05-08-2012 09:32 AM - edited 05-08-2012 09:49 AM
The master/master issue only happens when I use the FortiGate firewall as a bypass.
There is also BGP set up between the two routers, and one interface is used for a crossover.
Normally, the backup is fine as a backup, and the master is below.
Current master "show vrrp":
Interface State Group VR state VR Mode Timer Type Address
fe-0/2/0.0 up 100 master Active A 0.660 lcl 192.168.0.2
05-08-2012 11:15 AM
It would be good if you could post a diagram of where the FortiGate is. If this is between the routers, then the FW is filtering the VRRP frames. There should always be connectivity through the VRRP interfaces.
Anyway, you could use the connection between those routers as the VRRP primary group. The other interface will inherit its state, so the backup will become master only if the primary router is down. It doesn't matter if you don't need VRRP on those interfaces, if this is Ethernet of course.
05-08-2012 11:18 AM
We were only testing the FortiGate.
The FortiGate was between the backup router and the internal switch.
The master was not behind the FortiGate, so the internal switch goes directly to the master router.
Normally the backup router sits the same way, and the internal switch goes directly to the backup router as well.
05-08-2012 12:01 PM - edited 05-08-2012 12:06 PM
So, you put the FortiGate between the router and the switch, so it is in the middle between both routers. This way the FW will filter VRRP.
R-backup ---- FW ---- Switch ----- R-Primary
R-Backup ---- Switch ---- R-Primary
05-08-2012 01:28 PM - edited 05-08-2012 01:50 PM
Yes, so you think this scenario would cause the issues I got?
Since we were only testing the firewall, we allowed any to any, so all traffic should pass through.
05-08-2012 01:58 PM
VRRP is not a routable protocol, and is not the IP protocol, so an "ip any any" rule will not allow VRRP; this is the VRRP protocol and should be allowed.
Your FW should be configured in transparent mode, never in routing mode. It should even allow pass-through of STP traffic or any other Layer 2 protocol, like ARP. If not, VRRP will not pass through your FW, because VRRP packets can't be routed.
This is why you got both routers as master: because the FW blocks any VRRP traffic.
05-08-2012 02:08 PM
It was in transparent mode.
After looking through the different options on the firewall, my guess was that either our Junipers aren't configured 100% properly or the Fortinet FortiGate firewall just wasn't 100% compatible with the Juniper M7i routers.
05-09-2012 03:09 AM
The only compatibility issue you may have is that the firewall didn't recognize some protocols, and you could not configure them to be allowed by the FW. But VRRP is a standard protocol; it could not have issues with this.
Anyway, try to configure ip any any, arp any any, icmp any any, and vrrp any any rules; then both routers should work properly. You have to be able to telnet and ping from both routers to each other, and VRRP should work. If not, the firewall is not transparent.
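The two replies above come down to one verifiable claim: VRRP advertisements are carried directly inside IP as protocol number 112, sent to the link-local multicast group 224.0.0.18 with TTL 255, so a policy that only matches TCP, UDP and ICMP never sees them, and when the backup stops hearing the master's advertisements it promotes itself, giving the master/master state seen in the first post. The script below is an added example, not code from this thread, from Juniper or from Fortinet. It builds a constructed VRRPv2 advertisement (the VIP 192.168.0.1 and the second router address 192.168.0.3 are made up; 192.168.0.2 is the local address shown in the "show vrrp" output), decodes it the way you would decode frames captured on each side of the firewall, verifies the VRRP checksum, and flags any VRID for which more than one router is advertising, which is the dual-master symptom. All function names are this example's own.

```python
import socket
import struct
from collections import defaultdict

VRRP_PROTO = 112           # IP protocol number assigned to VRRP (RFC 3768)
VRRP_MCAST = "224.0.0.18"  # link-local multicast group VRRP advertisements are sent to


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IPv4 header and VRRPv2."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp_advert(src_ip: str, vrid: int, priority: int, vip: str, adver_int: int = 1) -> bytes:
    """Construct an IPv4 packet carrying a VRRPv2 advertisement (constructed sample input)."""
    # VRRPv2 header: version 2 / type 1 (advertisement), VRID, priority, count of VIPs,
    # auth type 0, advertisement interval, checksum, the VIP(s), 8 bytes of auth data
    body = struct.pack("!BBBBBBH", 0x21, vrid, priority, 1, 0, adver_int, 0)
    body += socket.inet_aton(vip) + b"\x00" * 8
    vrrp = body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]
    # IPv4 header: TTL 255 and protocol 112 are what every VRRP advertisement carries
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(vrrp), 0, 0, 255, VRRP_PROTO, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(VRRP_MCAST))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + vrrp


def parse_packet(pkt: bytes) -> dict:
    """Decode the IPv4 header and, for protocol 112, the VRRPv2 advertisement inside it."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto}
    if proto != VRRP_PROTO:
        return info  # TCP, UDP, ICMP and friends: not a VRRP advertisement
    body = pkt[ihl:total_len]
    ver_type, vrid, prio, count, _auth, adver_int, _csum = struct.unpack("!BBBBBBH", body[:8])
    vips = [socket.inet_ntoa(body[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    info["vrrp"] = {
        "version": ver_type >> 4, "type": ver_type & 0x0F, "vrid": vrid, "priority": prio,
        "adver_int": adver_int, "vips": vips,
        # summing the message with its checksum field in place yields 0 when it is intact
        "checksum_ok": inet_checksum(body) == 0,
        "to_vrrp_group": info["dst"] == VRRP_MCAST,
    }
    return info


def detect_dual_master(packets) -> dict:
    """Only the master sends advertisements, so two sources for one VRID on one segment
    means two masters. Returns {vrid: [src, ...]} for every VRID with more than one sender."""
    seen = defaultdict(set)
    for pkt in packets:
        info = parse_packet(pkt)
        v = info.get("vrrp")
        if v and v["type"] == 1 and v["checksum_ok"] and v["to_vrrp_group"]:
            seen[v["vrid"]].add(info["src"])
    return {vrid: sorted(srcs) for vrid, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    # Constructed capture: both routers advertising VRID 100 at once, as in the first post
    capture = [build_vrrp_advert("192.168.0.2", 100, 254, "192.168.0.1"),
               build_vrrp_advert("192.168.0.3", 100, 100, "192.168.0.1")]
    print(parse_packet(capture[0]))
    print("dual master:", detect_dual_master(capture))
```

Run against frames captured on the switch side and on the router side of the firewall: if decoded advertisements for VRID 100 appear on one side only, the firewall is dropping protocol 112 regardless of what its "any" rule suggests, which is exactly the test the last reply asks for.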