FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
knaveenkumar
Staff
Article Id 408740
Description This article describes a case where a WAN interface that is an SD-WAN member shows link up but passes no traffic, on a FortiGate HA active-active (A-A) cluster.
Scope FortiGate.
Solution

Issue: 

The SD-WAN member on wan1 is shown as inactive, although the interface itself, including its physical link, is up.

 

[Image: wan1 shown as down in the SD-WAN member list]

 

FW01 # diagnose hardware deviceinfo nic wan1
Description Fortinet 90E Ethernet Driver
System_Device_Name wan1
Current_HWaddr 00:09:0f:09:00:00
Permanent_HWaddr 90:6c:ac:c2:0f:42
State up
Link up
PHY Link up
Speed 1000
Duplex full
port: 0
def vid 4095
cur_vid 4095
netdev_running 1
stp: 0
mac_bypass 0
pci_rx 0
Rx_Packets 2881854046
Tx_Packets 1161563070
Rx_Bytes 3145805419908
Tx_Bytes 349280059743

 

Troubleshooting steps: 

  1. An SD-WAN member is shown as inactive when its health check is failing. A simple way to confirm this is to run a sniffer filtered on the health-check server address and check whether probes leave the member interface and whether any replies come back.
  2. Ping the WAN1 gateway address to check reachability, or check the ARP table for the gateway entry, using the commands below. An empty ARP entry for the gateway means the FortiGate is not even resolving the next hop at layer 2.
  3. Verify the interface status and speed/duplex settings (see the deviceinfo output above: link up, 1000/full).
  4. Check whether bypassing the firewall and connecting the ISP handoff directly to a laptop works, to rule out the ISP side.
  5. Verify the routing table for the monitored IP address as below, and test reachability with ping, sourcing it from the WAN1 address so the probe follows the same path as the health check: 

 

get router info routing-table details 0.0.0.0

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
14.98.4.77, via wan1 inactive distance 0
* 47.254.165.49, via wan2 distance 0

 

execute ping-options source 14.98.4.78
execute ping 14.98.4.77
PING 14.98.4.77 (14.98.4.77): 56 data bytes
^C
--- 14.98.4.77 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

IN-BNG1-P-FW01 # get system arp | grep wan1
IN-BNG1-P-FW01 #
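The checks in steps 1 to 3 spelled out as FortiOS CLI commands. This is an added example, not part of the original article; the gateway address 14.98.4.77 from the outputs above is used as a stand-in for the health-check server, and `diagnose sys sdwan health-check` assumes FortiOS 6.4 or later.

```text
# Health-check state per SD-WAN member (FortiOS 6.4+; 6.2 and earlier use
# 'diagnose sys virtual-wan-link health-check')
diagnose sys sdwan health-check

# Watch probes to the monitored address leave wan1 and whether any reply
# returns; verbosity 4 prints the interface name per packet, Ctrl-C stops
diagnose sniffer packet wan1 'host 14.98.4.77' 4

# Link state, speed/duplex and Rx/Tx counters of the member interface
diagnose hardware deviceinfo nic wan1
```

If the sniffer shows probes going out on wan1 but nothing coming back, and the ARP table has no entry for the gateway, the problem is on the layer-2 path between the FortiGate and the ISP gateway rather than in the SD-WAN configuration itself; that is the case the HA group ID check below addresses.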

 

Run the below command and verify if the default Group ID 0 is in use:

 

get system ha status
HA Health Status: OK
Model: FortiGate-201F
Mode: HA A-A
Group Name: fgt1
Group ID: 0   ----> Group ID is 0.
Debug: 0
Cluster Uptime: 32 days 0h:16m:43s
Cluster state change time: 2025-08-28 14:51:10
Primary selected using:

 

If the default group ID is in use, the cluster's virtual MAC address can collide with that of another FortiGate cluster on the same ISP layer-2 segment, because the virtual MAC is derived from the group ID. See: Technical Tip: Changing MAC address on WAN interface for a HA cluster 

 

Below is the HA status after changing the group ID to 128:

 

FGT201F-2 # get system ha status
HA Health Status: OK
Model: FortiGate-201F
Mode: HA A-A
Group Name: fgt2
Group ID: 128 ----> Changed to 128.
Debug: 0
Cluster Uptime: 32 days 0h:20m:23s
Cluster state change time: 2025-08-28 14:55:12
Primary selected using:

 

The fifth octet of the HA virtual MAC address (format 00:09:0f:09:<group ID in hex>:<interface index>) is derived from the group ID. With the default group ID 0, wan1 on this unit carried 00:09:0f:09:00:00, as shown in the deviceinfo output above, which is the same virtual MAC every other cluster left at group ID 0 presents on its first interface; with group ID 128 (0x80) the cluster moves to a distinct virtual MAC. Note that changing the group ID changes the virtual MAC on every cluster interface, so expect a short interruption while neighbors relearn the address; stale ARP entries on the ISP gateway may need to age out or be cleared.

After that, the ping to the gateway should succeed, the gateway should appear in the ARP table, and the SD-WAN health check should pass again.
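The virtual MAC derivation described above, worked through in code. This is an added example, not Fortinet's implementation: it assumes the documented virtual MAC format 00:09:0f:09:<group ID in hex>:<interface index>, limits the group ID to 0-255 so it fits in one octet, and models virtual cluster 1 only (the virtual-cluster-2 encoding of the last octet is not covered). The cluster names and the neighbouring cluster are constructed for the scenario.

```python
"""Added example (not Fortinet code): derive FortiGate HA virtual MAC
addresses from the HA group ID and spot clusters that would collide on a
shared layer-2 segment.

Assumed format, from Fortinet's HA documentation:
    00:09:0f:09:<group ID in hex>:<interface index>
Group ID is limited to 0-255 (one octet). Virtual cluster 1 is assumed.
"""
from itertools import combinations
from typing import Optional

HA_VMAC_PREFIX = "00:09:0f:09"


def virtual_mac(group_id: int, interface_index: int = 0) -> str:
    """Virtual MAC a cluster with this group ID presents on the interface
    with the given index (wan1 on the unit in the article has index 0)."""
    if not 0 <= group_id <= 255:
        raise ValueError("HA group ID must be 0-255 to fit in one MAC octet")
    if not 0 <= interface_index <= 255:
        raise ValueError("interface index must fit in one octet")
    return f"{HA_VMAC_PREFIX}:{group_id:02x}:{interface_index:02x}"


def parse_virtual_mac(mac: str) -> Optional[tuple[int, int]]:
    """Decode a MAC seen in an ARP or MAC table into (group_id, interface_index),
    or None if it is not a FortiGate HA virtual MAC. Useful for telling whether
    a foreign cluster on the segment is using the same group ID."""
    mac = mac.lower().replace("-", ":")
    octets = mac.split(":")
    if len(octets) != 6 or not mac.startswith(HA_VMAC_PREFIX + ":"):
        return None
    return int(octets[4], 16), int(octets[5], 16)


def find_collisions(clusters: dict[str, int],
                    interface_index: int = 0) -> list[tuple[str, str, str]]:
    """Pairs of clusters whose virtual MAC on the given interface index is
    identical. `clusters` maps a cluster name to its HA group ID."""
    macs = {name: virtual_mac(gid, interface_index) for name, gid in clusters.items()}
    return [(a, b, macs[a])
            for a, b in combinations(sorted(macs), 2)
            if macs[a] == macs[b]]


if __name__ == "__main__":
    # Constructed scenario: our cluster and a neighbour's cluster both left the
    # default group ID 0, then ours was moved to 128 as in the article.
    before = {"fgt1": 0, "neighbour-cluster": 0}
    after = {"fgt2": 128, "neighbour-cluster": 0}
    print("before:", find_collisions(before))   # collision on 00:09:0f:09:00:00
    print("after: ", find_collisions(after))    # []
    print(parse_virtual_mac("00:09:0f:09:80:00"))  # (128, 0)
```

The Current_HWaddr value 00:09:0f:09:00:00 from the deviceinfo output above decodes to group ID 0 on interface index 0, which is exactly what any other default-configured cluster on the same segment would present; a foreign entry with the 00:09:0f:09 prefix in the ISP gateway's ARP table is the tell-tale sign of this collision.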