FortiGate
Article Id 220210

Description

 

When a PPPoE link is terminated on a FortiGate HA cluster, the link sometimes fails to come up even though the configuration is correct.

The FortiGate only sends the initial discovery broadcast (the PADI message) and never receives a response (no PADO from the access concentrator).

 

Scope

 

FortiGate.

 

Solution

 

The first thing to check when PPPoE is deployed in an HA cluster is the order in which PPPoE and HA were configured. Fortinet recommends enabling DHCP or PPPoE addressing on an interface only after the cluster has been configured.

If an interface is already configured for DHCP or PPPoE when high availability is turned on, the interface may receive an incorrect address or fail to connect to the DHCP or PPPoE server. The correct order is to configure HA first and then configure PPPoE.

 

Secondly, if PPPoE is configured in the correct order and the broadcast still gets no response, test the PPPoE link with a different device.

 

Example:

Connect the PPPoE link to a Windows PC or a router using the same credentials. If the session comes up there, the circuit and credentials are fine and the issue is specific to the FortiGate.

 

Resolution:

Change the Group ID in the HA configuration and check:

 

config system ha

    set group-id 88

end


The group-id value can be in the range 0 to 1023.

Book a downtime window when changing the group ID, as it needs to be changed on both units. Start with the secondary unit, and have console access available as a fallback.

The most likely root cause is that the ISP's access concentrator ignores the PADI because it already has a PPPoE client with the same MAC address as the FortiGate. Because the FortiGates are in an HA cluster, all upstream traffic is sent from the HA virtual MAC address, which is 00:09:0f:09:00:xx with the default group ID.

This virtual MAC can collide with that of other HA clusters connected to the same PPPoE server. To make it unique, change the HA cluster group ID.

 

The cluster virtual MAC addresses depend on the cluster group ID (sometimes also called the cluster ID).
The virtual MAC address is determined by the following formula:


00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>

where <group-id_hex> is the HA group ID for the cluster converted to hexadecimal. With the default group ID of 0 the fifth octet is 00, which is why clusters left at the default all share the 00:09:0f:09:00:xx range.


Note that the ISP performs an IP-to-MAC binding when it assigns an IP address to a PPPoE subscriber.

So when multiple subscribers (from the ISP's perspective) each run a FortiGate HA cluster with the default group ID of 0, or with the same group ID, they all present the same virtual MAC address, as explained in the related article below, and the ISP's IP-MAC binding sees a conflict.
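The following script is an added example, not code from the Fortinet article or from FortiOS: it applies the virtual MAC formula above to a set of HA clusters that sit behind the same PPPoE access concentrator, reports which clusters would present the same virtual MAC on the PPPoE-facing port, and proposes distinct group IDs. Assumptions not stated on the page are labelled in the code: the interface index for port3 (taken as 2), the vcluster-to-nibble mapping, and the restriction to group IDs 0-255 so that the group ID fits the single octet the formula shows.

```python
"""Added example (not part of the Fortinet article): derive FortiGate HA
virtual MAC addresses from the HA group ID and check clusters that share
one PPPoE access concentrator for duplicate virtual MACs."""
from collections import defaultdict

# OUI-based prefix of FortiGate HA virtual MACs, as quoted in the article.
VMAC_PREFIX = (0x00, 0x09, 0x0F, 0x09)


def virtual_mac(group_id: int, interface_index: int, vcluster: int = 1) -> str:
    """Virtual MAC for one interface, per 00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>.

    Assumptions not spelled out on the page: vcluster 1 contributes 0 and vcluster 2
    contributes 2 as the high nibble of the last octet, <idx> is the interface's
    position in the unit's interface order (0-15 here), and only group IDs that fit
    in one octet (0-255) are modelled.
    """
    if not 0 <= group_id <= 255:
        raise ValueError("only group IDs 0-255 (one hex octet) are modelled")
    if not 0 <= interface_index <= 15:
        raise ValueError("interface index must be 0-15 under this model")
    if vcluster not in (1, 2):
        raise ValueError("vcluster must be 1 or 2")
    last_octet = ((0 if vcluster == 1 else 2) << 4) | interface_index
    return ":".join(f"{o:02x}" for o in VMAC_PREFIX + (group_id, last_octet))


def find_collisions(clusters: dict, interface_index: int) -> dict:
    """Map each virtual MAC presented by more than one cluster to the cluster names.

    clusters maps a cluster name to its HA group ID; interface_index is the index
    of the PPPoE-facing port on each unit (assumed identical across clusters).
    """
    by_mac = defaultdict(list)
    for name, gid in clusters.items():
        by_mac[virtual_mac(gid, interface_index)].append(name)
    return {mac: names for mac, names in by_mac.items() if len(names) > 1}


def suggest_group_ids(clusters: dict) -> dict:
    """Return a name -> group ID plan where every cluster has a distinct ID.

    Clusters already on a unique ID keep it; when several share an ID, the first
    in (ID, name) order keeps it and the others move to the lowest unused ID.
    """
    used, plan = set(), {}
    for name in sorted(clusters, key=lambda n: (clusters[n], n)):
        gid = clusters[name]
        if gid in used:
            gid = next(i for i in range(256) if i not in used)
        used.add(gid)
        plan[name] = gid
    return plan


if __name__ == "__main__":
    # Constructed scenario: three customer clusters behind one ISP BRAS, port3
    # assumed to be interface index 2, two clusters left on the default group ID 0.
    sites = {"site-a": 0, "site-b": 0, "site-c": 88}
    for mac, names in find_collisions(sites, 2).items():
        print(f"collision on {mac}: {', '.join(names)}")
    print("plan:", suggest_group_ids(sites))
```

Changing site-b to the group ID the plan proposes moves its virtual MAC off 00:09:0f:09:00:02, which is the same effect the `set group-id 88` change above has for a single cluster; the plan only tells you which clusters actually need the downtime window.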

Related article:

Technical Tip: HA Cluster virtual MAC addresses

Logs:


[Screenshot: packet capture showing repeated PADI broadcasts from the FortiGate with no PADO response]

Reconnect the interface and take simultaneous capture:

 

execute interface pppoe-reconnect port3


To capture on the interface, use the following command (the empty filter string captures everything on port3; verbosity 6 prints the Ethernet header and interface name, so the source MAC of each PADI is visible; a packet count of 0 means no limit; a prints absolute timestamps):

 

diagnose sniffer packet port3 " " 6 0 a


Also, take the debug:

 

diagnose debug application ppp -1

diagnose debug application pppoed -1

diagnose debug enable

 

To disable debug:

 

diagnose debug disable
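To make the "PADI sent, no PADO received" symptom checkable from captured frames, here is an added example that is not part of the Fortinet article: a small RFC 2516 PPPoE discovery decoder that counts the client's PADI broadcasts and any PADO addressed back to it. The frames are constructed inline; the client MAC is the virtual MAC a default group ID would produce (interface index assumed), the Host-Uniq value reuses the one from the debug output below, and the access concentrator MAC and AC-Name are made up.

```python
"""Added example (not part of the Fortinet article): decode PPPoE discovery
frames (RFC 2516) from a capture and report whether the client's PADI
broadcasts were ever answered with a PADO. All frames are constructed here."""
import struct

ETHERTYPE_PPPOE_DISC = 0x8863
PPPOE_VER_TYPE = 0x11           # version 1, type 1
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_discovery(dst: str, src: str, code: int, tags, session_id: int = 0) -> bytes:
    """Ethernet frame carrying one PPPoE discovery packet with the given tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload))
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETHERTYPE_PPPOE_DISC) + header + payload


def parse_discovery(frame: bytes):
    """Return {src, dst, code, session_id, tags} or None if not a PPPoE discovery frame."""
    if len(frame) < 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_DISC:
        return None
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    body = frame[20:20 + length]
    if ver_type != PPPOE_VER_TYPE or len(body) != length:   # wrong version or truncated
        return None
    tags, off = {}, 0
    while off + 4 <= len(body):
        tag_type, tag_len = struct.unpack("!HH", body[off:off + 4])
        tags[tag_type] = body[off + 4:off + 4 + tag_len]
        off += 4 + tag_len
    return {"src": mac_str(frame[6:12]), "dst": mac_str(frame[:6]),
            "code": CODES.get(code, f"0x{code:02x}"), "session_id": session_id, "tags": tags}


def discovery_summary(frames, client_mac: str) -> dict:
    """Count PADIs sent by client_mac and PADOs addressed to it, with a verdict."""
    padi = pado = 0
    acs = set()
    for frame in frames:
        pkt = parse_discovery(frame)
        if pkt is None:
            continue
        if pkt["code"] == "PADI" and pkt["src"] == client_mac:
            padi += 1
        elif pkt["code"] == "PADO" and pkt["dst"] == client_mac:
            pado += 1
            acs.add(pkt["tags"].get(TAG_AC_NAME, b"").decode("ascii", "replace"))
    if pado:
        verdict = "ok"
    elif padi:
        verdict = "no_response"   # PADI leaves the port, nothing comes back: the article's symptom
    else:
        verdict = "no_padi"       # client never started discovery; look at the interface, not the ISP
    return {"padi": padi, "pado": pado, "access_concentrators": sorted(acs), "verdict": verdict}


# Constructed capture. Client MAC is the HA virtual MAC a default group ID would give
# (interface index assumed); Host-Uniq reuses the value from the article's debug output.
CLIENT_MAC = "00:09:0f:09:00:02"
AC_MAC = "02:aa:bb:cc:dd:ee"   # made-up, locally administered BRAS address
PADI_TAGS = [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, bytes.fromhex("1498a570"))]
FAILING_CAPTURE = [build_discovery(BROADCAST, CLIENT_MAC, 0x09, PADI_TAGS) for _ in range(3)]
WORKING_CAPTURE = FAILING_CAPTURE[:1] + [
    build_discovery(CLIENT_MAC, AC_MAC, 0x07,
                    [(TAG_AC_NAME, b"ISP-BRAS"), (TAG_SERVICE_NAME, b""),
                     (TAG_HOST_UNIQ, bytes.fromhex("1498a570"))]),
]
NOT_PPPOE = mac_bytes(CLIENT_MAC) * 2 + b"\x08\x00" + bytes(6)   # an IPv4 frame stub, ignored

if __name__ == "__main__":
    print("failing:", discovery_summary(FAILING_CAPTURE + [NOT_PPPOE], CLIENT_MAC))
    print("working:", discovery_summary(WORKING_CAPTURE, CLIENT_MAC))
```

A "no_response" verdict with the client MAC in the 00:09:0f:09:00:xx range is the combination the article describes; a "no_padi" verdict means the FortiGate never started discovery, which points at the interface or pppoed rather than at the ISP.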

 

Debug output in this scenario:

 

child_exit()-655: A child process exits
pppoed_main()-865: PID XXXX exit
pppoed_main()-871: Interface portX exit
update_interfaces()-425: Update PPPoE interfaces
update_interfaces()-429: Invalidate PPPoE interface portX
update_interfaces()-483: Found PPPoE interface portX
update_interfaces()-566: PPPoE parameters of portX changed.
pppoed_main()-796: Start PPPoE interface portX
pppoed_main()-799: PID of portX is XXXX
parameters passed to pppd:
pppd 0 pppoed port4 nopersist noipdefault noauth nodefaultroute default-asyncmap hide-password nodetach mtu 1500 mru 1500 noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp user 971888889200373045 lcp-echo-interval 5 lcp-echo-failure 3 sync plugin /bin/pppoe.so pppoe_retry_time 10 pppoe_padt_time 10 pppoe_srv_name pppoe_ac_name pppoe_hostuniq 1498a570 pppoe_sock2parent 12 port4 ipunnumbered 0.0.0.0 idle 0 unnumbered-negotiate enable

 

Related documents:

Cluster virtual MAC addresses

PPPoE addressing mode on an interface

system pppoe-interface
