I_Omel
Staff
May 22, 2026

Technical Tip: FortiGate HA with Cisco ACI: Rogue endpoint issue


Description

This article explains why a FortiGate HA failover can trigger rogue endpoint detection in Cisco ACI, and which configuration options on both sides reduce the impact of a failover.

Scope

FortiOS, Cisco ACI.

Solution

Problem description:

In deployments where FortiGate firewalls run in High Availability (Active-Passive) mode and connect to a Cisco ACI fabric, a common issue can arise during failover events. The cluster's interface IP addresses and virtual MAC (VMAC) addresses follow the primary unit, so neighbours do not have to relearn addressing when the primary changes. Ideally, during a failover, the VMAC moves from the previously active node to the new active node exactly once.


Cisco ACI, however, may interpret the failover differently. The fabric learns endpoints (MAC/IP) and expects them to stay put. If the same MAC address is seen moving between ports or leaf switches several times within a short window, rogue endpoint control classifies it as a rogue endpoint. With the default settings (for example, 4 moves within a 60-second detection interval) ACI flags the endpoint as rogue, stops learning it and blocks its traffic for the hold interval, which is 30 minutes by default.


In practice, a single failover can produce several observed MAC moves. Contributing factors are a short overlap during which both FortiGate units forward traffic, bursts of gratuitous ARP (GARP) messages from the new primary, independent endpoint learning on different ACI leaf switches, and in-flight or buffered frames still arriving via the previously active unit. Each time the VMAC shows up on a port or leaf other than its last learned location, ACI counts a move, so the fabric can count four or more moves for a failover that actually happened only once.
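To make the counting concrete, the following Python model replays one constructed failover through a simplified version of the rogue endpoint rule described above. It is an added example, not Cisco or Fortinet code: the counting rule (a move is any change of learned location, N moves inside a sliding detection window mark the MAC rogue for the hold interval) is an assumption that mirrors the article's description, and the leaf names, timestamps and VMAC are constructed.

```python
"""Simplified model of ACI rogue endpoint detection applied to one FortiGate
HA failover. Added illustration, not Cisco's or Fortinet's implementation;
the counting rule is an assumption following the article's description."""
from dataclasses import dataclass

VMAC = "00:09:0f:09:00:02"  # constructed FortiGate-style virtual MAC (assumption)


@dataclass
class RogueEpPolicy:
    """ACI rogue endpoint control knobs, initialised to the shipped defaults."""
    detect_interval: float = 60.0        # seconds
    detect_multiplier: int = 4           # moves within the interval that trip detection
    hold_interval: float = 1800.0        # seconds the endpoint stays rogue
    exceptions: frozenset = frozenset()  # MACs on the Rogue/COOP exception list


@dataclass
class Observation:
    t: float          # seconds
    mac: str
    location: str     # leaf and port where the MAC was learned
    reason: str
    stale: bool = False  # frame sent by the demoted unit after the failover


def events_for_failover(link_failed_signal: bool) -> list[Observation]:
    """Constructed learning events for a single failover at t=100 s.

    The old primary sits behind leaf101, the new primary behind leaf102.
    Without link-failed-signal the old primary keeps forwarding briefly, so
    the fabric keeps seeing the VMAC on leaf101 between the new primary's GARPs."""
    obs = [
        Observation(0.0, VMAC, "leaf101:eth1/5", "initial learn, old primary"),
        Observation(100.0, VMAC, "leaf102:eth1/5", "GARP from new primary"),
        Observation(100.2, VMAC, "leaf101:eth1/5", "in-flight frame from old primary", stale=True),
        Observation(100.4, VMAC, "leaf102:eth1/5", "GARP repeat from new primary"),
        Observation(101.0, VMAC, "leaf101:eth1/5", "old primary still forwarding", stale=True),
        Observation(101.5, VMAC, "leaf102:eth1/5", "GARP repeat from new primary"),
    ]
    if link_failed_signal:
        # The demoted unit drops its links for a second, so no stale frames arrive.
        obs = [o for o in obs if not o.stale]
    return obs


def detect_rogue(observations: list[Observation], policy: RogueEpPolicy) -> dict[str, float]:
    """Return {mac: rogue_until} for every MAC that trips the policy.

    A move is counted whenever a MAC is learned at a location different from
    its last one. Moves are kept in a sliding window of detect_interval
    seconds; reaching detect_multiplier moves marks the MAC rogue, after which
    further learning for it is ignored until rogue_until."""
    last_location: dict[str, str] = {}
    move_times: dict[str, list[float]] = {}
    rogue_until: dict[str, float] = {}
    for ob in sorted(observations, key=lambda o: o.t):
        if ob.mac in policy.exceptions:
            continue  # exception list: never evaluated
        if ob.mac in rogue_until and ob.t < rogue_until[ob.mac]:
            continue  # frozen: learning updates are ignored during the hold
        prev = last_location.get(ob.mac)
        last_location[ob.mac] = ob.location
        if prev is None or prev == ob.location:
            continue
        window = [t for t in move_times.get(ob.mac, []) if ob.t - t < policy.detect_interval]
        window.append(ob.t)
        move_times[ob.mac] = window
        if len(window) >= policy.detect_multiplier:
            rogue_until[ob.mac] = ob.t + policy.hold_interval
    return rogue_until


if __name__ == "__main__":
    scenarios = {
        "defaults, no link-failed-signal": (events_for_failover(False), RogueEpPolicy()),
        "defaults, link-failed-signal":    (events_for_failover(True), RogueEpPolicy()),
        "multiplier raised to 8":          (events_for_failover(False), RogueEpPolicy(detect_multiplier=8)),
        "VMAC on exception list":          (events_for_failover(False), RogueEpPolicy(exceptions=frozenset({VMAC}))),
    }
    for name, (events, policy) in scenarios.items():
        print(f"{name:35s} -> rogue: {detect_rogue(events, policy) or 'none'}")
```

With the shipped defaults the two stale frames from the demoted unit interleave with the new primary's GARPs and produce four location changes in about one second, enough to freeze the VMAC for the full hold interval; removing the stale frames (link-failed-signal), raising the multiplier, or excepting the MAC each keeps the fabric below the threshold.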


This behavior is not unique to FortiGate. It is inherent to any system that preserves MAC and IP identity across nodes, such as other firewall clusters, load balancers, and virtual machine migrations. The root of the issue lies in a mismatch between deterministic failover design and distributed endpoint learning in the fabric.


Mitigation requires a combination of adjustments on both the Cisco ACI and FortiGate sides. The goal is to either reduce the number of observed MAC moves or make ACI more tolerant to expected behavior.


FortiGate-side:

  • Stabilize HA behavior: Avoid unnecessary failovers by verifying the HA heartbeat links, heartbeat reliability, and interface consistency; from the fabric's point of view every failover is another burst of moves.

  • Enable link-failed-signal: When enabled, the former primary brings all its interfaces down for one second after it loses primary status, which forces the attached switches to flush its MAC entries and removes the window in which both units forward traffic.

  • Ensure GARP is enabled: The new primary then announces the VMAC on each interface right after failover, so the fabric learns the new location quickly and consistently. The number of GARPs sent and the interval between them are tunable (arps and arps-interval under config system ha); see the related document below.


config system ha 
    set link-failed-signal enable 
    set gratuitous-arps enable
end 


Cisco ACI-side:

  • Adjust Rogue Endpoint Control: Raise the detection multiplier so that the moves generated by one failover stay below the threshold, and shorten the hold interval so that a false positive clears sooner. Do not disable the feature outright; it still protects the fabric against a MAC that genuinely loops.

  • Define Static Endpoints: Configure the FortiGate VMAC as a static endpoint in its EPG, bound to the paths of both leaf ports. Static endpoints are not dynamically learned, so no move is ever counted for them.

  • Enable Endpoint Move Detection (GARP-based detection) on the bridge domain, so the fabric acts on the gratuitous ARPs sent by the new primary instead of waiting for data-plane learning.

  • Add the VMAC to the Rogue/COOP Exception List of the bridge domain. Rogue detection is then skipped for that address entirely; restrict this to the firewall VMACs, since an excepted MAC that really flaps will not be contained.
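The first and last of these ACI-side changes can be scripted against the APIC REST API. The Python below, an added example rather than Cisco's or Fortinet's code, builds the JSON for the global rogue endpoint control policy (class epControlP at uni/infra/epCtrlP-default) with the shipped defaults beside a more tolerant setting, and the bridge-domain exception-list entry for the VMAC. The tenant, bridge domain, VMAC and APIC URL are constructed placeholders; the exception-list child class name fvRogueExceptionMac is an assumption to verify in your APIC release's object model browser before posting.

```python
"""Build (and optionally push) the APIC objects for the ACI-side mitigations:
tune rogue endpoint control and except the FortiGate VMAC on a bridge domain.
Added example; not Cisco or Fortinet code."""
import json
import os
import re
import ssl
import urllib.request

EP_CONTROL_DN = "uni/infra/epCtrlP-default"   # class epControlP (global rogue EP control)
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def ep_control_payload(detect_interval=60, detect_multiplier=4, hold_interval=1800, enabled=True):
    """JSON body for POST /api/mo/uni/infra/epCtrlP-default.json.

    The defaults reproduce ACI's shipped values (60 s window, 4 moves, 1800 s hold).
    Pass a higher multiplier, and a hold interval within the range your release
    accepts, to make the fabric tolerate one failover's burst of moves."""
    if detect_interval <= 0 or detect_multiplier <= 0 or hold_interval <= 0:
        raise ValueError("interval, multiplier and hold interval must be positive")
    return {"epControlP": {"attributes": {
        "dn": EP_CONTROL_DN,
        "adminSt": "enabled" if enabled else "disabled",
        "rogueEpDetectIntvl": str(detect_interval),
        "rogueEpDetectMult": str(detect_multiplier),
        "holdIntvl": str(hold_interval),
    }}}


def normalize_mac(mac):
    """Accept only colon-separated MACs and return them in the upper-case form APIC shows."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    return mac.upper()


def rogue_exception_payload(tenant, bd, macs):
    """JSON body for POST /api/mo/uni/tn-<tenant>/BD-<bd>.json adding MACs to the
    bridge domain's Rogue/COOP Exception List.

    ASSUMPTION: child class fvRogueExceptionMac with a 'mac' attribute; confirm it
    in the APIC object model browser for your release before posting."""
    bd_dn = f"uni/tn-{tenant}/BD-{bd}"
    children = [{"fvRogueExceptionMac": {"attributes": {"mac": normalize_mac(m)}}} for m in macs]
    return {"fvBD": {"attributes": {"dn": bd_dn}, "children": children}}


def apic_login(apic_url, user, password):
    """Authenticate (POST /api/aaaLogin.json) and return the TLS context and cookie header."""
    ctx = ssl.create_default_context()  # keep verification on; trust the APIC CA instead of disabling it
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}}).encode()
    req = urllib.request.Request(apic_url + "/api/aaaLogin.json", data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = json.loads(resp.read())["imdata"][0]["aaaLogin"]["attributes"]["token"]
    return ctx, {"Cookie": "APIC-cookie=" + token}


def apic_post(apic_url, ctx, headers, dn, payload):
    """POST one managed object to /api/mo/<dn>.json and return the HTTP status."""
    req = urllib.request.Request(f"{apic_url}/api/mo/{dn}.json", data=json.dumps(payload).encode(),
                                 headers={**headers, "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    VMAC = "00:09:0f:09:00:02"  # constructed FortiGate-style VMAC (placeholder)
    print("shipped defaults:", json.dumps(ep_control_payload()))
    tuned = ep_control_payload(detect_multiplier=8)  # one failover's moves stay under 8
    exc = rogue_exception_payload("Prod", "Transit", [VMAC])
    print("tuned:", json.dumps(tuned))
    print("exception list:", json.dumps(exc))
    if os.environ.get("APIC_URL"):  # only touch a fabric when explicitly asked to
        url = os.environ["APIC_URL"]
        ctx, hdr = apic_login(url, os.environ["APIC_USER"], os.environ["APIC_PASS"])
        print(apic_post(url, ctx, hdr, EP_CONTROL_DN, tuned))
        print(apic_post(url, ctx, hdr, "uni/tn-Prod/BD-Transit", exc))
```

Run it without APIC_URL set to print the payloads for review; with APIC_URL, APIC_USER and APIC_PASS exported it logs in and posts both objects. Both operations are fabric-wide or bridge-domain-wide policy changes, so review the printed JSON in change control before pushing it.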


Summary:

In ACI environments, several MAC move events during a failover are expected because of the fabric's distributed learning. The recommended approach is to combine FortiGate HA tuning with ACI policy adjustments. For critical environments, static endpoints or the exception list give the most deterministic outcome, at the cost of taking the firewall VMAC out of rogue detection altogether.


Related documents:

Technical Tip: Setting the number of Gratuitous ARP (GARP) packets sent and their interval by the primary unit

Troubleshooting Tip: FortiGate HA link-failed-signal and switching MAC address tables

Configure Rogue/COOP Exception List in ACI