Connecting fortigate to Cisco Core

Chris McCann
Level 1

Hi,

I have a problem: we have a failover FortiGate FW pair, both linking to a single switch which then has a trunk connecting to our core switch.

If I remove the single switch and run the pair of cables from the FortiGate into the core, then the FW fails and the ports on the core do not come up. I have the ports on the core configured as access ports.

The switch being removed has almost no config on it. The interfaces to the FW are access VLAN 4; back to the core the interface is a trunk.

Here is the config from the core switch.

Trunk port that links to the switch I want to remove:

interface GigabitEthernet2/29
description Primary-InsideFirewall
switchport
switchport mode trunk
spanning-tree portfast edge
end

interface Vlan4
description Firewall VLAN
ip address 192.168.1.1 255.255.255.0
ip pim sparse-mode
end

I have configured the two new ports as below (the access VLAN is set with a separate "switchport access vlan" command, as IOS requires):

interface GigabitEthernet2/30
description Primary-InsideFirewall
switchport
switchport mode access
switchport access vlan 4
spanning-tree portfast edge
end

interface GigabitEthernet1/30
description Secondary-InsideFirewall
switchport
switchport mode access
switchport access vlan 4
spanning-tree portfast edge
end

But as mentioned, when patching directly into the core switch the ports fail to come up.

I got this from the Cisco log:

.Sep 10 07:10:08: %PIM-5-NBRCHG: neighbor 192.168.1.2 DOWN on interface Vlan4 DR
.Sep 10 07:10:08: %PIM-5-DRCHG: DR change from neighbor 192.168.1.2 to 192.168.1.1 on interface Vlan4
.Sep 10 07:16:20: %PIM-5-NBRCHG: neighbor 192.168.1.2 UP on interface Vlan4
.Sep 10 07:16:20: %PIM-5-DRCHG: DR change from neighbor 192.168.1.1 to 192.168.1.2 on interface Vlan4


192.168.1.2 is the firewall virtual IP; 192.168.1.1 is the core SVI interface for that particular VLAN. The second part in bold is when I patched the original single switch back in and the FW came back up.

I know very little about IP PIM. However, from my understanding, since the firewall and core SVI are in the same VLAN this should make no difference.

Any advice welcome!

Chris


5 Replies

Reza Sharifi
Hall of Fame

Hi,

A couple of questions:

Are the firewalls clustered?

Are the core switches stacked?

It appears that when you move the connections from a single switch to the core switches, the core switches don't see the firewall as one unit (clustered or aggregated).

HTH

The firewall is a failover pair, active/passive.

The core switch is a single unit 6509 with multiple blades.

It appears that when you move the connections from a single switch to the core switches, the core switches don't see the firewall as one unit (clustered or aggregated).

Yeah, I agree. I thought perhaps there was some sort of signalling between the two firewall interfaces that was being blocked by the core switch, but I don't see what or how.

The core switch is a single unit 6509 with multiple blades.

Ok, so, the core switch is only one. So, we don't need to worry about any switch clustering, aggregation, etc. It may be an STP issue. Can you check the VTP status and make sure it is turned off or it is in transparent mode? 

Also, can you make sure that the switch is the root bridge for all vlans?

Since the switch is in production, you would need to make any of these changes during off-hours.

HTH

Hello,

What happens when you disable PIM altogether on the SVI?

interface Vlan4
description Firewall VLAN
ip address 192.168.1.1 255.255.255.0
--> no ip pim sparse-mode
end

Slightly concerned about doing this as we also have some servers in the same VLAN which may be affected. I was also thinking that the SVI shouldn't really come into play as all the interfaces involved are in the same VLAN.

This is a live environment so I can't go playing around too much. I have to plan the work and do it out of hours.