HI Everyone,
I have a pair of 80E running in an HA cluster with dual ISP and SD-WAN enabled on 6.2.3 for the last 3 weeks. Since I have enabled HA, my WAN1 interface keeps going down and up every couple of minutes (it gets marked DOWN on the SD-WAN Performance SLA due to packet loss).
I have troubleshot it and it appears that it's not receiving packets back from the ISP gateway (not receiving a reply to the ARP request for the gateway MAC address - an L2 issue).
I opened an incident at my ISP and after troubleshooting they said the issue is with the Fortigate, which is using the same virtual MAC for all firewall clusters. Most probably there is another cluster in the same subnet on my WAN (which is part of a /24).
Indeed, if you look at the virtual MAC formula here: https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=11772&languageId= , unless you change the group ID, enable VDOM or virtual cluster, it will be: 00-09-0f-09-00-00. The virtual MAC formula is: 00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>
In this case I would like to change the "group ID" on each of the cluster members, starting with the slave member and then on the master member.
Q: Will this change also change all MAC addresses on all the rest of the interfaces? Any recommendation?
Kind regards,
Adi
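The formula quoted above can be worked through before touching the cluster, so you can see every interface MAC that a new group ID produces and confirm it no longer overlaps with a neighbouring cluster on the same /24. The following is an added example, not code from the thread or from Fortinet. It assumes the group ID is 0..255, that the last octet is one hex digit for the virtual cluster (0 for vcluster 1, 2 for vcluster 2, as KB 11772 describes) followed by one hex digit for the interface index, and so models at most 16 interfaces per cluster; the interface counts and neighbour group ID used at the bottom are constructed sample values.

```python
"""Derive FortiGate HA virtual MACs from
00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>
and check two clusters on one L2 segment for a collision.
Added example; encoding of the last octet is an assumption."""

# Assumption: digit used for virtual cluster 1 and 2 in the last octet.
VCLUSTER_DIGIT = {1: 0, 2: 2}


def ha_virtual_mac(group_id: int, vcluster: int = 1, idx: int = 0) -> str:
    """Virtual MAC for one interface of an HA cluster (lower-case, dash separated)."""
    if not 0 <= group_id <= 255:
        raise ValueError("group-id must be 0..255")
    if vcluster not in VCLUSTER_DIGIT:
        raise ValueError("vcluster must be 1 or 2")
    if not 0 <= idx <= 15:
        raise ValueError("this model covers interface index 0..15 only")
    last_octet = f"{VCLUSTER_DIGIT[vcluster]:x}{idx:x}"
    return f"00-09-0f-09-{group_id:02x}-{last_octet}"


def cluster_macs(group_id: int, n_interfaces: int, vcluster: int = 1) -> dict:
    """All virtual MACs a cluster will use, keyed by interface index.
    Shows that the group ID changes every interface, not only WAN1."""
    return {idx: ha_virtual_mac(group_id, vcluster, idx) for idx in range(n_interfaces)}


def colliding_macs(cluster_a: dict, cluster_b: dict) -> list:
    """MACs that two clusters sharing an L2 segment would both claim."""
    return sorted(set(cluster_a.values()) & set(cluster_b.values()))


def plan_group_change(old_group: int, new_group: int, n_interfaces: int) -> list:
    """(index, old MAC, new MAC) for every interface, for the ARP/MAC table
    entries that upstream devices (and any NAC keyed on MAC) must relearn."""
    old = cluster_macs(old_group, n_interfaces)
    new = cluster_macs(new_group, n_interfaces)
    return [(i, old[i], new[i]) for i in range(n_interfaces)]


if __name__ == "__main__":
    # Constructed sample: our cluster and a neighbour both at the default group 0.
    ours = cluster_macs(group_id=0, n_interfaces=10)
    neighbour = cluster_macs(group_id=0, n_interfaces=6)
    print("collisions at default group ID:", colliding_macs(ours, neighbour))
    # Constructed sample: move our cluster to group ID 7.
    for idx, old_mac, new_mac in plan_group_change(0, 7, 10):
        print(f"port{idx}: {old_mac} -> {new_mac}")
    print("collisions after change:", colliding_macs(cluster_macs(7, 10), neighbour))
```

Running it shows the default group ID reproduces 00-09-0f-09-00-00 on the first interface and collides with any other default cluster on the segment, and that a new group ID rewrites the fifth octet on every interface, which is why the LAN side also sees a MAC change.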
Hi Adi,
Changing the group ID will change the MAC address on all interfaces, as all interfaces get a virtual cluster address once HA is configured.
But unless you have checks on the current MAC address of the Fortigates (e.g. NAC) etc., your MAC and ARP tables should be updated automatically without causing too many issues.
Good luck,
Johan
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
wittersjohan wrote: Hi Adi,
Changing the group ID will change the MAC address on all interfaces, as all interfaces get a virtual cluster address once HA is configured.
But unless you have checks on the current MAC address of the Fortigates (e.g. NAC) etc., your MAC and ARP tables should be updated automatically without causing too many issues.
Good luck,
Johan
Hi Johan,
Yes, changing the group ID changed the MAC on all interfaces and Windows computers showed that annoying screen to choose from Work, Private, Public network :(.
Kind regards,
Adi