fortinet/azure-templates

Active/Active deployment outbound via ILB doesn't work (with fix)

Closed this issue · 1 comment

By default, the FortiGate active/active model (with ELB/ILB) doesn't allow routing outbound when directed via the ILB.
Tests to the port from other VMs respond OK, but the ILB shows health probes as down.
Sniffers on the FortiGates themselves show traffic coming in, but no response being sent from the Azure IP used by Load balancers.

Fix found with Fortinet support was to disable the "dhcp-classless-route-addition" setting on both ports of the FortiGate.

As soon as this was applied, the health probes on the ILB showed as healthy, and (provided a policy allowed the traffic in the FortiGate) outbound traffic from the backend could flow via the ILB.

Could this change be added to the template please? Hopefully it'll save others using this the headache I've been through!
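The fix described in this issue, written out as FortiOS CLI. This is an added example, not configuration from the original issue or from the fortinet/azure-templates repository; the interface names port1 and port2 are assumed to be the two FortiGate ports the template deploys, so substitute the names used in your deployment. The setting controls whether the FortiGate installs classless static routes pushed by the DHCP server (DHCP option 121); disabling it leaves the interface's DHCP address assignment in place but keeps those routes out of the routing table.

```fortios
# Added example: disable DHCP classless static route installation on
# both FortiGate ports (port1/port2 are assumed names, check yours).
config system interface
    edit "port1"
        set dhcp-classless-route-addition disable
    next
    edit "port2"
        set dhcp-classless-route-addition disable
    next
end
```

After applying it, confirm the change with `show system interface port1` and `show system interface port2`, and check the ILB backend pool in the Azure portal to verify the health probes report healthy. Note that the later template version mentioned below in this thread moves to static IP addressing, where DHCP-learned routes do not apply.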

Hi,

Thanks for opening this issue. We are aware of this change in more recent versions of FortiGate.

We have just published a new version of the A/A deployment which supports up to 8 VMs (more VMs can be deployed but they are not automatically configured) instead of the A/A 2 VM setup. This new setup uses static IPs instead of DHCP so we can configure clustering between the different units.

Regards,

Joeri