Fortinet Forum
AdiMizil
New Contributor III

Change virtual MAC on WAN 1 in a HA Cluster

Hi everyone,

I have a pair of 80Es running in an HA cluster with dual ISP and SD-WAN enabled on 6.2.3 for the last 3 weeks. Since I enabled HA, my WAN1 interface keeps going down and up every couple of minutes (it gets marked DOWN by the SD-WAN Performance SLA due to packet loss).

I have troubleshot it and it appears that it is not receiving packets back from the ISP gateway (no reply to the ARP request for the gateway MAC address, i.e. an L2 issue).

I opened an incident with my ISP and after troubleshooting they said the issue is with the FortiGate, which uses the same virtual MAC for all firewall clusters. Most probably there is another cluster in the same subnet on my WAN (which is part of a /24).

Indeed, if you look at the virtual MAC formula here: https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=11772&languageId= , unless you change the group ID, enable VDOMs or use a virtual cluster, it will be 00-09-0f-09-00-00. The virtual MAC formula is: 00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>

  • The second last part of the virtual MAC address depends on the HA group ID and is the same for each cluster interface. The last part of the virtual MAC address is different for each cluster interface.

In this case I would like to change the "group ID" on each of the cluster members, starting with the slave member and then on the master member.

Q: Will this change also change the MAC addresses on all the rest of the interfaces? Any recommendation?

Kind regards,

Adi
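As an added illustration of the virtual MAC formula quoted in the post (this is not code from the post, from Fortinet, or from the KB article), the script below derives the per-interface virtual MACs for a given HA group ID and lists the addresses that two or more clusters on the same L2 segment would both claim. It assumes that vcluster_integer is 0 for virtual cluster 1 and 2 for virtual cluster 2, that idx is the zero-based interface index packed into the low nibble of the last byte, and the function names virtual_mac, cluster_macs and shared_virtual_macs are the example's own.

```python
# Added example: HA virtual MAC derivation from the formula
# 00-09-0f-09-<group-id_hex>-<vcluster_integer><idx> quoted in the post.
# Not Fortinet code; the vcluster/idx byte packing below is an assumption.

OUI_PREFIX = (0x00, 0x09, 0x0F, 0x09)   # fixed leading bytes from the formula

# Assumption: virtual cluster 1 -> 0, virtual cluster 2 -> 2 (not stated in the post).
VCLUSTER_INTEGER = {1: 0, 2: 2}


def virtual_mac(group_id: int, vcluster: int = 1, idx: int = 0) -> str:
    """Return the HA virtual MAC of one cluster interface (lowercase, dash-separated)."""
    if not 0 <= group_id <= 255:
        raise ValueError("HA group ID must fit in one byte")
    if idx not in range(16):
        raise ValueError("this example only covers interface indexes 0-15 (one hex digit)")
    # Assumption: last byte = <vcluster_integer> as high nibble, <idx> as low nibble.
    last_byte = (VCLUSTER_INTEGER[vcluster] << 4) | idx
    return "-".join(f"{b:02x}" for b in (*OUI_PREFIX, group_id, last_byte))


def cluster_macs(group_id: int, vcluster: int = 1, interface_count: int = 4) -> dict:
    """Map portN -> virtual MAC for the first interface_count interfaces (port1 has idx 0)."""
    return {f"port{i + 1}": virtual_mac(group_id, vcluster, i) for i in range(interface_count)}


def shared_virtual_macs(group_ids, vcluster: int = 1, interface_count: int = 4) -> dict:
    """Given the group IDs of every HA cluster on one L2 segment, return the virtual
    MACs claimed by more than one cluster, mapped to the (group_id, port) pairs that
    own them. This is the duplicate-MAC condition the ISP described."""
    owners: dict = {}
    for gid in group_ids:
        for port, mac in cluster_macs(gid, vcluster, interface_count).items():
            owners.setdefault(mac, []).append((gid, port))
    return {mac: o for mac, o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    # Constructed scenario: two clusters on one /24, both left at the default group ID 0.
    print(virtual_mac(0))                 # default group ID, virtual cluster 1, port1
    print(shared_virtual_macs([0, 0]))    # every port's virtual MAC collides
    print(shared_virtual_macs([0, 7]))    # after one cluster moves to group ID 7: no overlap
```

Running the block with both constructed clusters at group ID 0 reports a collision on every interface, which is what a duplicated default group ID on a shared WAN segment looks like from the switch's point of view; changing one cluster's group ID moves its entire set of virtual MACs, which is also why all interfaces, not only WAN1, change address.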

1 Solution
Johan_Witters
Contributor

Hi Adi,

Changing the group ID will change the MAC address on all interfaces, as all interfaces get a virtual cluster address once HA is configured.

But unless you have checks on the current MAC address of the FortiGates (e.g. NAC) etc., your MAC and ARP tables should be updated automatically without causing too many issues.

Good luck,

Johan

Johan Witters

Network & Security Engineer

FCNSP V4/V5

BKM NV


AdiMizil

wittersjohan wrote:

    Hi Adi,

    Changing the group ID will change the MAC address on all interfaces, as all interfaces get a virtual cluster address once HA is configured.

    But unless you have checks on the current MAC address of the FortiGates (e.g. NAC) etc., your MAC and ARP tables should be updated automatically without causing too many issues.

    Good luck,

    Johan

Hi Johan,

Yes, changing the group ID changed the MAC on all interfaces, and Windows computers showed that annoying screen to choose between Work, Private and Public network :(.

Kind regards,

Adi