12-21-2015 02:10 PM - edited 03-08-2019 03:10 AM
Hello.
Validating a scenario that takes advantage of the capabilities offered by a FortiGate solution in HA A-A (Active-Active), I'm trying to enable the attached topology (please see the diagram in JPG format). Below I'm going to explain the issue perceived:
When I try to use the Internet connections, taking the distributed LACP as the uplink connection, the navigation experience for some end users is degraded: HTTP content fails to upload, there is delay, and the local gateway is not reachable via ping or tracert; the experience is like a loop.
The LACP, from the perspective of Cisco IOS, is correctly formed: the LACP comes up and each link member is grouped without any problem.
In contrast, I've applied this topology using only one FortiGate and the redundancy is obtained (check the second topology).
My perception is that the arrangement of Cisco stacked multilayer switching + the Active-Active connections to the FORTIGATE HA gives this bad experience at the moment of trying to access network resources.
Does somebody have any idea if it is possible to have HA A-A using a CORE multilayer switch in stack format?
Thanks, and I await your point of view.
12-27-2015 11:32 PM
How does the client know which of the two Fortigates to send the traffic to when they are both active/active?
12-29-2015 07:07 AM
Hi.
Well, the cluster from the perspective of ARP is seen as one unit; the cluster gives an exclusive virtual MAC for the purpose of mapping into the ARP table.
Regards,
12-29-2015 10:46 AM
So the two units share a single MAC address? If that is the case, then the switches can only forward client traffic to one firewall at a time, so I don't see how active/active could be working in a scenario where traffic is processed by both of them at the same time. Or have I misunderstood, and is only one firewall at a time forwarding traffic?
04-18-2016 01:24 PM
Hi, sorry to interrupt. Both firewalls share a unique MAC, but only one unit acts as a master that receives all frames and sends a connection to a secondary unit. From this perspective, all traffic is first processed by the master, which sends a given session to a member. Another thing that happens is that the master synchronizes its session table with all members, so in case it fails a new master is elected, which sends a gratuitous ARP to the switch informing it that the new master is reachable through a given port.
04-18-2016 01:30 PM
Hi, sorry to bother you, but I want to know if you were able to make that work. I have to connect two clustered FG 100D units with two stacked Cisco 2960s. My idea is to create a LACP with ports of both switches connecting to the FG, so in case one switch fails the other can still send traffic through the other port.
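One check for the loop-like symptom in the first post, given that the cluster presents a single virtual MAC as the later replies explain: parse Catalyst MAC-flap syslog lines and report which MACs move between which ports, and whether those ports sit on different stack members. This is an added example, not code from anyone in this thread; the log lines are constructed, and the virtual MAC, VLANs and port names in them are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the standard Catalyst IOS
# %SW_MATM-4-MACFLAP_NOTIF format; the MACs, VLANs and ports are made up.
SAMPLE_LOG = """\
Dec 21 14:02:11.103: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0001 in vlan 10 is flapping between port Gi1/0/1 and port Gi2/0/1
Dec 21 14:02:13.221: %SW_MATM-4-MACFLAP_NOTIF: Host 0009.0f09.0001 in vlan 10 is flapping between port Gi2/0/1 and port Gi1/0/1
Dec 21 14:02:20.455: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
Dec 21 14:02:25.900: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.56aa.bb01 in vlan 20 is flapping between port Gi1/0/5 and port Po1
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_flaps(log_text):
    """Return (mac, vlan, port_a, port_b) for every MACFLAP line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            events.append((m["mac"], int(m["vlan"]), m["p1"], m["p2"]))
    return events


def flap_summary(log_text, watch_macs=()):
    """Group flap events per (mac, vlan) into the ports involved and the event count.
    watch_macs restricts the summary, e.g. to the HA cluster's virtual MAC."""
    summary = defaultdict(lambda: {"ports": set(), "count": 0})
    for mac, vlan, p1, p2 in parse_flaps(log_text):
        if watch_macs and mac not in watch_macs:
            continue
        summary[(mac, vlan)]["ports"].update((p1, p2))
        summary[(mac, vlan)]["count"] += 1
    return dict(summary)


def spans_stack_members(ports):
    """True if the ports sit on different stack members (Gi<member>/<slot>/<port>);
    port-channel names such as Po1 carry no member index and are skipped."""
    members = {m.group(1) for p in ports for m in [re.match(r"(?:Gi|Te|Fa)(\d+)/\d+/\d+", p)] if m}
    return len(members) > 1


if __name__ == "__main__":
    for (mac, vlan), info in flap_summary(SAMPLE_LOG).items():
        note = " (spans stack members)" if spans_stack_members(info["ports"]) else ""
        print(f"{mac} vlan {vlan}: {info['count']} flaps on {sorted(info['ports'])}{note}")
```

Feed it the output of the switch's logging buffer (or `show mac address-table` snapshots turned into move events) and pass the cluster's virtual MAC in watch_macs to see whether it is moving between the uplinks on both stack members.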