vpatil
Staff
Article Id 228330
Description This article describes the user impact when a Managed FortiSwitch VLAN interface shows the same MAC address on two independent FortiGate HA pairs.
Scope FortiGate-100F v7.0.6 build0366; MCLAG-ICL FSW-424E v7.2.1 build0406; Both FortiGate sites are interconnected using FortiSwitch port5 (MPLS link).
Solution

1) The FortiGate at one site cannot ping the FortiGate at the other site: the VLAN92 interface IP addresses cannot be pinged from either site.

2) LAN users connected to the VLAN on a FortiSwitch port sometimes cannot ping the VLAN gateway, and may experience intermittent packet loss in the network.

3) The VLAN92 interface and the other VLAN interfaces on both FortiGates show the same MAC address 'XX:XX:XX:XX:00:12' (the actual MAC address has been obfuscated in this article):

4) Both locations use the same FortiGate model (FortiGate-100F) with the default group-id 0 under 'config system ha', which generates the same virtual MAC addresses at both sites. This is expected behaviour.

Change the HA group ID at one of the locations to avoid the MAC address conflict. This changes the virtual MAC address of all cluster interfaces at that location.

To change the HA Group ID from the FortiGate CLI, run the following:


# config system ha
    set group-id <id_integer>
end

The group ID is an integer in the range 0-255.
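As an added example (not part of this article or Fortinet's own tooling), the following Python check flags virtual MAC addresses that are identical across two independent HA pairs, picks an unused group-id, and shows how a site's MACs change after 'set group-id'. It assumes the cluster virtual MAC layout 00:09:0f:09:<group-id>:<index> (group-id in the fifth octet) and uses constructed sample MACs.

```python
# Added example, not from the Fortinet article: detect FortiGate HA virtual MAC
# collisions across two sites and pick an unused HA group-id. Assumption: virtual
# MACs are laid out as 00:09:0f:09:<group-id>:<index>; all MACs are constructed.
from collections import defaultdict

VMAC_PREFIX = (0x00, 0x09, 0x0F, 0x09)  # assumed FortiGate virtual MAC prefix

def parse_mac(mac):
    """'00:09:0f:09:00:12' -> (0, 9, 15, 9, 0, 18)."""
    return tuple(int(octet, 16) for octet in mac.lower().split(":"))

def ha_group_id(mac):
    """Group-id encoded in a cluster virtual MAC, or None for other MACs."""
    octets = parse_mac(mac)
    return octets[4] if octets[:4] == VMAC_PREFIX else None

def find_conflicts(sites):
    """sites: {site: {iface: mac}} -> {mac: [(site, iface), ...]} seen at >1 site."""
    owners = defaultdict(list)
    for site, ifaces in sites.items():
        for iface, mac in ifaces.items():
            owners[mac.lower()].append((site, iface))
    return {m: o for m, o in owners.items() if len({s for s, _ in o}) > 1}

def suggest_group_id(sites):
    """Lowest group-id in 0-255 not already used by any site's cluster MACs."""
    used = set()
    for ifaces in sites.values():
        for mac in ifaces.values():
            gid = ha_group_id(mac)
            if gid is not None:
                used.add(gid)
    return next(g for g in range(256) if g not in used)

def apply_group_id(ifaces, gid):
    """Rewrite a site's virtual MACs as they look after 'set group-id <gid>'."""
    out = {}
    for iface, mac in ifaces.items():
        octets = list(parse_mac(mac))
        octets[4] = gid  # only the group-id octet changes; index stays
        out[iface] = ":".join(f"{x:02x}" for x in octets)
    return out

# Constructed sample: both sites left at the default group-id 0, as in the article.
SAMPLE_SITES = {
    "site-A": {"VLAN92": "00:09:0f:09:00:12", "VLAN10": "00:09:0f:09:00:13"},
    "site-B": {"VLAN92": "00:09:0f:09:00:12", "VLAN10": "00:09:0f:09:00:13"},
}
```

Running find_conflicts on SAMPLE_SITES reports both VLAN MACs as duplicated; after apply_group_id on one site with the suggested id, no conflicts remain.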

Related documents:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/996579/cluster-virtual-mac-addresses
https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/564710/cluster-virtual-mac-a...