cyodesigns

Fortigate HA port(s) MAC addresses not showing up in L2 network

Hi,

 

I have an active/active cluster of 2 x 3200D's. There are 2 ports dedicated to HA communication, port47 and port48. In order to see these HA ports' physical and virtual MAC addresses, I do this:

 

FGT-3200D (root) # diagnose sys ha mac
[... other interfaces which have VLAN(s) attached for user data ...]
prio=0, phy_index=46, itf_name=port47, mac=e8.1c.ba.x.x.x, vmac=00.09.0f.09.00.2e, linkfail=0
prio=0, phy_index=47, itf_name=port48, mac=e8.1c.ba.x.x.x, vmac=00.09.0f.09.00.2f, linkfail=0
[... other interfaces which have VLAN(s) attached for user data ...]

Unlike the interfaces for user data, where I can see the HA VMAC on the L2 infrastructure of the network, I cannot see the HA-specific VMACs (00.09.0f.09.00.2e and 00.09.0f.09.00.2f above) on the L2 infrastructure. The cables from port47 and port48 do go into switches and are not directly connected. And I do see the physical HA MAC addresses on the switches!

Can someone explain why I cannot see the VMACs of the HA interfaces in the L2 network?

 

Thanks

Mark

1 Solution
gfleming
Staff

As far as I am aware, HA ports do not use vmacs in the infrastructure. They use real MACs and establish IP connectivity using the real MACs. vmacs are only used on interfaces participating in HA failover for user traffic flows (so endpoints know which FW to talk to). Your HA ports are not providing connectivity to any other device besides the FortiGates so there is no need to advertise or use the vmac for this connectivity.

Cheers,
Graham

cyodesigns

Thanks Graham. Makes sense. Though slightly confusing for me that in the GUI it shows the VMAC :)

gfleming

Yes I agree it's a bit confusing. But as soon as you enable HA the system generates vMACs for all interfaces.

Cheers,
Graham
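
The behaviour described in this thread can be checked against a switch's learned MAC table. The following is an added example, not part of the original posts and not Fortinet tooling; the MAC suffixes, the port1 line and the switch entries are constructed sample data, and `norm_mac`, `parse_ha_mac` and `audit` are hypothetical helper names.

```python
import re

# Matches one interface line of `diagnose sys ha mac` in the format shown in the post.
LINE_RE = re.compile(
    r"phy_index=(?P<idx>\d+),\s*itf_name=(?P<itf>[^,\s]+),\s*"
    r"mac=(?P<mac>[0-9A-Fa-f.:-]+),\s*vmac=(?P<vmac>[0-9A-Fa-f.:-]+)"
)

def norm_mac(text):
    """Normalize e8.1c.ba.., e8:1c:ba.., e81c.ba.. notations to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def parse_ha_mac(output):
    """Return one dict per interface line; masked or unrelated lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append({"itf": m["itf"], "idx": int(m["idx"]),
                         "mac": norm_mac(m["mac"]), "vmac": norm_mac(m["vmac"])})
    return rows

def audit(output, learned_macs, ha_ports):
    """Map interface name -> (verdict, physical MAC seen, vMAC seen)."""
    seen = {norm_mac(m) for m in learned_macs}
    findings = {}
    for r in parse_ha_mac(output):
        phys, virt = r["mac"] in seen, r["vmac"] in seen
        if r["itf"] in ha_ports:
            # Per the answer: heartbeat ports communicate with their real MACs only.
            ok = phys and not virt
        else:
            # Per the thread: user-data interfaces show their vMAC on the L2 network.
            ok = virt
        findings[r["itf"]] = ("expected" if ok else "unexpected", phys, virt)
    return findings

# Constructed sample: the post's line format, made-up MAC suffixes, hypothetical port1.
SAMPLE = """\
prio=0, phy_index=0, itf_name=port1, mac=e8.1c.ba.00.00.01, vmac=00.09.0f.09.00.00, linkfail=0
prio=0, phy_index=46, itf_name=port47, mac=e8.1c.ba.00.00.2f, vmac=00.09.0f.09.00.2e, linkfail=0
prio=0, phy_index=47, itf_name=port48, mac=e8.1c.ba.00.00.30, vmac=00.09.0f.09.00.2f, linkfail=0
"""
# Constructed switch MAC table entries, in mixed notations on purpose.
LEARNED = ["0009.0f09.0000", "e8:1c:ba:00:00:2f", "E8-1C-BA-00-00-30"]
```

Calling `audit(SAMPLE, LEARNED, {"port47", "port48"})` returns a verdict per interface; an HA port whose vMAC does show up in the switch table is reported as "unexpected".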