggest moving the IP configuration, including VRRP, into the Redundant interface config. Or, at the very least, assign the RCC_LAN interface to the "SW1-SW2" interface:
config system interface
edit RCC_LAN
set interface "SW1-SW2"
end
Given your use case, I would suggest leveraging FortiGate HA with SD-WAN to satisfy your requirements.
With FortiGates in HA, you only have one configuration to manage. With SD-WAN you can put both your WAN interfaces (and GRE tunnels) into the SD-WAN interface and do your load balancing/failover using SD-WAN. There would be no duplication of multicast traffic, as there is only one logical device on the network.
HA a-p (and a-a) both do configuration sync. So you cannot have different configurations between the firewalls.
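As an added example (not part of this thread and not Fortinet code), here is a small Python parser for VRRPv2 advertisements that flags the symptom from the question: two routers both advertising the same VRID on one segment, which is what you see when the peers never hear each other. The observations in the block are constructed sample data; a real check would feed it VRRP payloads captured on the switch side.

```python
import struct
from ipaddress import IPv4Address
from collections import defaultdict

VRRP_MCAST = "224.0.0.18"  # VRRPv2 advertisement group, carried as IP protocol 112


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over the whole VRRP message (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid: int, priority: int, vips: list, adver_int: int = 1) -> bytes:
    """Construct a VRRPv2 advertisement; used here only to produce sample input."""
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, adver_int, 0)
    body = b"".join(IPv4Address(v).packed for v in vips) + bytes(8)  # 8 bytes auth data
    return hdr[:6] + struct.pack("!H", ones_complement_checksum(hdr + body)) + body


def parse_advert(pkt: bytes) -> dict:
    """Parse and validate one VRRPv2 advertisement; raises ValueError on a bad packet."""
    if len(pkt) < 16:
        raise ValueError("too short")
    vt, vrid, prio, count, _auth, adver_int, csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0xF != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("length does not match Count IP Addrs")
    if ones_complement_checksum(pkt[:6] + b"\x00\x00" + pkt[8:]) != csum:
        raise ValueError("bad checksum")
    vips = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int, "vips": vips}


def find_dual_masters(observations: list) -> dict:
    """observations: (source_ip, vrrp_bytes) pairs seen on one segment.
    Only a master sends advertisements, so a VRID heard from more than one source
    means two masters; returns {vrid: sorted sources} for those VRIDs."""
    senders = defaultdict(set)
    for src, pkt in observations:
        try:
            senders[parse_advert(pkt)["vrid"]].add(src)
        except ValueError:
            continue  # malformed packets are ignored, not counted as a master
    return {vrid: sorted(s) for vrid, s in senders.items() if len(s) > 1}
```

Two well-formed advertisements for VRID 10 from different sources produce `{10: [...]}`, while a packet with a bad checksum is dropped rather than counted.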
Copyright 2024 Fortinet, Inc. All Rights Reserved.