AdiMizil
New Member
February 12, 2020
Solved

Change virtual MAC on WAN 1 in a HA Cluster


Hi everyone,

 

I have a pair of 80E running in an HA cluster with dual ISP and SD-WAN enabled on 6.2.3 for the last 3 weeks. Since I enabled HA, my WAN1 interface keeps going down and up every couple of minutes (it goes DOWN on the SD-WAN Performance SLA due to packet loss).

 

I have troubleshot it, and it appears that it's not receiving packets back from the ISP gateway (not receiving a reply to the ARP request for the gateway MAC address - an L2 issue).

 

I opened an incident with my ISP, and after troubleshooting they said the issue is with the FortiGate, which is using the same virtual MAC for all firewall clusters. Most probably there is another cluster in the same subnet on my WAN (which is part of a /24).

 

Indeed, if you look at the virtual MAC formula here: https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=11772&languageId= , unless you change the group ID or enable VDOMs or virtual clusters, it will be: 00-09-0f-09-00-00. The virtual MAC formula is: 00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>

  • The second last part of the virtual MAC address depends on the HA group ID and is the same for each cluster interface. The last part of the virtual MAC address is different for each cluster interface.

     

    In this case I would like to change the "group ID" on each of the cluster members, starting with the slave member and then on the master member.

     

    Q: Will this change also change the MAC addresses on all the rest of the interfaces? Any recommendations?

     

    Kind regards, 

    Adi

    • Best answer by Johan_Witters (New Member, February 12, 2020)

      Hi Adi,

      Changing the group ID will change the MAC address on all interfaces, as all interfaces get a virtual cluster address once HA is configured.

      But unless you have checks on the current MAC address of the FortiGates (e.g. NAC) etc., your MAC and ARP tables should be updated automatically without causing too many issues.

      Good luck,

      Johan

      1 reply

      AdiMizil (Author)
      New Member
      February 15, 2020

      wittersjohan wrote:

      Hi Adi,

      Changing the group ID will change the MAC address on all interfaces, as all interfaces get a virtual cluster address once HA is configured.

      But unless you have checks on the current MAC address of the FortiGates (e.g. NAC) etc., your MAC and ARP tables should be updated automatically without causing too many issues.

      Good luck,

      Johan

       

      Hi Johan, 

       

      Yes, changing the group ID changed the MAC on all interfaces, and Windows computers showed that annoying screen to choose from Work, Private, Public network :(.

       

      Kind regards, 

      Adi
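
An added example, not part of the thread and not Fortinet code: a Python check that parses MACs against the formula quoted in the first post, flags an HA virtual MAC claimed by more than one IP on a segment, and lists group IDs not yet in use there. The ARP entries are constructed, and the last octet (`<vcluster_integer><idx>`) is treated as an opaque value because the thread does not spell out its encoding.

```python
import re
from collections import defaultdict

# Prefix from the formula quoted in the thread:
# 00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>
HA_VMAC_PREFIX = (0x00, 0x09, 0x0F, 0x09)

def parse_mac(mac):
    """Return the six octets of a MAC written with '-' or ':' separators."""
    parts = re.split(r"[-:]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return tuple(int(p, 16) for p in parts)

def ha_group_id(mac):
    """Group ID encoded in an HA virtual MAC, or None for any other MAC."""
    octets = parse_mac(mac)
    return octets[4] if octets[:4] == HA_VMAC_PREFIX else None

def virtual_mac(group_id, last_octet=0):
    """Build the virtual MAC; last_octet is the opaque <vcluster_integer><idx> part."""
    if not (0 <= group_id <= 0xFF and 0 <= last_octet <= 0xFF):
        raise ValueError("group_id and last_octet must each fit in one octet")
    return "-".join(f"{o:02x}" for o in (*HA_VMAC_PREFIX, group_id, last_octet))

def find_collisions(arp_entries):
    """Map each HA virtual MAC claimed by more than one IP to the IPs claiming it."""
    owners = defaultdict(set)
    for ip, mac in arp_entries:
        if ha_group_id(mac) is not None:
            owners[virtual_mac(*parse_mac(mac)[4:])].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}

def free_group_ids(arp_entries):
    """Group IDs (one octet) not seen in any HA virtual MAC on the segment."""
    used = {g for _, mac in arp_entries if (g := ha_group_id(mac)) is not None}
    return [g for g in range(256) if g not in used]

# Constructed IP-to-MAC view of a shared WAN /24 (sample values, not from the thread).
SAMPLE_ARP = [
    ("203.0.113.1", "02:00:00:aa:bb:01"),    # ISP gateway, ordinary MAC
    ("203.0.113.20", "00:09:0f:09:00:00"),   # one cluster, default group ID 0
    ("203.0.113.77", "00-09-0F-09-00-00"),   # another cluster, same default
    ("203.0.113.90", "00:09:0f:09:22:0b"),   # a cluster using group ID 0x22
]

if __name__ == "__main__":
    print(find_collisions(SAMPLE_ARP))
    print(free_group_ids(SAMPLE_ARP)[:3])
```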