FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 195565

Description
This article explains potential issues that may occur when operating FortiGate clusters in High Availability (HA) mode with third-party Layer-3 switches.
Scope
FortiGate v7.0 and above, operating in High Availability (HA) mode.
Solution

During an HA failover event, the newly elected primary FortiGate unit sends special ARP packets to update the MAC address forwarding tables of directly connected switches.
When using Layer-2 switches:
The ARP packets successfully refresh MAC tables, and the switches begin forwarding traffic to the new primary FortiGate without interruption.
When using Layer-3 switches:
The Layer-3 forwarding (ARP or routing) tables may not update automatically after the failover. As a result:

  • The Layer-3 switch continues forwarding packets to the old (now failed) primary unit.
  • Traffic flow is interrupted.
  • The cluster may appear non-functional until the Layer-3 switch updates its tables.
Layer-3 switches maintain a cache of IP-to-interface mappings that is not refreshed by ARP updates alone.
These cached entries may persist for a relatively long timeout period, so traffic is not redirected to the new primary FortiGate until the stale entry expires or is removed.
Possible solution:

  • Manually clear or flush the forwarding (ARP or routing) table on the Layer-3 switch after a failover to force it to learn the new path. Before flushing, confirm the symptom by checking whether the switch's entry for the cluster IP address still points at the interface of the failed unit.
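The following Python model illustrates the difference described above between a Layer-2 MAC table and a Layer-3 IP-to-interface cache during an HA failover. It is an added example written for this article, not Fortinet code: it builds and parses real ARP frames, then feeds the new primary's gratuitous ARP to both switch models. The gateway IP, the shared virtual MAC, the port names and the cache timeout are constructed placeholder values, and the Layer-3 behaviour modelled (a live cache entry is kept until it expires or is flushed) is the failure mode the article describes, not a statement about any particular switch vendor.

```python
import struct

# Constructed sample values (placeholders, not from the article). Both HA
# members answer for the same gateway IP behind the same virtual MAC; what
# changes at failover is the switch port the MAC is seen on.
GATEWAY_IP = "10.0.0.1"
VIRTUAL_MAC = "00:09:0f:09:00:01"
CLIENT_MAC, CLIENT_IP = "00:11:22:33:44:55", "10.0.0.254"
ARP_TIMEOUT = 14400  # seconds; an assumed long Layer-3 ARP cache timeout

def _mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def _ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def _mac_str(b): return ":".join(f"{x:02x}" for x in b)
def _ip_str(b): return ".".join(str(x) for x in b)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (opcode 2) for IPv4 over Ethernet."""
    eth = _mac_bytes(target_mac) + _mac_bytes(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
           + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
           + _mac_bytes(target_mac) + _ip_bytes(target_ip))
    return eth + arp

def build_gratuitous_arp(sender_mac, sender_ip):
    """Gratuitous ARP: broadcast reply whose sender and target IP are the same."""
    return build_arp_reply(sender_mac, sender_ip, "ff:ff:ff:ff:ff:ff", sender_ip)

def parse_arp(frame):
    """Decode the fields a switch would act on; rejects non-ARP frames."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    sender_ip, target_ip = _ip_str(frame[28:32]), _ip_str(frame[38:42])
    return {"op": op, "sender_mac": _mac_str(frame[22:28]), "sender_ip": sender_ip,
            "target_ip": target_ip, "gratuitous": sender_ip == target_ip}

class Layer2Switch:
    """Learns source MAC -> port from every frame it receives, so the
    gratuitous ARP moves the virtual MAC to the new port immediately."""
    def __init__(self): self.mac_table = {}
    def receive(self, frame, port): self.mac_table[_mac_str(frame[6:12])] = port
    def port_for_mac(self, mac): return self.mac_table.get(mac)

class Layer3Switch:
    """Keeps an IP -> (MAC, interface, expiry) cache. In the behaviour the
    article describes, an unexpired entry is not replaced by an unsolicited
    ARP, so the stale interface persists until timeout or a manual flush."""
    def __init__(self): self.arp_cache = {}
    def receive(self, frame, port, now):
        arp = parse_arp(frame)
        if arp["op"] != 2:
            return
        entry = self.arp_cache.get(arp["sender_ip"])
        if entry is None or entry[2] <= now:  # only learn into an empty/expired slot
            self.arp_cache[arp["sender_ip"]] = (arp["sender_mac"], port, now + ARP_TIMEOUT)
    def next_hop(self, ip, now):
        entry = self.arp_cache.get(ip)
        return None if entry is None or entry[2] <= now else entry[1]
    def flush(self): self.arp_cache.clear()

def simulate_failover(flush_after_failover):
    """Return the port each switch type forwards gateway traffic to after failover."""
    l2, l3 = Layer2Switch(), Layer3Switch()
    now = 0
    # Steady state: the original primary answers an ARP request via port1.
    reply = build_arp_reply(VIRTUAL_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP)
    l2.receive(reply, "port1"); l3.receive(reply, "port1", now)
    # Failover: the new primary announces itself with a gratuitous ARP via port2.
    now = 60
    garp = build_gratuitous_arp(VIRTUAL_MAC, GATEWAY_IP)
    l2.receive(garp, "port2"); l3.receive(garp, "port2", now)
    if flush_after_failover:
        l3.flush()  # the manual clear from the article's possible solution
        # After the flush the switch re-resolves the gateway; the new primary answers on port2.
        l3.receive(build_arp_reply(VIRTUAL_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP), "port2", now)
    return {"l2_port": l2.port_for_mac(VIRTUAL_MAC), "l3_port": l3.next_hop(GATEWAY_IP, now)}

if __name__ == "__main__":
    print("without flush:", simulate_failover(False))  # L3 still points at port1
    print("with flush:   ", simulate_failover(True))   # L3 now points at port2
```

Running the script shows the Layer-2 table following the gratuitous ARP to port2 while the Layer-3 cache keeps forwarding to port1 until it is flushed; lengthening `now` past `ARP_TIMEOUT` in `next_hop` shows the entry eventually ageing out on its own, which is the long outage the article warns about.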