Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ezhupa
Staff
Staff

Created on ‎11-17-2022 07:31 AM Edited on ‎06-12-2025 05:43 AM By Community Manager

Article Id 230170

Troubleshooting Tip: PPPoE fails to form on WAN1/2 when FortiGate in HA Cluster

Description This article describes how to troubleshoot an issue where PPPoE does not form on WAN1/2 when FortiGate is in an HA Cluster.
Scope FortiGate.
Solution

Check group-id and change the value to a random number:

Sometimes, issues on only one WAN interface occur when trying to form a PPPoE connection, despite how the PPPoE connection forms correctly when trying from a laptop or in any other interface. 

 

This article assumes the following:

  1. FortiGate is operating in a cluster.
  2. All PPPoE credentials are correct.
  3. A PPPoE connection forms successfully when tested on another device/port.


When operating in a cluster interface, each FortiGate is assigned a virtual MAC address. The virtual MAC address is determined based on the following formula on virtual cluster 1:

 

00-09-0f-09-<group-id_hex>- (<vcluster_integer> <idx>) <----- <group-id_hex> is the HA Group ID for the cluster, converted to hexadecimal.

 

To view and check the MAC address of the interfaces the following commands can be run:

 

diagnose hardware deviceinfo nic <port>

 

Or:

 

config system interface
    edit <port>
get

 

This will show all related information to that particular port.

 

By default, the group ID of all HA clusters is 0. 

If there is another HA cluster connected to the same PPPoE server, the virtual MAC may cause issues in forming the PPPoE connection. Change the group ID value in the HA config to fix this issue:


config system ha

    set group-id <integer value>

end

 

Afterward, try to reform the PPPoE connection. If issues persist, run the following commands to troubleshoot the issue:

diagnose debug console timestamp enable
diagnose debug app ppp -1
diagnose debug app pppoed -1
diagnose debug enable

 

To stop debugging:

 

diagnose debug disable


Disable debugging with 'diag debug disable' when finished. Additionally, run a packet sniffer:


diagnose sniffer packet <PPPoE_INTERFACE_NAME> 6 0 l

 

Press CTRL+C to stop the packet sniffer at any time.

 

In the case where the customer does not agree to change the group-id.  Another option to solve the issue is:

 

  • Creating an EMAC VLAN underneath the HA wan1 network interface. This creates a MAC address that is unique on the ISP network and the PPPoE connection will come up.

For more info on troubleshooting PPPoE connections, refer to the following KB article: Technical Tip: Troubleshooting PPPoE connection failed
6122
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.