Skip to main content
volkerdose
volkerdose
New Member
December 5, 2024
Question

FortiADC on VMware ESXi - Virtual MAC address and Switchports

  • December 5, 2024
  • 2 replies
  • 1624 views

Hi guys,

 

I am running a HA-AP cluster of two FortADC nodes (7.4.5) on a Vmware Cluster (Version 8).

 

The NIC configuration for all VLANs allows promiscuous mode, MAC address change and forged MACs.

 

 

 

I have these interfaces configured:

 

port1 - Management

port2 - [ empty - no VLAN]

port3 - LAN

port4 - Heartbeat/Data Port

port5 - DMZ2

 

When switching between nodes (reboot the active machine) the IP on port 5 was no longer pingable on the second FortiADC. I rebooted again and got answers from port5.

 

I was able to ping the LAN-IP on port3 and the heartbeat also worked !!

 

Then I checked the interfaces in vsphere client and port 1 to port4 look like this:

 

Active Maschine: Port unblocked, Mac is 00:09:0f:... (the virtual MAC)

Passive Maschine: Port unblocked: Mac is 00:50:56 (the "physical" MAC)

 

When the cluster nodes are switched the virtual MAC switches to the then active node.

 

But in the VLAN DMZ2 (assigned to port5) the ports look like this:

 

Active Maschine: Port blocked, Mac is 00:50:56... (the physical MAC)

Passive Maschine: Port blocked, Mac is 00:50:56 (the physical MAC)

 

I checked the ARP entry on my Firewall (yes, IP on port5 points to the virtual MAC).

 

While I tried to find out what is happening there I did a lot of reboots and at some point I was not able to ping the IP on port5 at any machine. What helped was to vmotion the FortiADC ... port5 answered pings 

 

I finally added a IP/VLAN to port 2 - and suddenly the port 5 on both FortiADC worked - switched back and forth - no problem...

 

But still: the ports in vsphere still show a very different picture for port5 - port blocked and no  sign of the virtual MAC-address. In reality the virtual MAC is running on the active node and the FortADC works fine

 

Has anyone any idea why this is happening?

 

Best regards

Volker

 

 

 

 

2 replies

sjoshi
Staff
sjoshi
Staff
December 5, 2024

Hi,

 

It seems like there might be an issue with the VMware cluster configuration causing the port5 on the FortiADC nodes to not properly switch between active and passive states during failover. Adding an IP/vlan to port2 might have triggered a refresh or reconfiguration that resolved the issue temporarily. It's recommended to ensure that the VMware cluster settings for promiscuous mode, MAC address change, and forged MACs are correctly configured for all interfaces, and to investigate any potential network or configuration issues that could be affecting the failover behavior of port5 on the FortiADC nodes.

Thanks, Salon
volkerdose
volkerdoseAuthor
New Member
December 5, 2024

Hi,

 

thank you very much for your reply. My colleague confirmed, that the settings for the port5 are exactly the same as for the other vlans - I do agree to your statement, that there must be a problem in the vmware config, but we were not abel to find any pattern when we compared the settings.

 

Best regards

Volker 

volkerdose
volkerdoseAuthor
New Member
December 9, 2024

Hi,

 

I am still not sure what the reason for this strange issue is. 

But I have a suspicion....

The FortiADC Cluster is in the same network segmnet as my Fortigate Cluster.

 

Only while troubelshooting the issue I  changed the GroupID for the FortADC-Cluster.

I know, that 2 Fortigate Cluster in the same network need different Group-IDs  - is this also the case for a setup with one FortiADC Cluster and one Fortgate Cluster?

Best regards

Volker

Terms & ConditionsAccessibility statement