Fortigate 100D Firewalls and HSRP

hsrpvmware

First, please see the attached network diagram to see what I am trying to do.

enter image description here

On the 2 distribution switches, we run HSRP and have one Fortigate going to SW1 and the other going to SW2.

Then we have vmware esx hosts with connections to each of the fortigates. The fortigates are configured in an active-active ha config as are the vmware vswitches.

Now for some reason, when we disconnect the cable from the monitored wan1 port on either of the fortigates, the ip assigned the a vm on either of the esx hosts fails to be reachable however the ip assigned to the fortigates is reachable just fine. For some reason, traffic isn't being passed through the fortigates.

However, if you look at this diagram, the vm ip is reachable just fine when the devices failover.

enter image description here

I've tried setting different interface tracking options in hsrp and tried using "ip sla" as well to no avail.

Am I missing something somewhere either on the fortigates or on the distro switches?

Best Answer

Let me preface this by saying that I have not used Fortigate, but speaking generally.

You should have two links from each firewall (FW ), one to each switch (SW), just as you have a link from each FW to each server (SRV).

This is what I suspect is happening. Assuming SW1 is the HSRP active interface, it initially receives traffic from SRV2 on the link to SW2 and creates an entry in the MAC and ARP tables. When the link between SW2 and FW2 goes down, SW2 removes the entries for that interface from it's tables, but SW1 doesn't know the link is down and maintains it's entries.

When traffic comes in to SW1 for SRV2, it looks up the ARP/MAC information and sends the traffic to SW2. SW2 doesn't have an entry for SRV2 anymore, and floods it out all ports except the one it received the traffic on (normal switch operations). This results in the traffic never reaching SRV2 as none of the other links on SW2 provide a path to SRV2.

With the second link the traffic between FWs and SWs, the flooded traffic would then be received at FW1 and be able to get to SRV2.

If you have outbound traffic from SRV2 after the link goes down, or you clear the MAC entries on SW1, I suspect that this would work as well.

Related Solutions

PIM-SM multicast and HSRP/VRRP

PIM messages are not sourced from HSRP VIP's so the RPF check fails since the HSRP VIP is your RPF neighbor. There are two ways around this though.

Set up a dynamic routing protocol between your router and the other sides routers so HSRP is not needed.
Configure static mroutes to the other sides actual interface IP's such as:

ip mroute 0.0.0.0 0.0.0.0 1.1.1.1

Nat – HSRP and Static NAT behavior

I have found the issue.

The problem was my testing procedure. I simulated the http connection using telnet to http port but I did not generate any traffic(requests). I repeated the tests using GET requests and the nat session table was replicated almost instant.

I post the debug messages.

The NAT replication trigger is the next segment, request in the tcp session.

Debug messages

Telnet from client

telnet 10.31.73.12 3099 
*Nov  7 03:52:17.071: TCBB2701B60 connected to 10.31.73.12.3099
GET / HTTP/1.0
GET / HTTP/1.0
GET / HTTP/1.0

New active

Becomes Active at 03:52:32,34

NATGW2#
*Nov  7 03:52:32.700: %HSRP-5-STATECHANGE: Ethernet0/2 Grp 100 state Standby -> Active
NATGW2#
*Nov  7 03:52:32.701:  IP-ADDR: ipaddr_table_insert_w_tableid() 10.31.71.254, in global table on Ethernet0/2
NATGW2#
*Nov  7 03:52:34.657: %HSRP-5-STATECHANGE: Ethernet0/1 Grp 200 state Standby -> Active

new Active listens for ARP requests for the HSRP IP

*Nov  7 03:52:34.658:  IP-ADDR: ipaddr_table_insert_w_tableid() 192.168.153.253, in global table on Ethernet0/1

The nat session is recreated on the new Active.

*Nov  7 03:52:34.745: NAT: API parameters passed: src_addr:10.31.71.3, src_port:0 dest_addr:10.31.73.12, dest_port:0, proto:6 if_input:Ethernet0/2 pak:B072F0A8 get_translated:1
*Nov  7 03:52:34.745: ipnat_api_translated_address_and_port_common, out->in want IL,OL
*Nov  7 03:52:34.745: NAT: API Translated-Info(1): (src-addr:10.31.71.3, src-port:0) (dest-addr:192.168.153.12, dest-port:0)

Best Answer

Related Solutions

PIM-SM multicast and HSRP/VRRP

Nat – HSRP and Static NAT behavior

Related Topic