Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2071
Views
0
Helpful
3
Replies

Successful ping to VIP but no arp entry? - VRRP

Charchiclofner
Level 1
Level 1

‎10-04-2015 11:57 AM - edited ‎03-08-2019 02:03 AM

Hi,

I'm trying to set up vrrp between a Cisco 800 series ISR and a Fortigate VM firewall. Please see diagram below. Should note this is mainly about the Cisco, not the Fortigate.

I'm having a bit of trouble with the VRRP on the FG. It takes master status but none of my LAN kit can seem to get through it to the internet despite correct policies in place and all working fine for other, non-vrrp, subnets.

Whilst investigating the issue I've noticed something very odd from my Cisco, which is what I want to ask about here. I'll save the rest for the Fortigate forums :)

The priority of the FG is currently higher than the Cisco and, as expected, it has taken over as the master device. Both the cisco and the FG confirm
this with the appropriate show/get commands.

Does anyone have any idea how I could be seeing the below results when running these two commands straight after each other?


RTR-01-VM#ping 192.168.50.3 source 192.168.50.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.50.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
RTR-01-VM#show arp | inc 50.3                  
RTR-01-VM#

 

So you can see I am getting a response from 50.3 (the VRRP VIP) but this IP does not appear in the arp cache at all. Debug output shows that the response arriving at router is definitely coming from the 50.3 address and not the configured interface ip, namely .16

001400: .Oct  4 16:58:29.407 BST: ICMP: echo reply rcvd, src 192.168.50.3, dst 192.168.50.1, topology BASE, dscp 0 topoid 0

 

From the windows laptop I can see all the appropriate mac-addresses in the arp cache but, ironically, I do not get a ping response from 50.3 (but do get a response from 50.16 and can route to the internet without issue if I manually assign 50.16 as the DG for the laptop)

 

I've cleared the arp cache on the laptop as well and the 50.3 comes back so the fortigate is definitely answering arp responses for this address with the correct mac address.

 

Obviously I need to try and figure out why the Fortigate doesn't seem to be passing traffic sent to the vrrp address but I'm curious about this missing arp entry in the Cisco.

I considered briefly that the Cisco (being configured with VRRP) just "knows" the VRRP VIP to mac-address mapping so to test I removed the VRRP config from it entirely, no change.

Anyone have any ideas?

VRRP - FG - Cisco.jpg

Labels:
Preview file
131 KB
0 Helpful
3 Replies 3

Richard Bradfield
Level 6
Level 6

‎10-04-2015 06:27 PM

As a matter of interest what happens if you make the Cisco the master, can you then ping the .3 address from the laptop?

0 Helpful

Charchiclofner
Level 1
Level 1
In response to Richard Bradfield

‎10-05-2015 10:26 AM

Yep, and the response comes from 50.3

0 Helpful

Richard Bradfield
Level 6
Level 6
In response to Charchiclofner

‎10-05-2015 02:40 PM

So it looks like a Fortigate problem, the advertising intervals match on both devices?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card