FortiGate
Ade_23
Staff
Article Id 327853
Description

This article describes why 169.254.0.65 and 169.254.0.66 cannot be used on FortiGates in an HA cluster, and why these IPs respond to pings even when they are not in use on the network.

Scope

FortiGate in FGCP Cluster.

Solution

FortiGates in an HA cluster prevent the use of the IPs 169.254.0.65 and 169.254.0.66, yet pings to them succeed even if these IPs are not used on the network.

The reason is that in an HA cluster, where heartbeat interfaces exchange heartbeat packets using layer 2 frames, some layer 3 information must also be exchanged. This includes synchronization traffic, logs, and other locally generated traffic from secondary devices.

To achieve this, virtual interfaces called havdlink are created and assigned the IPs 169.254.0.65 and 169.254.0.66.

These interfaces and IPs do not appear in the firewall configuration and can only be seen using the following commands:

FG-1 # diag ip address list
IP=169.254.0.65->169.254.0.65/255.255.255.192 index=47 devname=havdlink0
IP=169.254.0.66->169.254.0.66/255.255.255.192 index=48 devname=havdlink1

FG101F-1 # get router info kernel
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.64/32 pref=169.254.0.66 gwy=0.0.0.0 dev=48(havdlink1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.66/32 pref=169.254.0.66 gwy=0.0.0.0 dev=48(havdlink1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.127/32 pref=169.254.0.66 gwy=0.0.0.0 dev=48(havdlink1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.64/26 pref=169.254.0.66 gwy=0.0.0.0 dev=48(havdlink1)

This is why these IPs cannot be used. The same applies to all IPs in the subnet 169.254.0.0/26.

The FortiGate uses this subnet for HA management, and any device that joins an HA cluster is assigned an IP from the range 169.254.0.1 to 169.254.0.63/26.
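
As an added example (not part of the original article and not Fortinet code), the following Python script parses the "diag ip address list" output shown above, derives the network carried by each havdlink interface, and checks a planned address list for overlap with those networks and with the 169.254.0.0/26 HA management subnet. The function names and the address plan are assumptions made for illustration.

```python
import ipaddress
import re

# Output copied from the article's "diag ip address list" listing.
SAMPLE_OUTPUT = """\
IP=169.254.0.65->169.254.0.65/255.255.255.192 index=47 devname=havdlink0
IP=169.254.0.66->169.254.0.66/255.255.255.192 index=48 devname=havdlink1
"""

# Subnet the article says the FortiGate uses for HA management.
HA_MGMT_NET = ipaddress.ip_network("169.254.0.0/26")

LINE_RE = re.compile(
    r"IP=(?P<ip>[\d.]+)->(?P<peer>[\d.]+)/(?P<mask>[\d.]+)\s+"
    r"index=(?P<index>\d+)\s+devname=(?P<dev>\S+)"
)

def parse_address_list(text):
    """Return {devname: IPv4Interface} for each line of 'diag ip address list'."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            found[m["dev"]] = ipaddress.ip_interface(f"{m['ip']}/{m['mask']}")
    return found

def reserved_networks(text):
    """HA management subnet plus every network carried by a havdlink interface."""
    nets = {HA_MGMT_NET}
    for dev, iface in parse_address_list(text).items():
        if dev.startswith("havdlink"):
            nets.add(iface.network)
    return sorted(nets)

def find_conflicts(planned, text=SAMPLE_OUTPUT):
    """Map each planned prefix that overlaps a reserved network to those networks."""
    conflicts = {}
    for name, cidr in planned.items():
        net = ipaddress.ip_network(cidr, strict=False)
        hits = [str(r) for r in reserved_networks(text) if net.overlaps(r)]
        if hits:
            conflicts[name] = hits
    return conflicts

if __name__ == "__main__":
    # Constructed address plan (hypothetical interface names), not from the article.
    plan = {"port5": "169.254.0.66/30", "vpn-tun1": "169.254.1.1/30", "mgmt": "169.254.0.10/24"}
    print(find_conflicts(plan))
```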