gravyface
New Contributor

Fortigate 5.6.2: HA Active/Standby: MAC address on WAN interfaces shared?

Looking into adding an HA unit and configuring an active/standby configuration.

Is the MAC address cloned/spoofed/shared via a virtual MAC on the WAN interfaces?

i.e. if the Hitron cable modem's inside ethernet interface is on a switch with the HA pair's WAN1 interfaces and the primary unit fails, will the secondary Fortigate ARP reply (gratuitously, presumably) have the same MAC as the primary Fortigate's WAN1 interface?

Toshi_Esumi
SuperUser

In a-p mode, HA assigns a virtual MAC address to each interface so all members use the same one when one of them takes over the primary role.

Completely unrelated, but a cable provider in TX, Spectrum, admitted the Hitron modems they installed have issues with VPN traffic. We have a couple of customers with a bunch of their locations in the area experiencing performance issues over our VPN. We're still in the middle of getting them replaced with a different type of modem, like Ubee. They're now saying the manufacturer is aware and providing new firmware to address the issue, but we haven't gotten any indication of a remote upgrade or unit swap. Just FYI.

gravyface

Strange.  Is that in bridged mode?  You'd think a layer 2 bridge would be immune to IPSec issues.

Toshi_Esumi

I forgot to mention. It's in router mode since we ordered a static IP and they couldn't deliver it with bridge mode.

gravyface

toshiesumi wrote:

I forgot to mention. It's in router mode since we ordered a static IP and they couldn't deliver it with bridge mode.

Really?  That's pretty weird; I'm guessing they do DHCP reservations then.  I'd be shopping around for another ISP because when you have/need a static, 99% of the time you have your own firewall.

Toshi_Esumi

That would be my action. But our provisioning team looked for options at the beginning and came up with Spectrum for 60M-down-level cable internet service at a reasonable cost there.

Ashik_Sheik
Contributor II

When a cluster is operating, the FGCP assigns virtual MAC addresses to each primary unit interface. HA uses virtual MAC addresses so that if a failover occurs, the new primary unit interfaces will have the same virtual MAC addresses and IP addresses as the failed primary unit. As a result, most network equipment would identify the new primary unit as the exact same device as the failed primary unit.

If the MAC addresses changed after a failover, the network would take longer to recover because all attached network devices would have to learn the new MAC addresses before they could communicate with the cluster.

If a cluster is operating in NAT/Route mode, the FGCP assigns a different virtual MAC address to each primary unit interface. VLAN subinterfaces are assigned the same virtual MAC address as the physical interface that the VLAN subinterface is added to. Redundant interfaces or 802.3ad aggregate interfaces are assigned the virtual MAC address of the first interface in the redundant or aggregate list.

If a cluster is operating in Transparent mode, the FGCP assigns a virtual MAC address for the primary unit management IP address. Since you can connect to the management IP address from any interface, all of the FortiGate interfaces appear to have the same virtual MAC address.

Sheik Mahammad Ashik
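As an added verification aid (not from this thread or from Fortinet), the following Python script encodes the virtual-MAC grouping rules described in the reply above and compares them with the MACs an upstream switch or ARP table reported before and after a forced failover. The interface names, MAC values and switch-side captures are constructed sample data; the real FGCP virtual-MAC numbering scheme is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Iface:
    name: str
    kind: str = "physical"          # physical | vlan | redundant | aggregate
    parent: str = ""                # vlan: the physical interface it is added to
    members: list = field(default_factory=list)  # redundant/aggregate member list

def expected_vmac_groups(ifaces, mode):
    """Map interface -> group key. Interfaces with the same key should present
    the same virtual MAC according to the rules in the reply above."""
    if mode == "transparent":
        # One virtual MAC for the management IP, visible on every interface.
        return {i.name: "management-ip" for i in ifaces}
    groups = {}
    for i in ifaces:
        if i.kind == "physical":
            groups[i.name] = i.name               # own virtual MAC per interface
        elif i.kind == "vlan":
            groups[i.name] = i.parent             # same as the physical parent
        elif i.kind in ("redundant", "aggregate"):
            groups[i.name] = i.members[0]         # same as first member in the list
        else:
            raise ValueError(f"unknown interface kind {i.kind}")
    return groups

def find_anomalies(groups, before, after):
    """before/after: {interface: MAC seen upstream} captured before and after a
    forced failover. Returns findings; an empty list means behaviour matches."""
    findings = []
    for name, mac in after.items():          # rule: MAC must survive failover
        if before.get(name) != mac:
            findings.append(f"{name}: MAC changed on failover ({before.get(name)} -> {mac})")
    by_group = {}
    for name, key in groups.items():
        by_group.setdefault(key, set()).add(after.get(name))
    for key, macs in by_group.items():       # rule: one MAC per group
        if len(macs) > 1:
            findings.append(f"group {key}: members show different MACs {sorted(map(str, macs))}")
    return findings

# Constructed cluster layout and constructed switch-side observations.
CLUSTER = [Iface("wan1"), Iface("wan2"), Iface("internal"),
           Iface("internal.100", "vlan", parent="internal"),
           Iface("port5"), Iface("port6"),
           Iface("lacp1", "aggregate", members=["port5", "port6"])]
BEFORE = {"wan1": "02:00:00:00:00:01", "wan2": "02:00:00:00:00:02",
          "internal": "02:00:00:00:00:03", "internal.100": "02:00:00:00:00:03",
          "port5": "02:00:00:00:00:05", "port6": "02:00:00:00:00:06",
          "lacp1": "02:00:00:00:00:05"}
AFTER = dict(BEFORE, wan2="02:00:00:00:00:12")   # wan2 changed: should be flagged
```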