Friday, August 28, 2020

FortiGate firewall HA redundancy is not working

In our enterprise network, we have configured FortiGate firewalls in active-active HA redundancy.

The problem is that it doesn't work. My colleague and I have spent weeks trying to fix this, but nothing seems to work.

Below is a description of what's happening. Can someone please provide any helpful input on this?

We have two FortiGate 60E firewalls configured in HA mode for active-active redundancy. The secondary firewall is supposed to take over when the primary fails.

To test the redundancy, we have triggered the failover either by rebooting the primary FortiGate or by disconnecting the WAN cables from the primary and connecting them to the secondary.

On the secondary: Users are able to connect to FortiVPN and can reach the VLANs directly on the core switch, but cannot connect to networks beyond the core switch (for example, the virtual platform or the corporate LAN).

On the primary: Users are able to connect to FortiVPN and can reach all the networks.

After the failover, the cluster MAC addresses on the Cisco switch are learnt from the secondary unit on the respective interfaces.

However, the networks beyond the core switch are unreachable.

When on the secondary, in the FortiGate sniffer:

For the working traffic, in the request packet we see the destination MAC address as 0000.0000.0000, while the source is the FortiGate MAC.

In the response packet, we see the Cisco MAC as the source, but the destination is again 0000.0000.0000.

Still, this traffic works.

For the non-working traffic, the source and destination MACs are all 0000.0000.0000. This traffic doesn't work.

The FortiGate TAC engineers weren't able to provide any advice either.
