FortiGate
knaveenkumar (Staff)
Article Id 408740
Description This article describes an issue where the WAN1 ISP port shows as up but passes no traffic on SD-WAN with HA in Active-Active (A-A) mode.
Scope FortiGate.
Solution

Issue: 

WAN1 is shown as inactive in SD-WAN, but the interface status appears up.

[Screenshot: wan1 is down]

FW01 # diagnose hardware deviceinfo nic
Description Fortinet 90E Ethernet Driver
System_Device_Name wan1
Current_HWaddr 00:09:0f:09:00:00
Permanent_HWaddr 90:6c:ac:c2:0f:42
State up
Link up
PHY Link up
Speed 1000
Duplex full
port: 0
def vid 4095
cur_vid 4095
netdev_running 1
stp: 0
mac_bypass 0
pci_rx 0
Rx_Packets 2881854046
Tx_Packets 1161563070
Rx_Bytes 3145805419908
Tx_Bytes 349280059743


Troubleshooting steps: 

  1. Ping the WAN1 gateway address to verify reachability.
  2. Verify the interface status and speed settings.
  3. Check whether bypassing the firewall and connecting the ISP link directly to a laptop works.
  4. Verify the routing table as below for the monitored IP address, test reachability with ping options, and check whether an ARP entry exists for the gateway on wan1: 


get router info routing-table details 0.0.0.0

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
14.98.4.77, via wan1 inactive distance 0
* 47.254.165.49, via wan2 distance 0


execute ping-options source 14.98.4.78
execute ping 14.98.4.77
PING 14.98.4.77 (14.98.4.77): 56 data bytes
^C
--- 14.98.4.77 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

IN-BNG1-P-FW01 # get system arp | grep wan1
IN-BNG1-P-FW01 #


  5. Capture the HA talk debug output to verify the Group ID, and use the sniffer to check the source MAC address of the frames sent on wan1, as below:

diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application hatalk -1 
diagnose debug application hasync -1 

Sniffer: 


diagnose sniffer packet <interface> <'filter'> 6 0 a


Example source MAC address seen in the sniffer: 00:09:0f:09:00:00.

This is the HA virtual MAC address; its last 4 octets are 00:00 because the group ID is left at 0 (the default). As a result, ARP replies for wan1 were not being received.


Also run the command below and check the Group ID in the output; here it is 0.


get system ha status
HA Health Status: OK
Model: FortiGate-201F
Mode: HA A-A
Group Name: fgt1
Group ID: 0   ----> Group ID is 0.
Debug: 0
Cluster Uptime: 32 days 0h:16m:43s
Cluster state change time: 2025-08-28 14:51:10
Primary selected using:


To resolve this, configure a non-zero group ID, since the last 4 octets of the virtual MAC address are derived from the group ID.


Below is the output after the group ID was changed to 128.


FGT201F-2 # get system ha status
HA Health Status: OK
Model: FortiGate-201F
Mode: HA A-A
Group Name: fgt2
Group ID: 128 ----> Changed to 128.
Debug: 0
Cluster Uptime: 32 days 0h:20m:23s
Cluster state change time: 2025-08-28 14:55:12
Primary selected using:


Once a group ID was configured, the last 4 octets of the virtual MAC address were derived from it, wan1 regained a valid virtual MAC, and ARP replies were received again.

After that, ping to the gateway should succeed.
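As an added example (not code from the article or from Fortinet), the small Python checker below parses constructed samples of the three CLI outputs shown above and flags the combination this article diagnoses: an inactive wan1 next hop, an HA group ID of 0, and a virtual MAC ending in the default 00:00. The function names and the finding text are my own.

```python
import re

# Constructed samples, trimmed from the CLI captures shown in this article.
NIC_OUTPUT = """\
System_Device_Name wan1
Current_HWaddr 00:09:0f:09:00:00
Permanent_HWaddr 90:6c:ac:c2:0f:42
"""
HA_STATUS = """\
Mode: HA A-A
Group ID: 0
"""
ROUTE_OUTPUT = """\
Routing entry for 0.0.0.0/0
14.98.4.77, via wan1 inactive distance 0
* 47.254.165.49, via wan2 distance 0
"""

def parse_kv(text, sep):
    """Turn 'key<sep>value' lines into a dict, keeping the first value per key."""
    out = {}
    for line in text.splitlines():
        if sep in line:
            key, value = line.split(sep, 1)
            out.setdefault(key.strip(), value.strip())
    return out

def inactive_gateways(route_text):
    """Return (gateway, interface) pairs that the routing table marks inactive."""
    pat = re.compile(r"^\*?\s*(\S+), via (\S+) inactive\b")
    return [m.groups() for m in map(pat.match, route_text.splitlines()) if m]

def check_ha_virtual_mac(nic_text, ha_text):
    """Flag the condition from the article: an HA cluster left on group ID 0
    while the WAN port carries a virtual MAC ending in the default 00:00."""
    nic, ha = parse_kv(nic_text, " "), parse_kv(ha_text, ":")
    group_id = int(ha.get("Group ID", "0"))
    current = nic.get("Current_HWaddr", "").lower()
    permanent = nic.get("Permanent_HWaddr", "").lower()
    findings = []
    if ha.get("Mode", "").startswith("HA") and group_id == 0:
        findings.append("HA group ID is 0 (default); configure a non-zero group ID")
    if current != permanent and current.endswith(":00:00"):
        findings.append(f"{nic.get('System_Device_Name')} uses virtual MAC {current} "
                        "with the default 00:00 suffix; ARP replies may not be received")
    return {"group_id": group_id, "virtual_mac": current, "findings": findings}

if __name__ == "__main__":
    print(inactive_gateways(ROUTE_OUTPUT))
    print(check_ha_virtual_mac(NIC_OUTPUT, HA_STATUS)["findings"])
```

Feed it the real output of `get system ha status`, `diagnose hardware deviceinfo nic wan1` and `get router info routing-table details 0.0.0.0`; the group ID itself is set with `set group-id` under `config system ha`.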