canoas
Visitor III
May 20, 2026
Question

MAC flapping Arista and Fortigate Mgmt interface


I have configured the following in a new Active-Passive setup:

Unit A (set up as Active 120 HA) - mgmt IP address 10.1.1.5/24 (set management ip and dedicated-management)

Unit B (set up as Passive 115 HA) - mgmt IP address 10.1.1.6/24 (set management ip and dedicated-management)

HA on both 

group ID 1

tracking port2

“port2” configured on both units as IP address 10.1.1.10/24

 

Both units are only pingable sometimes; MAC flapping messages appear every 5 seconds on both Arista switches, which are set up as an MLAG.

Both units have the same virtual MAC address (get hardware nic mgmt); other units I have set up exactly the same, a-p, have different mgmt MACs between A and B!

If I remove the group-id from Unit B, everything works, both units pingable and accessible. When I add the group-id back into Unit B, the problem persists. I have even changed the group-id on both from 1 to 256, same problem.

How can this be? I have checked pretty much everything, but obviously there is something I am missing. Thanks all for any input here.

 

4 replies

AEK
SuperUser
May 21, 2026

It seems your mgmt interface is also managed by the cluster.

Can you share mgmt interface config (CLI) and HA config from both nodes?

AEK
msanjaypadma
Staff
May 21, 2026

Hi @canoas,

Since you mentioned that “both units have the same vMAC for the MGMT interface,” could you please share the logs for further checking?

As far as I understand, if you don’t use an Out-of-Band (OOB) management interface under High Availability (HA) settings, Unit A's MGMT1 should display its vMAC address, while Unit B's MGMT1 should show only its physical MAC address.

If you are using Out-of-Band Management, please note that “the MAC address of a reserved management interface does not change to a VMAC address; it retains its original MAC address.”

Reference article: https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/564710

Topology? Configuration from both units? And the output from both units for the commands below:

show sys interface mgmt
show sys ha
get hardware nic mgmt
diagnose sys ha mac
get sys arp


If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.

Thanks,
Mayur Padma

canoas (Author)
Visitor III
May 22, 2026

Hi Mayur, thanks for your reply. Late yesterday I could see there were zero HA packets between cluster members and both were Active (“diag sys ha”). Upon further investigation, I could see the HA ports were connected to another new cluster in error (LLDP). Cabling will be changed this weekend so that the HA ports are directly connected to the correct cluster members. I will send an update.

msanjaypadma
Staff
Staff
May 22, 2026

Hi @canoas,

Sure! This is a split-brain scenario.

Thanks,

Mayur Padma

canoas (Author)
Visitor III
May 25, 2026

Yes, cabling rectified between HA ports, this resolved the issue. MAC flapping has gone. I have another question though.

Configured the mgmt ports in both as dedicated mgmt interface so units share the same IP address and I used port2 for HA config, each unit with their own IP address. Is this good practice, i.e. use the dedicated mgmt for HTTPS, SSH, FortiGuard etc., so inband and OOB, right? I am still very confused about which setup should be used, but as I understand it the mgmt sits on the CPU and is excluded from the data plane, and the HA manage should be port2, which sits on the data plane. Anyone have opinions on what this should be? Thanks everyone. BTW I haven’t used the mgmt interface as with the hidden mgmt vdom I think dedicated mgmt interface cmd, separate from dedicated ip-mgmt cmd.