Fortigate - ARP-Issues after Upgrade 5.6.6 to 5.6.9 - Unicast flooded to all switch-ports

Author: KPS (Silver Member)
Posted 2019/09/12 12:02:29 (tag: 5.6)

Hi!

I just updated my 200E cluster from 5.6.6 to 5.6.9. Now I have a very strange issue:

The unicast traffic that passes the Fortigate is "acting" like broadcast traffic.
--> The traffic is sent to every switch port.

If I monitor the traffic on ANY switch port, I see all the unicast packets that were routed by the Fortigate.

If I ping the Fortigate from the destination IP, the problem stops instantly.

Do you have any idea what happens there?
For me, the Fortigate seems to "forget" to use the ARP table for those packets. If I have "incoming" traffic (destination = Fortigate), ARP seems to work fine.

The ARP entry for one test server:

#diagnose ip arp list | grep 10.49.0.48
index=34 ifname=DMZ-HO-Bond 10.49.0.48 00:50:56:89:xx:xx state=00000004 use=369512 confirm=372713 update=368876 ref=4

Thank you for your help!

KPS
#1
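The symptom in the post above (routed unicast frames visible on every switch port) is what a switch does when it has no MAC-table entry for the destination: it floods the frame out of all ports in the VLAN. The following is an added example, not part of the original post and not Fortinet code, that checks for exactly that from a pcap taken with tcpdump on some unrelated host in the same VLAN. It parses the classic libpcap format itself (no scapy needed) and counts unicast frames whose destination is a MAC other than the capturing host's own; on an access port those should never appear. The MAC addresses and the embedded capture are constructed for the demonstration.

```python
"""Find unicast frames a switch flooded to a port that is not their destination.

Added example for this thread; not from the original post and not Fortinet
code. It reads a classic libpcap capture (Ethernet link type) taken on a
switch port and reports unicast frames addressed to a MAC other than the
capturing host's own. Seeing such frames on an access port means the switch
has no MAC-table entry for the destination and is flooding them.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def is_unicast(raw_mac):
    # I/G bit (LSB of the first octet) clear => individual (unicast) address.
    return raw_mac[0] & 0x01 == 0


def iter_frames(data):
    """Yield (dst_mac, src_mac, ethertype) for each Ethernet frame in a pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24  # end of the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 14:
            continue  # truncated frame, skip
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        yield mac_str(frame[0:6]), mac_str(frame[6:12]), ethertype


def flooded_unicast(data, my_mac):
    """Return (total_frames, Counter{(src, dst): n}) of unicast frames not for my_mac."""
    my_mac = my_mac.lower()
    stray, total = Counter(), 0
    for dst, src, _et in iter_frames(data):
        total += 1
        if is_unicast(bytes.fromhex(dst.replace(":", ""))) and dst != my_mac:
            stray[(src, dst)] += 1
    return total, stray


def build_pcap(frames):
    """Build a minimal little-endian pcap from (dst, src) MAC pairs (test data only)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, (dst, src) in enumerate(frames):
        payload = (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
                   + b"\x08\x00" + b"\x00" * 46)  # IPv4 ethertype, dummy body
        out.append(struct.pack("<IIII", 1568300000 + i, 0, len(payload), len(payload)))
        out.append(payload)
    return b"".join(out)


# Constructed MACs: a firewall, a server the firewall routes to, and the
# capturing host (none are real addresses from the thread).
FW_MAC, SERVER_MAC, MY_MAC = "00:09:0f:aa:bb:01", "00:50:56:89:00:01", "02:00:00:00:00:01"
SAMPLE_PCAP = build_pcap(
    [(SERVER_MAC, FW_MAC)] * 5          # routed unicast we should never see here
    + [("ff:ff:ff:ff:ff:ff", FW_MAC)]   # ARP broadcast, legitimately flooded
    + [(MY_MAC, FW_MAC)]                # unicast actually addressed to us
)

if __name__ == "__main__":
    total, stray = flooded_unicast(SAMPLE_PCAP, MY_MAC)
    for (src, dst), n in stray.most_common():
        print(f"{n} of {total} frames: {src} -> {dst} flooded to this port")
```

Run it against a real file with `flooded_unicast(open("port.pcap", "rb").read(), "<your MAC>")`. Broadcast and multicast are excluded on purpose (their I/G bit is set), so anything reported is a frame the switch should have forwarded to a single port; if the `(src, dst)` pairs all have the firewall as source, the switch is losing the destination's MAC-table entry, which is the point to chase next.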

15 Replies

    kubimike (New Member), 2019/09/12 12:10:57
    Since you have a cluster, are you doing home-runs with the wiring?
    #2
    KPS (Silver Member), 2019/09/12 12:14:15
    kubimike wrote: Since you have a cluster, are you doing home-runs with the wiring?

    I do not really understand. The cluster is active-passive. Both nodes have one leg in every network.
    #3
    kubimike (New Member), 2019/09/12 12:15:01
    How many switches do you have connected to the Fortigate?
    #4
    KPS (Silver Member), 2019/09/12 12:16:37
    kubimike wrote: How many switches do you have connected to the Fortigate?

    Hi!
    Each Fortigate is connected to two switches as an active-passive bond.
    #5
    kubimike (New Member), 2019/09/12 12:17:35
    Ah, that's what I thought. See if this cures your problem and report back :)
     
    config system stp
    set switch-priority 0
    end

    #6
    KPS (Silver Member), 2019/09/12 12:20:44
    Hi!
     
    But why does this matter? The A/P bond should not interact with STP, right?
    I am running that unchanged for a year. The only change was the upgrade of FortiOS.
    #7
    kubimike (New Member), 2019/09/12 12:22:02
    The switch is still active, with packets getting copied to it. It mattered for me and solved my problem back in the day. If it doesn't solve it, just remove it. Worth a try!

    Don't forget to report back! I'm curious too.
    #8
    KPS (Silver Member), 2019/09/12 12:34:09
    Hi!
     
    Thank you for your help. I will give it a try tomorrow and report back :-)
     
     
    #9
    KPS (Silver Member), 2019/09/12 13:40:39
    Hi!

    "config system stp" is not available on my 200E with 5.6.9.
    Isn't this only available if bridges are used?

    ...and one more question: Wouldn't this lead to the problem that the Fortigate would take over the role of root bridge?
     
    #10
    kubimike (New Member), 2019/09/12 13:59:10
    This applies to spanning tree only. What type of switches do you have, what model? Very odd you don't have that command. Perhaps it's because of the age of your OS? Why do you run such an old release? The idea here is that you want the Fortigate as root.
    #11
    KPS (Silver Member), 2019/09/12 14:02:36
    I think we are talking about different things:

    I am not using Fortinet switches. I am using Dell and Arista with RSTP enabled.
    The system version of my Fortigates is 5.6.9, not very old, but I am not using them as switches.
    #12
    kubimike (New Member), 2019/09/12 14:05:20
    No, we are talking about the same thing, so you do have spanning tree turned on for the switches, it seems. So yeah, you'll need to see why your OS doesn't include the config stp. I've had great success with version 6.0.4.
    #13
    KPS (Silver Member), 2019/09/12 14:07:39
    Tomorrow I will remove one port of the bond to test whether the bond is involved in the problem.
    5.6.6 did not show that behavior...
    #14
    kubimike (New Member), 2019/09/12 14:21:27
    That's a good test. Make sure you don't have any health monitors that could trigger a failover.
    #15
    KPS (Silver Member), 2019/09/13 01:44:47
    Hi!

    I removed the "redundancy link", but the problem is still there and very strange.

    According to the docs, the ARP cache should last at least 5 minutes, but that is not the case.

    Test:
    Ping "over the Fortigate" to the IP.
    --> get system arp | grep IP --> the entry exists after the ping:
    get system arp | grep 10.49.0.51
    10.49.0.51 0 00:50:56:96:49:b2 DMZ-HO-Bond

    61 seconds later, the ARP entry is gone:
    fg200e_HZ_1_1 (root) # get system arp | grep 10.49.0.51

    Thank you and best wishes
    KPS
    #16
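The test in the post above (take `get system arp` before and after a wait, see whether the entry survived) is easy to do by hand for one host but tedious for a whole DMZ. As an added example, not part of the original post and not Fortinet code, here is a small tracker that takes several `get system arp` snapshots captured at known offsets in seconds, parses the rows (Address, Age(min), Hardware Addr, Interface, the column layout of that command), and reports every entry that vanishes before an expected minimum lifetime. The default minimum of 300 s is the "at least 5 minutes" figure the post cites; the snapshots below are constructed around the IPs and timings from the thread, and the MAC for 10.49.0.48 is made up.

```python
"""Track FortiGate ARP entries across repeated 'get system arp' snapshots.

Added example for this thread; not Fortinet code and not from the original
post. It assumes each snapshot is the plain 'get system arp' table text
captured at a known offset in seconds, and flags entries that disappear
before an expected minimum lifetime (default 300 s, the post's "5 minutes").
"""
import re

# One ARP row: IP, age in minutes, MAC, interface name.
ARP_ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: (mac, interface, age_min)} from 'get system arp' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:  # header and blank lines do not match
            ip, age, mac, ifname = m.groups()
            table[ip] = (mac.lower(), ifname, int(age))
    return table


def find_premature_expiry(snapshots, min_lifetime=300):
    """snapshots: [(t_seconds, table_text), ...] in ascending time order.

    An entry is premature when it is present in one snapshot and absent from a
    later one taken less than min_lifetime seconds after it was first seen.
    Returns a sorted list of (ip, mac, first_seen, gone_at).
    """
    first_seen, mac_of, gone_at = {}, {}, {}
    for t, text in snapshots:
        table = parse_arp_table(text)
        for ip, (mac, _ifname, _age) in table.items():
            if ip not in first_seen:
                first_seen[ip] = t
                mac_of[ip] = mac
        for ip in first_seen:
            if ip not in table and ip not in gone_at:
                gone_at[ip] = t  # first snapshot in which the entry is missing
    premature = [
        (ip, mac_of[ip], first_seen[ip], t_gone)
        for ip, t_gone in gone_at.items()
        if t_gone - first_seen[ip] < min_lifetime
    ]
    return sorted(premature)


# Constructed snapshots modelled on the figures in the thread; the 10.49.0.48
# row (made-up MAC) stays present to show that a normal entry is not reported.
SNAPSHOTS = [
    (0, """Address           Age(min)   Hardware Addr      Interface
10.49.0.48        0          00:50:56:89:00:48  DMZ-HO-Bond
10.49.0.51        0          00:50:56:96:49:b2  DMZ-HO-Bond
"""),
    (30, """Address           Age(min)   Hardware Addr      Interface
10.49.0.48        0          00:50:56:89:00:48  DMZ-HO-Bond
10.49.0.51        0          00:50:56:96:49:b2  DMZ-HO-Bond
"""),
    (61, """Address           Age(min)   Hardware Addr      Interface
10.49.0.48        0          00:50:56:89:00:48  DMZ-HO-Bond
"""),
]

if __name__ == "__main__":
    for ip, mac, t0, t1 in find_premature_expiry(SNAPSHOTS):
        print(f"{ip} ({mac}) first seen at t={t0}s, gone by t={t1}s: below the expected minimum")
```

Feed it real snapshots by running `get system arp` from a script over SSH every 10-30 s and pairing each output with its capture offset; the reported `gone_at` is an upper bound on the entry's lifetime, so a finer polling interval narrows it. An entry that is reported here while no traffic flowed in the meantime is expected; one that vanishes while the host is actively being pinged through the firewall is the behaviour the post describes.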