Troubleshooting Tip: FortiGate HA link-failed-signal and switching MAC address tables
Description
This article describes the behavior of the HA 'link-failed-signal' error which brings down (briefly shutdown) all interfaces of a unit if a monitored link is detected as down.
If the FortiGate HA clusters units are managed through a dedicated network management interface, the interface will not be brought down.
If the FortiGate HA clusters units are managed through a dedicated network management interface, the interface will not be brought down.
config system ha
set link-failed-signal enable
set ha-mgmt-interface "mgmt"
end
set link-failed-signal enable
set ha-mgmt-interface "mgmt"
end
Scope
Any supported version of FortiGate in HA.
Solution
When a FortiGate HA cluster is operating and a monitored interface fails on the primary unit, the primary unit becomes a subordinate unit and another cluster unit becomes the primary unit.
Normally, after a link failover, the new primary unit sends Gratuitous ARP (GARP) packets to refresh the MAC forwarding tables of the switches connected to the cluster.
In some instances, switches ignore the GARP packets and continue to reference the MAC address for the port of the failed FortiGate
and will keep sending packets.
You can use the following command to cause a cluster unit with a monitored interface link failure to briefly shut down all of its interfaces (except the heartbeat interfaces and HA management Interface) after the failover occurs (the switch will detect the failure and will clear the MAC table):
When a FortiGate HA cluster is operating and a monitored interface fails on the primary unit, the primary unit becomes a subordinate unit and another cluster unit becomes the primary unit.
Normally, after a link failover, the new primary unit sends Gratuitous ARP (GARP) packets to refresh the MAC forwarding tables of the switches connected to the cluster.
In some instances, switches ignore the GARP packets and continue to reference the MAC address for the port of the failed FortiGate
and will keep sending packets.
You can use the following command to cause a cluster unit with a monitored interface link failure to briefly shut down all of its interfaces (except the heartbeat interfaces and HA management Interface) after the failover occurs (the switch will detect the failure and will clear the MAC table):
config system ha
set link-failed-signal enable
end
Note: When the link-failed-signal is activated, any aggregate interface is exempted or excluded from the "bring down" and "bring up" processes because its status will be updated when a member of the aggregate interface is down or up.
Workaround.
This is as designed and there is no workaround.
Disabling 'ha-mgmt-status' and 'link-failed-signal' will work on the management interface.
Disabling 'ha-mgmt-status' and 'link-failed-signal' will work on the management interface.
Problem Verification
Execute the following command and check output1.
diag debug app hatalk -1
Related article.
Technical Tip: Updating MAC forwarding tables when an HA link failover occurs.