Fortigate - ARP-Issues after Upgrade 5.6.6 to 5.6.9 - Unicast flooded to all switch-ports

KPS (2019/09/12 12:02:29, tagged 5.6)


Hi!
 
I just updated my 200E-Cluster from 5.6.6 to 5.6.9. Now, I have a very strange issue:
 
The unicast-traffic that passes the fortigate is "acting" like broadcast-traffic.
--> The traffic is sent to every switchport
 
If I monitor the traffic on ANY switchport, I see all the unicast packets that were routed by the fortigate.
 
If I ping the fortigate from the destination IP, the problem stops instantly.
 
Do you have any idea, what happens there?
For me, the Fortigate seems to "forget" to use the ARP-table for those packets. If I have "incoming" traffic (destination=fortigate), the ARP seems to work fine.
 
The ARP for one test-server:
 
#diagnose ip arp list | grep 10.49.0.48
index=34 ifname=DMZ-HO-Bond 10.49.0.48 00:50:56:89:xx:xx state=00000004 use=369512 confirm=372713 update=368876 ref=4
 
Thank you for your help!
 
KPS
#1


    kubimike (2019/09/12 12:10:57)
    since you have a cluster are you doing home-runs with wiring ?
    #2
    KPS (2019/09/12 12:14:15)
    kubimike wrote:
        since you have a cluster are you doing home-runs with wiring ?

    I do not really understand. The cluster is active-passive. Both nodes have one leg in every network.
    #3
    kubimike (2019/09/12 12:15:01)
    How many switches do you have connected to the fortigate ?
    #4
    KPS (2019/09/12 12:16:37)
    kubimike wrote:
        How many switches do you have connected to the fortigate ?

    Hi!
    Each Fortigate is connected to two switches as active-passive-bond.
    #5
    kubimike (2019/09/12 12:17:35)
    Ah, that's what I thought. See if this cures your problem; report back :)
     
    config system stp
    set switch-priority 0
    end

    #6
    KPS (2019/09/12 12:20:44)
    Hi!
     
    But why does this matter? The A/P-bond should not interact with STP - right?
    I am running that unchanged for a year. The only change was the upgrade of FortiOS.
    #7
    kubimike (2019/09/12 12:22:02)
    The switch is still active with packets getting copied to it. It mattered for me and solved my problem back in the day. If it doesn't solve it, just remove it. Worth a try!
     
    Don't forget to report back! I'm curious too.
    #8
    KPS (2019/09/12 12:34:09)
    Hi!
     
    Thank you for your help. I will give it a try, tomorrow and report back :-)
     
     
    #9
    KPS (2019/09/12 13:40:39)
    Hi!
     
    "config system stp" is not available on my 200E with 5.6.9
    Isn't this only available, if bridges are used?
     
    ...and one more question: Wouldn't this lead to the problem, that the fortigate would take over the role as root-bridge?
     
    #10
    kubimike (2019/09/12 13:59:10)
    This applies to spanning tree only. What type of switches do you have, what model? Very odd you don't have that command. Perhaps it's because of the age of your OS? Why do you run such an old release? The idea here is you want the Fortigate as root.
    #11
    KPS (2019/09/12 14:02:36)
    I think, we are talking about different things:
     
    I am not using Fortinet-Switches. I am using Dell and Arista with RSTP enabled.
    The system version of my fortigates is 5.6.9 - not very old, but I am not using them as switches.
    #12
    kubimike (2019/09/12 14:05:20)
    No, we are talking about the same thing, so you do have spanning tree turned on for the switches, it seems. So yeah, you'll need to see why your OS doesn't include the config stp. I've had great success with version 6.0.4.
    #13
    KPS (2019/09/12 14:07:39)
    Tomorrow, I will remove one port of the bond to test, if the bond is involved in the problem.
    5.6.6 did not show that behavior...
    #14
    kubimike (2019/09/12 14:21:27)
    That's a good test. Make sure you don't have any health monitors to trigger a failover.
    #15
    KPS (2019/09/13 01:44:47)
    Hi!

    I removed the "redundancy-link", but the problem is still there and very strange.
     
    According to the docs, ARP-Cache should be at least 5 minutes, but that is not the case.
     
    Test:
    Ping "over Fortigate" to ip.
    --> get system arp | grep IP --> Entry exists after ping:
    get system arp | grep 10.49.0.51
    10.49.0.51 0 00:50:56:96:49:b2 DMZ-HO-Bond

     
    61 seconds later, the ARP-entry is gone:
    fg200e_HZ_1_1 (root) # get system arp | grep 10.49.0.51
    [no output]

    Thank you and best wishes
    KPS
    #16
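    The test above (snapshot the ARP table after a ping, snapshot it again later, see whether the entry survived) is easy to automate. The following is an added example, not code from the thread or from Fortinet: it parses the four-column lines `get system arp` prints (address, age in minutes, MAC, interface), follows each IP across timestamped snapshots, and flags entries that disappeared sooner than the 5-minute minimum mentioned above. The header line, the second host and its MAC are constructed; the 10.49.0.51 entry mirrors the thread's output.

```python
"""Track FortiGate ARP entries across repeated 'get system arp' snapshots.

Added example (not from the thread or from Fortinet): parses the four-column
lines the thread shows (address, age in minutes, MAC, interface), follows each
IP across timestamped snapshots and reports entries that disappeared sooner
than the minimum lifetime the operator expects.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One data line of 'get system arp'. Prompts, headers and blank lines do not match.
ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\d+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+(?P<ifname>\S+)$"
)


def parse_arp_table(text: str) -> Dict[str, Tuple[str, str, int]]:
    """Map IP -> (mac, interface, age_minutes) for every data line in a snapshot."""
    entries: Dict[str, Tuple[str, str, int]] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries[m["ip"]] = (m["mac"].lower(), m["ifname"], int(m["age"]))
    return entries


@dataclass
class Lifetime:
    ip: str
    mac: str
    ifname: str
    first_seen: int             # seconds: first snapshot that contained the entry
    last_seen: int              # seconds: last snapshot that contained the entry
    vanished_at: Optional[int]  # first later snapshot missing it; None if still present


def track_lifetimes(snapshots: List[Tuple[int, str]]) -> Dict[str, Lifetime]:
    """snapshots: (seconds_since_start, raw 'get system arp' output), any order.
    Only the first disappearance of each IP is recorded; a later re-learn does not reset it."""
    seen: Dict[str, Lifetime] = {}
    for t, raw in sorted(snapshots):
        table = parse_arp_table(raw)
        for ip, (mac, ifname, _age) in table.items():
            if ip not in seen:
                seen[ip] = Lifetime(ip, mac, ifname, t, t, None)
            elif seen[ip].vanished_at is None:
                seen[ip].last_seen = t
        for ip, lt in seen.items():
            if lt.vanished_at is None and ip not in table:
                lt.vanished_at = t
    return seen


def short_lived(snapshots: List[Tuple[int, str]], min_lifetime_s: int = 300) -> List[Lifetime]:
    """Entries that vanished less than min_lifetime_s after they were first seen.
    vanished_at - first_seen is an upper bound on the real lifetime: the entry was
    dropped somewhere between last_seen and vanished_at."""
    return [lt for lt in track_lifetimes(snapshots).values()
            if lt.vanished_at is not None and lt.vanished_at - lt.first_seen < min_lifetime_s]


# Constructed snapshots modelled on the thread's test: 10.49.0.51 is learned after the
# ping and is gone 61 s later, while 10.49.0.48 stays. Header line and second MAC are assumed.
HEADER = "Address           Age(min)   Hardware Addr      Interface\n"
SAMPLE_SNAPSHOTS = [
    (0,  HEADER + "10.49.0.51 0 00:50:56:96:49:b2 DMZ-HO-Bond\n"
                  "10.49.0.48 2 00:50:56:89:aa:bb DMZ-HO-Bond\n"),
    (30, HEADER + "10.49.0.51 0 00:50:56:96:49:b2 DMZ-HO-Bond\n"
                  "10.49.0.48 3 00:50:56:89:aa:bb DMZ-HO-Bond\n"),
    (61, HEADER + "10.49.0.48 3 00:50:56:89:aa:bb DMZ-HO-Bond\n"),
]

if __name__ == "__main__":
    for lt in short_lived(SAMPLE_SNAPSHOTS):
        print(f"{lt.ip} ({lt.mac} on {lt.ifname}) vanished within "
              f"{lt.vanished_at - lt.first_seen} s (expected >= 300 s)")
```

    Feed it real snapshots by capturing `get system arp` every few seconds with the elapsed time; an IP that keeps showing up in `short_lived` while the host is reachable is the symptom the thread describes, separated from hosts that simply went quiet.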
    mjcrevier (2019/10/01 15:35:59)
    You mentioned this link is a "bond" then also mentioned "redundant link". Do you know which one you're using?
     
    You can check with "diag netlink aggregate list"
     
    How are your switches configured? Are they stacked or using MCLAG? How do you physically have them connected?
     
    Typically, I see unicast flooding in environments where the MAC/ARP timers have been incorrectly configured, or where there is asymmetry. Are you doing any routing on your Arista/Dell switches?
     
     
    #17
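    The timer mismatch mjcrevier refers to can be shown with a small model. This is an added example, not code from the thread or from any vendor: a router (the FortiGate's role) keeps an ARP entry for `arp_timeout` seconds, the switch keeps the host's MAC on its port for `mac_aging` seconds and refreshes it only when it sees a frame from that MAC, and the router sends one unicast frame per second to the host. `host_replies=False` stands in for the asymmetric case where the host's return traffic never crosses this switch. All timer values are assumed parameters, not FortiOS or switch defaults.

```python
"""Discrete-time model of unicast flooding from ARP/MAC timer mismatch.

Added example (not from the thread, not vendor code). Each second the router
sends one frame to the host; the switch forwards it on the learned port or, if
its MAC entry has aged out, floods it to every port. Timer values are assumed.
"""
from typing import Dict


def simulate(arp_timeout: int, mac_aging: int, duration: int,
             host_replies: bool = True) -> Dict[str, int]:
    """Count frames the switch forwarded on one port vs. flooded to all ports.

    host_replies=True : the host answers every frame, so the switch re-learns its
                        MAC each second (symmetric traffic).
    host_replies=False: the host's return traffic never crosses this switch (one-way
                        stream or asymmetric path); only ARP replies refresh the entry.
    """
    router_arp_expires = None   # absolute second at which the router's ARP entry ages out
    switch_mac_expires = None   # absolute second at which the switch's MAC entry ages out
    forwarded = flooded = arp_requests = 0

    for t in range(duration):
        # No valid ARP entry: the router broadcasts an ARP request. The host's unicast
        # reply crosses the switch, which (re)learns the host MAC on the correct port.
        if router_arp_expires is None or t >= router_arp_expires:
            router_arp_expires = t + arp_timeout
            switch_mac_expires = t + mac_aging
            arp_requests += 1

        # The router sends its unicast frame; the switch either knows the port or floods.
        if switch_mac_expires is not None and t < switch_mac_expires:
            forwarded += 1
        else:
            flooded += 1

        # A reply from the host is a frame with its source MAC: the switch refreshes.
        if host_replies:
            switch_mac_expires = t + mac_aging

    return {"forwarded": forwarded, "flooded": flooded, "arp_requests": arp_requests}


def flood_seconds_per_cycle(arp_timeout: int, mac_aging: int) -> int:
    """Closed form for the one-way case: the switch forgets the MAC at mac_aging, but the
    router only re-ARPs (and the switch only re-learns) at arp_timeout."""
    return max(0, arp_timeout - mac_aging)


if __name__ == "__main__":
    for arp, mac, replies in [(1200, 300, False), (1200, 300, True), (300, 300, False)]:
        r = simulate(arp, mac, 1200, host_replies=replies)
        print(f"arp_timeout={arp}s mac_aging={mac}s host_replies={replies}: {r}")
```

    With an ARP timeout longer than the switch's MAC aging and no return traffic, every cycle floods for `arp_timeout - mac_aging` seconds; either making the ARP timeout no longer than the MAC aging time or ensuring the host's traffic is seen by the switch removes the flooding in this model. Note that the thread's own observation (entries vanishing after about a minute) is the opposite of this classic case, which is why the replies ask about the link type and the switch's MAC table rather than timers alone.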
    KPS (2019/10/01 23:11:59)
    Hi!
     
    I am only using "redundant" interfaces (active-passive) and so, there is no config on the switches for LAGs, etc.
    The switches are not doing any routing.
    #18
    emnoc (2019/10/02 04:25:19)
    Why use a redundant link? I never even heard of this, can you show us your interface config? This might be part of the issue and maybe it was or was not going up prior to the upgrade and now you're seeing or noticing it.
     
    I would also check the "local switch mac address table" for mac-addr flapping. I'm betting the member links are and persistent with the layer2 mac-table of the switch.
     

    #19
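    Checking the switch's MAC table for flapping, as emnoc suggests, comes down to watching whether a MAC changes ports repeatedly in a short time. The following is an added example, not code from the thread or any switch vendor: it takes MAC-learn events (seconds, MAC, port) such as you would assemble from a switch's mac-move log messages or from repeated MAC-table snapshots, and separates a MAC that bounces between ports from one that moved once (a single redundant-interface failover). The events, the `02:...` MACs and the `EthN` port names are constructed placeholders; only the server MAC comes from the thread.

```python
"""Detect MAC addresses that move between switch ports ("flapping").

Added example, not from the thread or any vendor. Input is a list of MAC-learn
events (seconds, mac, port); the sample events, placeholder MACs and port names
below are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Event = Tuple[int, str, str]   # (seconds, mac, port)
Move = Tuple[int, str, str]    # (seconds, old_port, new_port)


def mac_moves(events: Iterable[Event]) -> Dict[str, List[Move]]:
    """Every port change per MAC, in time order. A MAC re-learned on the same port is not a move."""
    last_port: Dict[str, str] = {}
    moves: Dict[str, List[Move]] = defaultdict(list)
    for t, mac, port in sorted(events):
        mac = mac.lower()
        prev = last_port.get(mac)
        if prev is not None and prev != port:
            moves[mac].append((t, prev, port))
        last_port[mac] = port
    return dict(moves)


def flapping_macs(events: Iterable[Event], window_s: int = 60,
                  min_moves: int = 3) -> Dict[str, List[Move]]:
    """MACs with at least min_moves port changes inside some window_s-second window.
    A single move (e.g. one active-passive failover) does not count as flapping."""
    result: Dict[str, List[Move]] = {}
    for mac, mv in mac_moves(events).items():
        times = [t for t, _, _ in mv]
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window_s:
                j += 1
            if j - i >= min_moves:
                result[mac] = mv
                break
    return result


# Constructed events: 02:... are locally administered placeholder MACs, Eth3..Eth7 are
# placeholder port names. The first MAC bounces between two ports within 20 s, the
# second fails over exactly once, the server MAC from the thread never moves.
SAMPLE_EVENTS: List[Event] = [
    (0, "02:00:00:00:00:01", "Eth3"), (5, "02:00:00:00:00:01", "Eth4"),
    (9, "02:00:00:00:00:01", "Eth3"), (14, "02:00:00:00:00:01", "Eth4"),
    (20, "02:00:00:00:00:01", "Eth3"),
    (0, "02:00:00:00:00:02", "Eth5"), (3600, "02:00:00:00:00:02", "Eth6"),
    (0, "00:50:56:96:49:b2", "Eth7"), (600, "00:50:56:96:49:b2", "Eth7"),
]

if __name__ == "__main__":
    for mac, mv in flapping_macs(SAMPLE_EVENTS).items():
        print(mac, "flapped:", mv)
```

    For a FortiGate redundant interface, the expected steady state is that its MAC sits on exactly one switch port per switch; a MAC that shows up in `flapping_macs` points at the member links or at a switch-side learning problem, which is what the check above is meant to surface before looking at the FortiGate's ARP behaviour.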
    KPS (2019/10/02 04:29:29)
    Hi!
     
    I am a bit confused. I use redundant interfaces (Type: Redundant Interface) for years to avoid problems, if a switch fails.
     
    I can confirm, that there is no outgoing traffic on the secondary link and that mac-address-tables are stable.
     
    Don't you use redundant interfaces??
     
    ...and the config
        edit "DMZ-HO-Bond"
            set vdom "root"
            set ip 10.49.0.2 255.255.255.0
            set allowaccess ping https ssh snmp http fgfm
            set type redundant
            set explicit-web-proxy enable
            set member "port3" "port4"
            set role lan
            set snmp-index 29
        next

     

     
    #20