khogi, Staff
Description
This article describes the behaviour of the HA “link-failed-signal” option, which brings down all interfaces of a cluster unit when one of its monitored links is detected as down.

However, if the FortiGate HA cluster units are managed through a dedicated network management interface, that interface will not be brought down:
config system ha
    set link-failed-signal enable
    set ha-mgmt-interface "mgmt"
end

Reference
Refer to the High Availability section of the Online Help guide.

When a FortiGate HA cluster is operating and a monitored interface fails on the primary unit, the primary unit becomes a subordinate unit and another cluster unit becomes the primary unit.

Normally, after a link failover, the new primary unit sends Gratuitous ARP (GARP) packets to refresh the MAC forwarding tables of the switches connected to the cluster.

In some instances switches ignore the GARP packets and continue to associate the cluster MAC address with the port connected to the failed FortiGate, so they keep sending packets to that port.

Use the following command to make a cluster unit with a monitored interface link failure briefly shut down all of its interfaces (except the heartbeat interfaces and the HA management interface) after the failover occurs, which forces the switches to relearn the MAC address on the new primary unit's port:
config system ha
    set link-failed-signal enable
end

Workaround
This is as designed and there is no workaround.

If “ha-mgmt-status” is disabled (no dedicated management interface is reserved), “link-failed-signal” will also act on the management interface.
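The following checker is an added example and not part of the original article: it parses the “config system ha” stanza from a FortiGate configuration dump and reports which interfaces the link-failed signal will shut down and which it leaves up (heartbeat interfaces and, when “ha-mgmt-status” is enabled, the HA management interface). The sample stanza is constructed, and the “hbdev” and “monitor” keys are assumed to be present in the dump.

```python
import re
from typing import Dict, List

# Constructed sample stanza, in the form printed by "show system ha".
# Interface names and priorities are illustrative, not from a real unit.
SAMPLE_HA_CONFIG = """
config system ha
    set group-name "fw-cluster"
    set mode a-p
    set hbdev "ha1" 50 "ha2" 50
    set ha-mgmt-status enable
    set ha-mgmt-interface "mgmt"
    set monitor "port1" "port2"
    set link-failed-signal enable
end
"""


def parse_ha_stanza(text: str) -> Dict[str, List[str]]:
    """Return {key: [tokens]} for every 'set' line inside 'config system ha'."""
    settings: Dict[str, List[str]] = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system ha":
            inside = True
            continue
        if inside and line == "end":
            break
        if inside and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            # Split into quoted or bare tokens: "ha1" 50 "ha2" 50 -> ha1, 50, ha2, 50
            pairs = re.findall(r'"([^"]*)"|(\S+)', rest)
            settings[key] = [quoted or bare for quoted, bare in pairs]
    return settings


def link_failed_signal_scope(settings: Dict[str, List[str]]) -> Dict[str, object]:
    """Report whether the signal is enabled and which interfaces it will not touch."""
    enabled = settings.get("link-failed-signal", ["disable"])[0] == "enable"
    # hbdev alternates interface name and priority; keep only the names.
    heartbeat = settings.get("hbdev", [])[0::2]
    exempt = list(heartbeat)
    # The dedicated HA management interface is exempt only while ha-mgmt-status is enabled.
    if settings.get("ha-mgmt-status", ["disable"])[0] == "enable":
        exempt += settings.get("ha-mgmt-interface", [])
    return {"enabled": enabled,
            "monitored": settings.get("monitor", []),
            "exempt": exempt}
```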

Problem Verification
Execute the following command and check the output:
diag debug app hatalk -1

Related Articles

Technical Tip: Updating MAC forwarding tables when an HA link failover occurs
