FortiGate
caunon
Staff
Article Id 189577

Description


This article describes how to fix a conflicting HA virtual MAC address issue that occurs when more than one HA cluster is present, and how to configure and operate more than one HA cluster in the same network environment.

 

Scope

 

FortiGate.


Solution


When more than one HA cluster operates in the same network, a FortiGate may fail to join the expected HA cluster, or it may use the same HA virtual MAC addresses as an existing HA cluster. This results in a MAC address conflict on the network.

 

Note:

For various reasons, operating multiple HA clusters under the same Security Fabric also requires unique HA group IDs, even if the clusters do not reside on the same network.


Example:
There are FortiGates A, B, C, and D.
FortiGate A and B joined as HA1 (A is Active).
FortiGate C and D joined as HA2 (C is Active).
The problem is that units A and C, although in different HA groups, have the same virtual MAC address because both clusters use the same group ID.
To fix this issue, change the group ID of HA1 and HA2 so that they differ, using the following CLI commands.

 

Note:

Start with the passive units (B and D). Changing the group-id causes the cluster to disconnect.

The connection to these units will therefore be lost until the group-id is also changed on the active units A and C.

 

At HA1 FortiGate (repeat for HA2, and use a different value):

 

config system ha
    set group-id XX          <----- XX is an integer value from 0-255.
end

 

At HA1 FortiGate with VDOMs enabled (repeat for HA2, and use a different value):

 

config global
    config system ha
        set group-id XX          <----- XX is an integer value from 0-255.
    end
end

 

For example:

 

HA1’s group-id = 10
HA2’s group-id = 20

 

In FortiOS version 7.6.0 or later, the following methods are available to assign VMAC addresses to interfaces.

 

  1. Manual assignment.
  2. Automatic assignment based on MAC address.
  3. Automatic assignment based on vcluster ID, group ID, and physical index.

With these options, it is possible to ensure a unique MAC address, which helps prevent MAC address conflicts that can occur when two clusters operate on the same network with the same group ID.

Refer to the following documentation for further details:

Cluster virtual MAC addresses

 

Note:
To confirm that the MAC address has changed, the following CLI command can be used:

 

In non-VDOM mode.

 

get hardware nic <if_name> | grep Hwaddr

 

In VDOM mode.

 

conf global
get hardware nic <if_name> | grep Hwaddr

The physical MAC address and Virtual MAC address of all interfaces on both active and passive units can be checked using the command 'diagnose sys ha mac':

 

FGT_1 # diagnose sys ha mac

HA mac msg
serial#=FGXXXXXXXXXXXX Primary
prio=0, phy_index= 0, itf_name= port1, mac=00.0c.29.18.9e.69, vmac=00.09.0f.09.15.00, linkfail=0
prio=0, phy_index= 1, itf_name= port2, mac=00.0c.29.18.9e.73, vmac=00.09.0f.09.15.01, linkfail=0
prio=0, phy_index= 2, itf_name= port3, mac=00.0c.29.18.9e.7d, vmac=00.09.0f.09.15.02, linkfail=0
prio=0, phy_index= 3, itf_name= port4, mac=00.0c.29.18.9e.87, vmac=00.09.0f.09.15.03, linkfail=0
prio=0, phy_index= 4, itf_name= port5, mac=00.0c.29.18.9e.91, vmac=00.09.0f.09.15.04, linkfail=0
prio=0, phy_index= 5, itf_name= port6, mac=00.0c.29.18.9e.9b, vmac=00.09.0f.09.15.05, linkfail=0
prio=0, phy_index= 6, itf_name= port7, mac=00.0c.29.18.9e.a5, vmac=00.09.0f.09.15.06, linkfail=0
prio=0, phy_index= 7, itf_name= port8, mac=00.0c.29.18.9e.af, vmac=00.09.0f.09.15.07, linkfail=0
prio=0, phy_index= 8, itf_name= port9, mac=00.0c.29.18.9e.b9, vmac=00.09.0f.09.15.08, linkfail=0
prio=0, phy_index= 9, itf_name=port10, mac=00.0c.29.18.9e.c3, vmac=00.09.0f.09.15.09, linkfail=0

serial#=FGXXXXXXXXXXXX Secondary
prio=1, phy_index= 0, itf_name= mgmt, mac=e8.1c.aa.aa.80.7f, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 1, itf_name= ha, mac=e8.1c.aa.aa.80.7e, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 2, itf_name= wan1, mac=e8.1c.aa.aa.80.8a, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 3, itf_name= wan2, mac=e8.1c.aa.aa.80.8b, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 4, itf_name= port1, mac=e8.1c.aa.aa.80.8c, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 5, itf_name= port2, mac=e8.1c.aa.aa.80.8d, vmac=--.--.--.--.--.--, linkfail=0
prio=1, phy_index= 6, itf_name= port3, mac=e8.1c.aa.aa.80.8e, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index= 7, itf_name= port4, mac=e8.1c.aa.aa.80.8f, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index= 8, itf_name= port5, mac=e8.1c.aa.aa.80.90, vmac=--.--.--.--.--.--, linkfail=1
prio=1, phy_index= 9, itf_name= port6, mac=e8.1c.aa.aa.80.91, vmac=--.--.--.--.--.--, linkfail=1
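As an added example that is not part of this article or of FortiOS, the following Python script parses 'diagnose sys ha mac' output collected from two clusters, reports any VMAC claimed by both, and computes the VMAC expected for a given group ID so a new group ID can be verified before it is applied. It assumes the derived-VMAC layout 00:09:0f:09:<group-id hex>:<phy_index hex> for virtual cluster 1 (consistent with the output above, where 0x15 is group ID 21 and the last octet equals phy_index); the sample output below is constructed.

```python
import re
from collections import defaultdict

# Constructed sample output in the format of 'diagnose sys ha mac' (not the devices
# from the article): both clusters still use group-id 10 (0x0a), so their VMACs collide.
HA1_OUTPUT = """\
HA mac msg
serial#=FGXXXXXXXXXXXX Primary
prio=0, phy_index= 0, itf_name= port1, mac=00.0c.29.18.9e.69, vmac=00.09.0f.09.0a.00, linkfail=0
prio=0, phy_index= 1, itf_name= port2, mac=00.0c.29.18.9e.73, vmac=00.09.0f.09.0a.01, linkfail=0
serial#=FGXXXXXXXXXXXX Secondary
prio=1, phy_index= 0, itf_name= port1, mac=e8.1c.aa.aa.80.8c, vmac=--.--.--.--.--.--, linkfail=0
"""
HA2_OUTPUT = """\
serial#=FGYYYYYYYYYYYY Primary
prio=0, phy_index= 0, itf_name= port1, mac=00.0c.29.44.10.01, vmac=00.09.0f.09.0a.00, linkfail=0
prio=0, phy_index= 1, itf_name= port2, mac=00.0c.29.44.10.02, vmac=00.09.0f.09.0a.01, linkfail=0
"""

LINE_RE = re.compile(r"phy_index=\s*(\d+),\s*itf_name=\s*(\S+),\s*mac=(\S+),\s*vmac=(\S+),")

def parse_ha_mac(output):
    """Return (phy_index, interface, vmac) for every interface that carries a VMAC.
    Secondary units print 'vmac=--.--.--.--.--.--' and are skipped."""
    rows = []
    for m in LINE_RE.finditer(output):
        vmac = m.group(4).replace(".", ":").lower()
        if "-" in vmac:
            continue
        rows.append((int(m.group(1)), m.group(2), vmac))
    return rows

def expected_vmac(group_id, phy_index):
    """Assumed derived-VMAC layout for virtual cluster 1: 00:09:0f:09:<group-id>:<phy_index>,
    both octets in hex. group-id must be in the 0-255 range the CLI accepts."""
    if not 0 <= group_id <= 255:
        raise ValueError("group-id must be 0-255")
    return f"00:09:0f:09:{group_id:02x}:{phy_index:02x}"

def find_vmac_conflicts(clusters):
    """clusters: {cluster_name: diagnose output}. Returns {vmac: [(cluster, interface), ...]}
    for every VMAC claimed by more than one cluster."""
    owners = defaultdict(list)
    for name, output in clusters.items():
        for _idx, itf, vmac in parse_ha_mac(output):
            owners[vmac].append((name, itf))
    return {v: o for v, o in owners.items() if len({c for c, _ in o}) > 1}

if __name__ == "__main__":
    for vmac, o in find_vmac_conflicts({"HA1": HA1_OUTPUT, "HA2": HA2_OUTPUT}).items():
        print(f"CONFLICT {vmac}: {o}")
    print("HA2 port1 after setting group-id 20:", expected_vmac(20, 0))
```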

 

Related article:

Technical Tip: How to find the interface's MAC address