fatihak
New Contributor

Switch forwards packets to Fortigates as if there is load balance, but there is no load balance

I have 2 FortiGate clusters on my network. One is for SSL VPN and the other one is for the internet (the rest of the traffic other than SSL VPN). They are connected to the internet router via a switch in between. They both have different public IP addresses; however, when I ping the SSL VPN firewall from outside, packets arrive at both the internet and SSL VPN firewalls as if there is a load balance (I sniff the traffic using the sniffer command). It is very confusing because the IP addresses are different and there is no load balance at all. What can be the reason behind this? Or do you have any other recommendations for troubleshooting? Thanks in advance

sslvpn -> 400F (active passive ha)
Internet -> 600E (active passive ha)

1 Solution
atakannatak
New Contributor III

Hi @fatihak ,

In your network structure, this issue likely arises because both cluster firewalls are connected to the same Layer 2 segment and may have the same MAC addresses on the relevant switch.

After checking the MAC addresses of the firewalls in the cluster, if they are using the same values, you can change the group-id value in the HA configuration by following this document. This will generate a unique MAC address using the specified group-id value.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-conflict-HA-virtual-MAC-address-in-the-d...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-HA-Cluster-virtual-MAC-addresses/ta-p/1942...

BR.

If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.

Atakan Atak

2 REPLIES 2
ozkanaltas
Valued Contributor III

Hello @fatihak ,

When you look at the ARP table of the switch to which the FortiGates are connected, can you see the MACs of the FortiGates separately?

Also, are the public IP subnets defined in the FortiGates different or the same?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW