Description
This article describes the investigation and resolution of FortiGate High Availability (HA) failovers caused by intermittent link flapping on monitored interfaces and the use of non-Fortinet compatible SFP modules. It explains the symptoms, root cause analysis, and recommended corrective actions to prevent similar instability in HA environments.
Scope
FortiGate.
Solution
Devices in HA:
- Primary: FG1K5Dxxxxxxxx13.
- Secondary: FG1K5DTxxxxxxxx47.
HA Settings:
- Mode: Active-Passive.
- Heartbeat interfaces: port25, port26.
- Monitored interfaces: port22, port33, port37.
- Priority: 220.
- Override: Disabled.
Interface port37:
- Alias: TO-CORE-9K-SW.
- Mode: DHCP.
- Type: Physical.
- Function: Uplink to Cisco Core Switch.
Problem Description:
An incident may occur where HA failovers are triggered even though heartbeat communication between FortiGate units remains healthy. In this case, heartbeat links over port25 and port26 showed no packet loss, but monitored interface port37 experienced multiple link flaps. Since port37 was part of the HA link-monitor configuration, each flap triggered a health check failure and forced an HA role transition. This resulted in two unnecessary failovers at 15:29 and 16:31 despite stable HA heartbeat connectivity.
<2025-08-01 16:31:17> FG1K5Dxxxxxxxx13 is elected as the cluster primary of 2 member
<2025-08-01 16:31:17> port port37 link status changed: 0->1
<2025-08-01 16:31:16> FG1K5DTxxxxxxxx47 is elected as the cluster primary of 2 member
<2025-08-01 16:31:16> port port37 link status changed: 1->0
<2025-08-01 15:29:47> FG1K5Dxxxxxxxx13 is elected as the cluster primary of 2 member
<2025-08-01 15:29:47> port port37 link status changed: 0->1
<2025-08-01 15:29:46> FG1K5DTxxxxxxxx47 is elected as the cluster primary of 2 member
<2025-08-01 15:29:46> port port37 link status changed: 1->0
The HA failovers were triggered by persistent link flapping on physical interface port37, caused by repeated down/up states. This could be a potential physical layer issue.
Primary FortiGate:
Pri-HUB (global) $ diagnose hardware deviceinfo nic port37
Rx_Internal_Mac_Errors:99
Rx_CRC_Errors :82
FortiGate reveals notable hardware-level errors:
Rx_Internal_Mac_Errors: 99
Rx_CRC_Errors: 82
Rx CRC Errors typically occur due to corrupted Ethernet frames and are commonly associated with faulty cables, dirty fiber connectors, damaged SFP modules, or mismatched transceivers.
Given that port37 is an SFP interface, ensuring the use of a Fortinet-certified transceiver is critical to maintain link stability
Port37 uses an incompatible transceiver.
Interface port37 - SFP/SFP+/SFP28, compliance is unspecified
Vendor Name : OEM
Part No. : GOXP-C96-02
Serial No. : SY1912-LEC000116
Port33, which is also part of the monitored interfaces, has remained stable without any occurrence of link flapping.
Interface port33 - SFP/SFP+/SFP28, 10GBASE-SR
Vendor Name : FORTINET
Part No. : FTLX8574D3BCLFTN
Serial No. : N7NG0Z4
Recommendation:
SFP Module Compatibility:
Replace the current transceiver on port37 with a Fortinet-certified SFP module like one used in port 33. Current hardware was identified as incompatible, which may contribute to instability. Verify all the interfaces. It is recommended to use a Fortinet-certified SFP module.
Cable Integrity Check:
Inspect and replace Ethernet or fiber cables connected to port37, to rule out physical layer faults.
Monitoring post-remediation:
After replacing transceivers and cables, observe port and HA stability over a sustained
period to validate resolution.
