Not applicable

MAC address changes on default gateway -> sessions not updated

We have the following configuration at a customer: the default gateway of the Fortigate is a Checkpoint cluster. When a failover occurs on the Checkpoint cluster, the Fortigate seems to receive the change. I can see that the ARP table has been updated and the IP address of the default gateway points to the new MAC address of the other Checkpoint cluster member. New sessions are working properly, but existing sessions don't work anymore. It seems they are routed to the MAC address of the failed cluster member. I have to kill the session on the Fortigate or wait for the session timeout to occur. Is this behaviour by design? Shouldn't the Fortigate update all the sessions which point to the wrong MAC address?
UkWizard
New Contributor

This behaviour would be very odd, as the MAC is at the hardware level. Are you sure it's not the Checkpoint dropping the sessions during the failover? In the past when I worked on Checkpoints, they used to use a virtual MAC address anyway, so this couldn't happen. Does sound to me like the Checkpoint is the more likely culprit. Else it's a very bizarre fault.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

I don't think it's Checkpoint, because TCP sessions (like SSH and HTTP) are working fine, but not ICMP. The customer is now trying with UDP (TFTP). It's reproducible: a "ping -t" won't work after a Checkpoint failover anymore, but it starts to work again just after a manual session kill on the Fortigate. The Checkpoint doesn't seem to use a virtual MAC but a virtual IP. At a cluster failover I can see a MAC change on the gateway IP:

Normal:
10.19.219.4 0 00:0e:0c:80:c0:e4 port6 (virtual IP?)
10.19.219.5 0 00:04:23:ce:01:00 port6 (member1)
10.19.219.6 0 00:0e:0c:80:c0:e4 port6 (member2)

Failover:
10.19.219.4 0 00:04:23:ce:01:00 port6
10.19.219.5 0 00:04:23:ce:01:00 port6
10.19.219.6 0 00:0e:0c:80:c0:e4 port6
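To make the MAC move in the two ARP listings above easy to spot on a larger table, here is a small added script (not from the thread or from Fortinet). It parses lines in the "address age MAC interface" shape shown in the post (that column order is an assumption), diffs two snapshots, and reports which entries changed MAC and which cluster member previously owned the gateway's new MAC; the two snapshots are constructed from the post.

```python
import re

# Constructed sample input: the "normal" and "failover" ARP listings from the post,
# one entry per line as "address age mac interface".
ARP_NORMAL = """\
10.19.219.4 0 00:0e:0c:80:c0:e4 port6
10.19.219.5 0 00:04:23:ce:01:00 port6
10.19.219.6 0 00:0e:0c:80:c0:e4 port6
"""

ARP_FAILOVER = """\
10.19.219.4 0 00:04:23:ce:01:00 port6
10.19.219.5 0 00:04:23:ce:01:00 port6
10.19.219.6 0 00:0e:0c:80:c0:e4 port6
"""

# address, age (minutes), colon-separated MAC, interface; header or blank lines will not match.
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)$", re.IGNORECASE
)


def parse_arp(text):
    """Return {ip: (mac, interface)} from an ARP listing; MACs are normalised to lowercase."""
    table = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip headers, blank lines and anything not in the expected shape
        ip, _age, mac, iface = match.groups()
        table[ip] = (mac.lower(), iface)
    return table


def mac_changes(before, after):
    """IPs present in both snapshots whose MAC differs: {ip: (old_mac, new_mac)}."""
    return {
        ip: (before[ip][0], after[ip][0])
        for ip in before
        if ip in after and before[ip][0] != after[ip][0]
    }


def gateway_moved_to(before, after, gateway_ip):
    """If the gateway's MAC changed, list the other IPs that already had the new MAC
    in the 'before' snapshot (i.e. the cluster member that took over); None if unchanged."""
    changes = mac_changes(before, after)
    if gateway_ip not in changes:
        return None
    new_mac = changes[gateway_ip][1]
    return sorted(ip for ip, (mac, _) in before.items() if mac == new_mac and ip != gateway_ip)
```

Running it on the two snapshots reports that only 10.19.219.4 changed MAC and that the new MAC was previously 10.19.219.5's, which is exactly the hand-off the post describes.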
UkWizard
New Contributor

I still think you will find this is a Checkpoint issue. Firewall failovers normally have limitations like this. If TCP is working fine, then surely the customer isn't going to notice anyway. You could do a packet sniff on the internal interface of the Fortinet; this will prove whether it's even seeing the traffic coming in.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
Not applicable

I'll try sniffing next week... ("diag sniffer packet" if I remember?)
red_adair
New Contributor III

"Normally" a cluster should send out a GARP when switchover occurs. I also recall that CHKPT _can_ use some strange multicast based HA (unicast IP with multicast MAC), although in your example they look unicast :) When sniffing, keep an eye on ARPs, to see if a GARP is being sent out. Otherwise it's "normal" that the FGT will not relearn the address until the MAC table times out. You can verify this by manually clearing the ARP cache on the FGT after the CHKPT failover happens. -R.