FortiGate
vsahu
Description

 

When a PPPoE interface is configured on a FortiGate that is part of an HA cluster, the link sometimes does not come up even though the PPPoE configuration itself is correct.

The FortiGate only sends the initial discovery broadcast (the PADI message) and never receives a PADO reply from the PPPoE server.

 

Scope

 

FortiOS 6.0.x and later.

 

Solution

 

The first thing to check when PPPoE is deployed in an HA cluster is the order in which PPPoE and HA were configured. Fortinet recommends enabling DHCP or PPPoE addressing on an interface only after the cluster has been configured.

If an interface is already configured for DHCP or PPPoE when HA is turned on, the interface may receive an incorrect address or fail to connect to the DHCP or PPPoE server correctly.

So the order is: configure HA first, then configure PPPoE on the interface.

 

Secondly, if the PPPoE interface is configured correctly but there is still no response to the discovery broadcast, test the PPPoE link with a different device.

 

Example:

Connect the PPPoE line to a Windows PC or a router and check whether the session comes up. If it does, the ISP side and the credentials are working and the problem is specific to the FortiGate.

 

Resolution:

Change the group ID in the HA configuration and test again:

 

# config system ha

    set group-id 88

end


The group-id value can be in the range 0 to 1023. Schedule a maintenance window when changing the group ID: the change must be applied on both cluster units, the virtual MAC addresses of all cluster interfaces change as a result, and console access should be available in case the cluster loses network connectivity.

The most likely root cause is that the ISP's PPPoE server (access concentrator) ignores the PADI because it already has an active PPPoE client with the same MAC address as the FortiGate.

Because the FortiGate is part of an HA cluster, all upstream traffic is sent from the cluster's virtual MAC address, which with the default group ID has the form 00:09:0f:09:00:xx.

This virtual MAC address can conflict with other HA clusters connected to the same PPPoE server. To make it unique, the HA cluster group ID must be changed.

 

- The cluster virtual MAC addresses depend on the cluster group ID (sometimes also called the cluster ID).
- The virtual MAC address is determined by the following formula:


00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>

where <group-id_hex> is the HA group ID of the cluster converted to hexadecimal (for example, group ID 88 gives 58, and the default group ID 0 gives the 00:09:0f:09:00:xx addresses mentioned above).


Note that the ISP performs an IP-to-MAC binding when it assigns an IP address to each of its PPPoE subscribers.

So when multiple subscribers (from the ISP's perspective) run FortiGate HA clusters with the default group ID 0, or with the same group ID, they all derive the same virtual MAC address, as explained in the related article below, and this creates a conflict on the ISP side when it performs the IP-MAC binding.
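The following script is an added example (it is not Fortinet code and not taken from the related article). It applies the virtual MAC formula quoted above and then derives the addresses several clusters would use on one ISP segment, to show why two subscribers left at the default group ID collide while a cluster with group ID 88 does not. Two assumptions are taken from the FortiOS HA handbook and are not spelled out on this page: <vcluster_integer> is 0 for virtual cluster 1 and 2 for virtual cluster 2, and <idx> is the zero-based index of the interface. Only single-octet group IDs (0 to 255) and interface indexes 0 to 15 are handled; other values are rejected rather than guessed.

```python
"""FortiGate HA virtual MAC derivation and cross-cluster collision check.

Added example (not Fortinet code). Applies the formula
00-09-0f-09-<group-id_hex>-<vcluster_integer><idx> under two assumptions
taken from the FortiOS HA handbook: <vcluster_integer> is 0 for virtual
cluster 1 and 2 for virtual cluster 2, and <idx> is the zero-based interface
index. Only group IDs 0-255 (one octet) and interface indexes 0-15 (one
nibble) are handled; anything else raises instead of being guessed.
"""
from collections import defaultdict

VMAC_OUI_PREFIX = "00:09:0f:09"


def ha_virtual_mac(group_id: int, iface_index: int, vcluster: int = 1) -> str:
    """Return the cluster virtual MAC for one interface as a colon-separated string."""
    if not 0 <= group_id <= 255:
        raise ValueError("only single-octet group IDs (0-255) are handled here")
    if vcluster not in (1, 2):
        raise ValueError("vcluster must be 1 or 2")
    if not 0 <= iface_index <= 15:
        raise ValueError("only interface indexes 0-15 are handled here")
    vcluster_nibble = 0 if vcluster == 1 else 2        # assumption, see module docstring
    last_octet = (vcluster_nibble << 4) | iface_index   # "<vcluster_integer><idx>"
    return f"{VMAC_OUI_PREFIX}:{group_id:02x}:{last_octet:02x}"


def find_vmac_collisions(clusters: dict[str, int], iface_count: int = 4) -> dict[str, list[str]]:
    """Map each virtual MAC used by more than one cluster to the clusters sharing it.

    `clusters` maps a cluster name to its HA group ID; `iface_count` is how many
    interfaces (idx 0 .. iface_count-1) are derived for each cluster.
    """
    owners: dict[str, list[str]] = defaultdict(list)
    for name, group_id in clusters.items():
        for idx in range(iface_count):
            owners[ha_virtual_mac(group_id, idx)].append(name)
    return {mac: names for mac, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed scenario: three subscribers of one ISP, two left at the default group ID.
    subscribers = {"customer-a": 0, "customer-b": 0, "customer-c": 88}
    for name, gid in subscribers.items():
        print(f"{name}: group-id {gid:<3} port3 vMAC {ha_virtual_mac(gid, 2)}")
    for mac, names in find_vmac_collisions(subscribers).items():
        print(f"collision on {mac}: {', '.join(names)}")
```

Running it shows customer-a and customer-b both presenting 00:09:0f:09:00:02 on port3, which is exactly the duplicate the access concentrator rejects, while customer-c presents 00:09:0f:09:58:02 after the group ID change.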

Related article:

https://kb.fortinet.com/kb/documentLink.do?externalID=11772


Logs:


[Capture screenshot: repeated PADI broadcasts from the FortiGate with no PADO response]

- Reconnect the PPPoE interface and take a packet capture at the same time:

 

# execute interface pppoe-reconnect port3


- To take the packet capture on the interface, use the following command (verbosity 6, unlimited packet count, absolute timestamps):


# diag sniffer packet port3 " " 6 0 a


Also enable the PPP and PPPoE daemon debugs:

 

# diag debug application ppp -1

# diag debug application pppoed -1

# diag debug enable

 

Debug output in this scenario:

 

child_exit()-655: A child process exits
pppoed_main()-865: PID XXXX exit
pppoed_main()-871: Interface portX exit
update_interfaces()-425: Update PPPoE interfaces
update_interfaces()-429: Invalidate PPPoE interface portX
update_interfaces()-483: Found PPPoE interface portX
update_interfaces()-566: PPPoE parameters of portX changed.
pppoed_main()-796: Start PPPoE interface portX
pppoed_main()-799: PID of portX is XXXX
parameters passed to pppd:
pppd 0 pppoed port4 nopersist noipdefault noauth nodefaultroute default-asyncmap hide-password nodetach mtu 1500 mru 1500 noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp user 971888889200373045 lcp-echo-interval 5 lcp-echo-failure 3 sync plugin /bin/pppoe.so pppoe_retry_time 10 pppoe_padt_time 10 pppoe_srv_name pppoe_ac_name pppoe_hostuniq 1498a570 pppoe_sock2parent 12 port4 ipunnumbered 0.0.0.0 idle 0 unnumbered-negotiate enable
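To turn a capture like the one above into a clear answer ("which client sent PADIs that were never answered, and is its source MAC a FortiGate HA virtual MAC?"), here is an added example parser. It is not Fortinet code and does not read the FortiGate sniffer output; the frames are constructed inline following RFC 2516 (EtherType 0x8863, 6-byte PPPoE header, TLV tags) to mimic the capture described in this article. The client MAC 00:09:0f:09:00:02 is assumed to be a FortiGate HA virtual MAC with the default group ID 0, the Host-Uniq value 1498a570 is the one visible in the pppd parameters above, and the second client, the access concentrator MAC and the AC-Name are made up for the sample.

```python
"""Find PADI broadcasts that never received a PADO in a PPPoE discovery capture.

Added example (not Fortinet code, not the FortiGate sniffer). Frame layout per
RFC 2516: EtherType 0x8863, PPPoE header (ver/type 0x11, code, session ID,
payload length), then TLV tags. Sample frames are constructed below.
"""
import struct
from typing import Optional

ETH_PPPOE_DISCOVERY = 0x8863
CODE_PADI, CODE_PADO = 0x09, 0x07
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = "ff:ff:ff:ff:ff:ff"
FGT_HA_VMAC_PREFIX = bytes.fromhex("00090f09")   # 00:09:0f:09:<group-id>:<vc><idx>


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_discovery(code: int, dst: str, src: str, tags: list[tuple[int, bytes]]) -> bytes:
    """Build an Ethernet + PPPoE discovery frame (used only to construct the samples)."""
    payload = b"".join(struct.pack("!HH", tag, len(val)) + val for tag, val in tags)
    pppoe_hdr = struct.pack("!BBHH", 0x11, code, 0x0000, len(payload))
    return _mac_bytes(dst) + _mac_bytes(src) + struct.pack("!H", ETH_PPPOE_DISCOVERY) + pppoe_hdr + payload


def parse_discovery(frame: bytes) -> Optional[dict]:
    """Parse a PPPoE discovery frame; return None for non-PPPoE or malformed frames."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETH_PPPOE_DISCOVERY:
        return None
    vt, code, session, length = struct.unpack("!BBHH", frame[14:20])
    body = frame[20:20 + length]
    if vt != 0x11 or len(body) != length:           # wrong version/type, or truncated frame
        return None
    tags: dict[int, bytes] = {}
    off = 0
    while off + 4 <= len(body):
        tag, tlen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if off + tlen > len(body):                   # tag length runs past the payload
            return None
        tags[tag] = body[off:off + tlen]
        off += tlen
    return {"dst": _mac_str(frame[0:6]), "src": _mac_str(frame[6:12]),
            "code": code, "session": session, "tags": tags}


def ha_group_id(mac: str) -> Optional[int]:
    """Return the HA group ID encoded in a FortiGate virtual MAC, or None if it is not one."""
    raw = _mac_bytes(mac)
    return raw[4] if raw[:4] == FGT_HA_VMAC_PREFIX else None


def unanswered_padis(frames: list[bytes]) -> list[dict]:
    """One record per (client MAC, Host-Uniq) whose PADIs got no PADO echoing that Host-Uniq."""
    sent: dict[tuple[str, bytes], int] = {}
    answered: set[tuple[str, bytes]] = set()
    for frame in frames:
        pkt = parse_discovery(frame)
        if pkt is None:
            continue
        host_uniq = pkt["tags"].get(TAG_HOST_UNIQ, b"")
        if pkt["code"] == CODE_PADI:
            key = (pkt["src"], host_uniq)
            sent[key] = sent.get(key, 0) + 1
        elif pkt["code"] == CODE_PADO:
            answered.add((pkt["dst"], host_uniq))    # PADO is unicast back to the client
    return [{"client": mac, "host_uniq": hu.hex(), "padi_count": n, "ha_group_id": ha_group_id(mac)}
            for (mac, hu), n in sent.items() if (mac, hu) not in answered]


# Constructed capture: the FortiGate (HA vMAC, group ID 0) retries PADI and is never answered,
# while another client on the same segment gets a PADO from the access concentrator.
FGT_VMAC, OTHER_CLIENT, AC_MAC = "00:09:0f:09:00:02", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
SAMPLE_CAPTURE = [
    build_discovery(CODE_PADI, BROADCAST, FGT_VMAC,
                    [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, bytes.fromhex("1498a570"))]),
    build_discovery(CODE_PADI, BROADCAST, OTHER_CLIENT,
                    [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, b"\xde\xad\xbe\xef")]),
    build_discovery(CODE_PADO, OTHER_CLIENT, AC_MAC,
                    [(TAG_AC_NAME, b"isp-bras-1"), (TAG_SERVICE_NAME, b""),
                     (TAG_HOST_UNIQ, b"\xde\xad\xbe\xef")]),
    build_discovery(CODE_PADI, BROADCAST, FGT_VMAC,
                    [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, bytes.fromhex("1498a570"))]),
]

if __name__ == "__main__":
    for rec in unanswered_padis(SAMPLE_CAPTURE):
        gid = rec["ha_group_id"]
        note = f" (FortiGate HA vMAC, group-id {gid})" if gid is not None else ""
        print(f"{rec['client']} host-uniq {rec['host_uniq']}: {rec['padi_count']} PADI, no PADO{note}")
```

Matching PADI to PADO on the Host-Uniq tag rather than only on the MAC is deliberate: the FortiGate sets pppoe_hostuniq, so a PADO for a different session from a client sharing the same virtual MAC would not be mistaken for an answer. A result that names a client with ha_group_id 0 is the signature of the conflict described above.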

 

Related documents:

 

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/996579/cluster-virtual-mac-addresses


https://docs.fortinet.com/document/fortigate/6.0.0/handbook/495735/pppoe-addressing-mode-on-an-inter...


https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/682734/system-pppoe-interface
