Monday, August 22, 2016

HPE FlexFabric IRF with Fortigate HA - OSPF and VPN-instances


Two HPE Comware 7 switches running in IRF mode (one logical switch with two members), connected to a Fortigate 600D pair in HA active/passive mode.

The links between the devices are crossed so that a single device failure or an HA failover does not break connectivity.

In my first attempt I assumed that, since the HPE switches run IRF, I should treat them as a single device when connecting them to the Fortigate HA pair, so I put all four switch ports in one bridge-aggregation group. This configuration caused partial packet loss: from the switch's point of view all four ports in the link-aggregation group were up and usable, because the Fortigate keeps the ports on the passive unit link-up even in an HA configuration, so part of the traffic was hashed onto links that end on the passive unit.

Configuring the Fortigate with two ports (port17 and port18) in an aggregate interface carrying all the VLAN sub-interfaces, and the HPE switches with two bridge-aggregation interfaces, one for each switch, solved the problem.

Next came the VPN-instance issue (a VPN-instance is VRF lite in Cisco terms). On the switches I configured five VPN-instances and one OSPF process per VPN-instance between the Fortigate and the switches. The Fortigate advertised a default route (under Router -> Dynamic -> Advanced) in "always" mode, yet on the switches the default route did not show up in any VPN-instance. The problem was solved by issuing the command vpn-instance-capability simple under the OSPF process bound to each VPN-instance; it disables the routing-loop detection that Comware applies to an OSPF process running inside a VPN-instance, which was discarding the default route.


This is the network topology:

HPE FlexFabric switch configuration (relevant part):

ip vpn-instance TEST1
 route-distinguisher 1:10
#
ip vpn-instance TEST2
 route-distinguisher 1:20
#
ip vpn-instance TEST3
 route-distinguisher 1:30
#
ip vpn-instance TEST4
 route-distinguisher 1:40
#
ip vpn-instance TEST5
 route-distinguisher 1:50
#
irf domain 1 
 irf mac-address persistent timer
 irf auto-update enable
 irf link-delay 200
 irf member 1 priority 32
 irf member 2 priority 31
 irf member 1 description IRF_UNIT1
 irf member 2 description IRF_UNIT2
 irf mode normal
#
 irf-port global load-sharing mode destination-ip source-ip
#
ospf 10 router-id 1.1.1.10 vpn-instance TEST1
 vpn-instance-capability simple
 area 0.0.0.10
  network 0.0.0.0 255.255.255.255
#
ospf 20 router-id 1.1.1.20 vpn-instance TEST2
 vpn-instance-capability simple
 area 0.0.0.20
  network 0.0.0.0 255.255.255.255
#
ospf 30 router-id 1.1.1.30 vpn-instance TEST3
 vpn-instance-capability simple
 area 0.0.0.30
  network 0.0.0.0 255.255.255.255
#
ospf 40 router-id 1.1.1.40 vpn-instance TEST4
 vpn-instance-capability simple
 area 0.0.0.40
  network 0.0.0.0 255.255.255.255
#
ospf 50 router-id 1.1.1.50 vpn-instance TEST5
 vpn-instance-capability simple
 area 0.0.0.50
  network 0.0.0.0 255.255.255.255
#
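The configuration above can be checked mechanically for the VPN-instance pitfall from the post. The following Python script is an added example, not part of the original post and not an HPE or Fortinet tool: it splits a Comware 7 running-config into its top-level views (Comware prints each view unindented and closes it with a line containing only "#"), then reports every ip vpn-instance that has no OSPF process bound to it and every bound OSPF process that lacks vpn-instance-capability simple. The embedded config is constructed for the demonstration (the VPN-instance names TEST5 and TEST6 are reused from the post, but the missing command and the unbound instance are deliberate defects added here).

```python
"""Audit a Comware 7 config for OSPF processes bound to a VPN instance
that are missing 'vpn-instance-capability simple' (added example)."""
import re

# Constructed sample modelled on the post's switch config: TEST1 and TEST2
# carry the fix, TEST5's OSPF process lacks it, and TEST6 has no OSPF
# process bound to it at all (both defects are deliberate).
SAMPLE_CONFIG = """\
ip vpn-instance TEST1
 route-distinguisher 1:10
#
ip vpn-instance TEST2
 route-distinguisher 1:20
#
ip vpn-instance TEST5
 route-distinguisher 1:50
#
ip vpn-instance TEST6
 route-distinguisher 1:60
#
ospf 10 router-id 1.1.1.10 vpn-instance TEST1
 vpn-instance-capability simple
 area 0.0.0.10
  network 0.0.0.0 255.255.255.255
#
ospf 20 router-id 1.1.1.20 vpn-instance TEST2
 vpn-instance-capability simple
 area 0.0.0.20
  network 0.0.0.0 255.255.255.255
#
ospf 50 router-id 1.1.1.50 vpn-instance TEST5
 area 0.0.0.50
  network 0.0.0.0 255.255.255.255
#
"""

VPN_RE = re.compile(r"^ip vpn-instance (\S+)$")
OSPF_RE = re.compile(r"^ospf (\d+)(?: router-id \S+)? vpn-instance (\S+)$")
FIX_CMD = "vpn-instance-capability simple"


def parse_views(config):
    """Split a Comware config into (view_header, [sub-commands]) tuples.

    Top-level views are unindented; everything indented below them belongs
    to that view until a '#' separator (or blank line) closes it."""
    views, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line in ("#", ""):
            current = None
        elif not line.startswith(" "):
            current = (line, [])
            views.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return views


def audit_vpn_ospf(config):
    """Classify every VPN instance by the state of its OSPF process.

    Returns {"ok": [...], "missing_fix": [...], "no_ospf": [...]} with
    VPN-instance names sorted inside each list."""
    vpns = set()
    ospf_by_vpn = {}  # vpn-instance name -> (process id, fix present?)
    for header, subs in parse_views(config):
        vpn_match = VPN_RE.match(header)
        ospf_match = OSPF_RE.match(header)
        if vpn_match:
            vpns.add(vpn_match.group(1))
        elif ospf_match:
            ospf_by_vpn[ospf_match.group(2)] = (ospf_match.group(1), FIX_CMD in subs)
    report = {"ok": [], "missing_fix": [], "no_ospf": []}
    for vpn in sorted(vpns):
        if vpn not in ospf_by_vpn:
            report["no_ospf"].append(vpn)
        elif ospf_by_vpn[vpn][1]:
            report["ok"].append(vpn)
        else:
            report["missing_fix"].append(vpn)
    return report


if __name__ == "__main__":
    result = audit_vpn_ospf(SAMPLE_CONFIG)
    for vpn in result["missing_fix"]:
        print(f"{vpn}: OSPF process lacks '{FIX_CMD}'; default route will not be installed")
    for vpn in result["no_ospf"]:
        print(f"{vpn}: no OSPF process bound to this vpn-instance")
    print("ok:", ", ".join(result["ok"]))
```

Feed it the output of display current-configuration (saved to a file and read into a string) to audit a real switch; an instance listed under "missing_fix" is one where the Fortigate's advertised default route will be silently dropped, exactly the symptom described in the post.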