darrencarr
New Contributor II

MAC-ADDRESS flapping, please help

Hi all,

I have an issue with a MAC-ADDRESS flapping in my network on one of the routers that links two of our sites. The MAC-ADDRESS that is flapping is the virtual MAC-ADDRESS of the physical port that is patched into the switch at site two (right-hand side as you look at the diagram).

At each site there are two Fortigate 1000A running in an A-P cluster. HA is enabled on port 10.

At the HQ site, Port 8 of the firewall is configured with three VLAN interfaces: 32, 1030, 1332. A trunk connection then links the firewalls to the DMZ switches. The trunk is configured to carry these VLANs only. For redundancy, VLAN1030 (WAN link to DR site) is patched into port 34 on DMZSWITCH1, and VLAN1332 (WAN link to DR site) is patched into port 33 on DMZSWITCH2. Both are configured as access ports.

At the DR site, Port 8 of the firewall is configured with three VLAN interfaces: 32, 1030, 1332. I currently have a single point of failure with the switch, which will be resolved next week. Currently port 4 of the switch is an access port in VLAN 1029, port 7 is an access port in VLAN 1332, and ports 5 and 6 are configured as trunk ports carrying these VLANs only.

There is a difference in VLANs for VLAN 1029, VLAN1030 (the tag is removed by the ISP as it passes over the link). This link is operating just fine. I have a problem with the VLAN1332 link in that INT4 is showing that the link is flapping; the MAC-ADDRESS is that of the Fortigate. I have adjusted the GROUP_ID of the clusters so this is not causing the issue.

Can anyone advise? I am struggling here.

Thanks
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)
emnoc
Esteemed Contributor III

Does your Cisco log the MAC address that's flapping? You obviously have L2 info being picked up by at least 2 interfaces. I would look at the L2 FDB ( show mac-add dyn vlan xxxxx ), compare all interfaces and re-audit their configurations. Maybe that VLAN is spanned onto a trunk port but should have been pruned.

PCNSE NSE StrongSwan
darrencarr
New Contributor II

Hi, I don't have access to the switches as they are provided by an ISP. I've been on at the ISP to check them since I was told there was a MAC-ADDRESS flapping by their engineer... However, since then, I spoke to them this morning and it turns out the problem was that one of the switch ports had not negotiated the duplex correctly and was operating at half!! The engineer at the NOC changed the config and all is now OK! Not quite sure how the engineers got the two issues confused, but all is now good! Please close off this.

Cheers
Darren
Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)