November 18, 2004

Technical Tip: HA Failover issues with layer-3 switches

Description:
This article explains potential issues that may occur when operating FortiGate clusters in High Availability (HA) mode with third-party Layer-3 switches.

Scope:
FortiGate v7.0 and above, operating in High Availability (HA) mode.

Solution:

During an HA failover event, the newly elected primary FortiGate unit sends special (gratuitous) ARP packets to update the MAC address forwarding tables of directly connected switches.


When using Layer-2 switches:
The ARP packets successfully refresh MAC tables, and the switches begin forwarding traffic to the new primary FortiGate without interruption.


When using Layer-3 switches:
The Layer-3 forwarding (ARP or routing) tables may not update automatically after the failover.
As a result:

  • The Layer-3 switch continues forwarding packets to the old (now failed) primary unit.

  • Traffic flow is interrupted.

  • The cluster may appear non-functional until the Layer-3 switch updates its tables.


Layer-3 switches maintain a cache of IP-to-interface mappings that is not refreshed by ARP updates alone.
These cached entries may persist for a relatively long timeout period, so traffic is not redirected to the new primary FortiGate until the entries age out.


Possible solution:

Manually clear or flush the forwarding (ARP or routing) table on the Layer-3 switch after a failover to force it to learn the new path.
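As an added illustration (not from this article or from Fortinet), the following Python model contrasts how a Layer-2 MAC table and a Layer-3 forwarding cache react to the new primary's gratuitous ARP, and shows that only a flush or a cache age-out restores the path. The cluster IP, virtual MAC, port numbers and cache timeout are constructed values.

```python
from dataclasses import dataclass, field

# Constructed values for this model; not taken from any real deployment.
CLUSTER_IP = "10.0.0.1"
VIRTUAL_MAC = "00:09:0f:09:00:01"   # example HA virtual MAC, constructed
PORT_OLD_PRIMARY, PORT_NEW_PRIMARY = 1, 2
L3_CACHE_TIMEOUT = 14400            # assumed L3 cache age-out in seconds


@dataclass
class Switch:
    """Minimal switch model: an L2 MAC table plus, on L3 switches, a cached
    IP -> egress-port entry that ARP traffic does not overwrite while valid."""
    layer3: bool
    mac_table: dict = field(default_factory=dict)  # mac -> port
    l3_cache: dict = field(default_factory=dict)   # ip -> (port, learned_at)
    now: int = 0                                   # simulated clock, seconds

    def _cache_valid(self, ip: str) -> bool:
        entry = self.l3_cache.get(ip)
        return entry is not None and self.now - entry[1] < L3_CACHE_TIMEOUT

    def learn_arp(self, ip: str, mac: str, port: int) -> None:
        """Process an ARP frame (gratuitous or not) that arrived on `port`."""
        self.mac_table[mac] = port                 # the L2 table always refreshes
        if self.layer3 and not self._cache_valid(ip):
            self.l3_cache[ip] = (port, self.now)   # only learned when absent/aged out

    def egress_port(self, ip: str, mac: str) -> int:
        """Port the switch uses for a packet addressed to (ip, mac)."""
        if self.layer3 and self._cache_valid(ip):
            return self.l3_cache[ip][0]            # cached path, possibly stale
        return self.mac_table[mac]

    def flush_l3_cache(self) -> None:
        """The manual action from the article: clear the L3 forwarding table."""
        self.l3_cache.clear()


def simulate_failover(layer3: bool, flush: bool = False, wait: int = 0) -> int:
    """Return the port cluster traffic leaves on after a failover to port 2."""
    sw = Switch(layer3=layer3)
    sw.learn_arp(CLUSTER_IP, VIRTUAL_MAC, PORT_OLD_PRIMARY)   # steady state
    sw.now += 10
    sw.learn_arp(CLUSTER_IP, VIRTUAL_MAC, PORT_NEW_PRIMARY)   # new primary's GARP
    if flush:
        sw.flush_l3_cache()                                   # operator clears table
        sw.learn_arp(CLUSTER_IP, VIRTUAL_MAC, PORT_NEW_PRIMARY)  # relearned on next ARP
    sw.now += wait                                            # optionally wait for age-out
    return sw.egress_port(CLUSTER_IP, VIRTUAL_MAC)
```

With an L2 switch the GARP alone moves traffic to port 2; with an L3 switch it stays on the failed unit's port 1 until the cache is flushed or ages out.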


Note: To make the cluster also signal the failure to attached switches (link-failed-signal briefly brings down the failed unit's interfaces after a failover, so that switches have to relearn the path), enable the following setting:


config system ha
    set link-failed-signal enable
end


Related article:

Troubleshooting Tip: FortiGate HA link-failed-signal and switching MAC address tables