Description
This article describes why 169.254.0.65 and 169.254.0.66 cannot be used on FortiGates in an HA cluster, and why they respond to pings even when they are not in use on the network.
Scope
FortiGate in FGCP Cluster.
Solution
FortiGates in an HA cluster will prevent the use of IPs 169.254.0.65 and 169.254.0.66 but will be able to ping them successfully even if these IPs are not used on the network.
The reason is that in an HA cluster, where heartbeat interfaces exchange heartbeat packets using layer 2 frames, some layer 3 information must also be exchanged.
This includes synchronization traffic, logs, and other locally generated traffic from secondary devices.
To achieve this, virtual interfaces called havdlink are created and assigned these IPs, 169.254.0.65 and 169.254.0.66.
These interfaces and IPs cannot be seen in the firewall configuration and can only be seen using the following commands:
FG-1 # diag ip address list
IP=169.254.0.65->169.254.0.65/255.255.255.192 index=47 devname=havdlink0
IP=169.254.0.66->169.254.0.66/255.255.255.192 index=48 devname=havdlink1
FG101F-1 # get router info kernel
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.64/32 pref=169.254.0.66 gwy=0.0.0.0 dev=48(havdlink1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.66/32 pref=169.254.0.66 gwy=0.0.0.0 dev=48(havdlink1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.127/32 pref=169.254.0.66 gwy=0.0.0.0 dev=48(havdlink1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.64/26 pref=169.254.0.66 gwy=0.0.0.0 dev=48(havdlink1)
This is why these IPs cannot be used, and the same applies to all IPs in the subnet 169.254.0.0/26. The FortiGate uses this subnet for HA management, and any devices that join an HA cluster are assigned IPs from the range of 169.254.0.1 to 169.254.0.63/26.
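
The following is an added example, not part of the original article or any Fortinet tooling: a planning check that parses `diag ip address list` output in the format shown above, collects the subnets held by havdlink interfaces together with the HA management subnet stated in the article, and flags planned addresses that overlap them. The function names, the `port1` line and the planned addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the two havdlink lines from the article plus a made-up port1 line.
SAMPLE = """\
IP=169.254.0.65->169.254.0.65/255.255.255.192 index=47 devname=havdlink0
IP=169.254.0.66->169.254.0.66/255.255.255.192 index=48 devname=havdlink1
IP=10.1.1.1->10.1.1.1/255.255.255.0 index=5 devname=port1
"""

# HA management subnet as stated in the article.
HA_MGMT_SUBNET = ipaddress.ip_network("169.254.0.0/26")

LINE_RE = re.compile(
    r"IP=(?P<ip>[\d.]+)->[\d.]+/(?P<mask>[\d.]+)\s+"
    r"index=\d+\s+devname=(?P<dev>\S+)"
)


def parse_address_list(text):
    """Return (devname, IPv4Interface) for every address line in the output."""
    return [
        (m["dev"], ipaddress.ip_interface(f"{m['ip']}/{m['mask']}"))
        for m in LINE_RE.finditer(text)
    ]


def reserved_networks(entries):
    """HA management subnet plus every subnet bound to a havdlink interface."""
    nets = {HA_MGMT_SUBNET}
    nets.update(iface.network for dev, iface in entries if dev.startswith("havdlink"))
    return sorted(nets)


def find_conflicts(planned, reserved):
    """Return (planned_item, reserved_subnet) for each overlap.

    planned items may be single addresses or CIDR blocks.
    """
    hits = []
    for item in planned:
        net = ipaddress.ip_network(item, strict=False)
        hits.extend((item, str(r)) for r in reserved if net.overlaps(r))
    return hits


if __name__ == "__main__":
    reserved = reserved_networks(parse_address_list(SAMPLE))
    plan = ["169.254.0.65", "169.254.0.10/32", "169.254.0.0/24", "192.168.1.0/24"]
    for item, subnet in find_conflicts(plan, reserved):
        print(f"{item} overlaps HA-reserved {subnet}")
```
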
Copyright 2024 Fortinet, Inc. All Rights Reserved.