VRRP high availability

A Virtual Router Redundancy Protocol (VRRP) configuration can be used as a high availability solution to make sure that a network maintains connectivity with the internet (or with other networks) even if the default router for the network fails. Using VRRP, if a router or a FortiGate fails, all traffic to this router transparently fails over to another router or FortiGate that takes over the role of the router or FortiGate that failed. If the failed router or FortiGate is restored, it once again takes over processing traffic for the network. VRRP version 2 is described by RFC 3768 and version 3 by RFC 5798.

FortiOS supports IPv4 VRRP versions 2 and 3, and you can set up VRRP domains that include multiple FortiGates and other VRRP-compatible routers. You can add different FortiGate models to the same VRRP domain, and you can add multiple IPv4 VRRP virtual routers (each with its own VRID) to the same interface. FortiGates can also be quickly and easily integrated into a network that has already deployed a group of routers using VRRP.

Example VRRP configuration

The most common application of VRRP is to provide redundant default routers between an internal network and the internet. The default routers can be FortiGates and/or any routers that support VRRP.

To set up VRRP:

  1. Add a virtual VRRP router to the internal interface of each of the FortiGates and routers. This adds the FortiGates and routers to the same VRRP domain.
  2. Set the VRRP IP address of the domain to the internal network default gateway IP address.
  3. Give one of the VRRP domain members the highest priority so it becomes the primary (or master) router and give the others lower priorities so they become backup routers.
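The three steps above on a pair of FortiGates, as an added configuration example that is not from the original page. The interface name port2, the 10.1.100.0/24 addresses, VRID 1 and the priority values are assumed; a third-party router joining the same domain needs the same VRID and virtual IP configured with its own CLI. Lines beginning with # are comments.

```text
# FGT-A: internal interface, highest priority in the domain -> primary router
config system interface
    edit "port2"
        set ip 10.1.100.2 255.255.255.0
        # Answer for the virtual IP with the VRRP virtual MAC (00-00-5E-00-01-<VRID>)
        # so that a failover does not depend on hosts refreshing their ARP cache
        set vrrp-virtual-mac enable
        config vrrp
            # VRID 1: must be the same on every member of the domain
            edit 1
                # virtual IP = the internal network's default gateway address
                set vrip 10.1.100.1
                # highest priority -> this unit becomes the primary router
                set priority 200
                # advertisement interval in seconds
                set adv-interval 1
                # seconds of asymmetric routing allowed right after taking over
                set start-time 3
                # retake the primary role when this unit comes back
                set preempt enable
            next
        end
    next
end

# FGT-B: same VRID and virtual IP, lower priority -> backup router
config system interface
    edit "port2"
        set ip 10.1.100.3 255.255.255.0
        set vrrp-virtual-mac enable
        config vrrp
            edit 1
                set vrip 10.1.100.1
                set priority 100
                set adv-interval 1
                set start-time 3
                set preempt enable
            next
        end
    next
end
```

Each unit keeps its own real address on port2 and shares only the virtual address 10.1.100.1, which is what the internal hosts use as their default gateway; the virtual IP has to be in the same subnet as the interface address. After applying the configuration, get router info vrrp on each unit shows which one holds the Master role for VRID 1.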

During normal operation, all traffic from the internal network to the internet passes through the primary VRRP router. The primary router also sends VRRP advertisement messages to the backup routers at the configured advertisement interval. A backup router will not attempt to become the primary router while it is receiving these messages. If the primary router fails, the backup router with the highest priority becomes the new primary router after a short delay: it must first miss several advertisements (three advertisement intervals plus a skew time that is shorter for higher-priority routers, which is how the highest-priority backup wins the role). On taking over, the new primary router sends gratuitous ARP packets to the network to map the network's default gateway IP address to the new primary router's MAC address, so all packets sent to the default gateway are now delivered to the new primary router. If the new primary router is a FortiGate, the network continues to benefit from FortiOS security features. If the new primary router is just a router, traffic continues to flow, but FortiOS security features are unavailable until the FortiGate is back online.

If the backup router is a FortiGate, then during a VRRP failover, as the FortiGate begins operating as the new primary router, it does not have session information for the in-progress sessions that have failed over to it, so it would normally not be able to forward their traffic. To resolve this problem, immediately after a failover and for a short time (called the start time), the FortiGate acting as the new primary router operates with asymmetric routing enabled. This allows it to recreate in-progress UDP and ICMP sessions and add them to its session table. In-progress TCP sessions can also be recreated and added to the session table if SYN flag checking is disabled (see Enable creation of TCP session on the firewall without checking for a SYN packet in the Fortinet Knowledge Base).

While operating with asymmetric routing enabled, the FortiGate cannot apply security functions. When the start time ends, the FortiGate disables asymmetric routing and returns to normal operation (including applying security functions).
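The SYN-check relaxation that lets a newly primary FortiGate rebuild in-progress TCP sessions, as an added example that is not from the original page or the Knowledge Base article it cites. It uses the FortiOS tcp-session-without-syn setting, which exists both as a per-VDOM switch under config system settings and as a per-policy option; the policy ID 1 and the interface names port1 (internet) and port2 (internal) are assumed.

```text
# Per-VDOM switch: allow TCP sessions to be created from a packet that is not a SYN
config system settings
    set tcp-session-without-syn enable
end

# Per-policy: enable it only on the policies that carry the failed-over traffic
config firewall policy
    edit 1
        set name "internal-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        # all: create sessions from any TCP segment; data-only restricts this to
        # segments carrying payload; disable restores normal SYN checking
        set tcp-session-without-syn all
    next
end
```

This setting is not tied to the start time: once enabled, the policy accepts a mid-stream TCP segment with no preceding handshake as the start of a session at all times, which weakens the stateful check that normally rejects such packets. Keep it on the smallest set of policies that need it, and if losing in-progress TCP flows for a few seconds during a failover is acceptable, leave it disabled.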