Fortigate 5.6.2: HA Active/Standby: MAC address on WAN interfaces shared?

Author
gravyface
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/09/06 05:19:49
  • Status: offline
2018/09/21 14:38:41 (permalink)
0

Fortigate 5.6.2: HA Active/Standby: MAC address on WAN interfaces shared?

Looking into adding an HA unit and configuring an active/standby configuration.
 
Is the MAC address cloned/spoofed/shared via a virtual MAC on the WAN interfaces?
 
i.e. if the Hitron cable modem's inside ethernet interface is on a switch with the HA pair's WAN1 interfaces and the primary unit fails, will the secondary Fortigate ARP reply (gratuitously, presumably) have the same MAC as the primary Fortigate's WAN1 interface?
#1

6 Replies

    Toshi Esumi
    Expert Member
    • Total Posts : 1261
    • Scores: 89
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Fortigate 5.6.2: HA Active/Standby: MAC address on WAN interfaces shared? 2018/09/21 15:07:36 (permalink)
    0
    In a-p mode, HA assigns a virtual MAC address to each interface so all members use the same one when one of them takes over the primary role.
     
    Completely unrelated, but a cable provider in TX - Spectrum admitted Hitron modems they installed have issues with VPN traffic. We have a couple of customers with a bunch of their locations in the area experiencing performance issue over our VPN. We're still in the middle of getting them replaced with a different type of modem, like Ubee. They're now saying the manufacturer is aware and providing new firmware to address the issue but we haven't gotten any indication of remote upgrade or unit swap. Just FYI.
    #2
    gravyface
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/09/06 05:19:49
    • Status: offline
    Re: Fortigate 5.6.2: HA Active/Standby: MAC address on WAN interfaces shared? 2018/09/21 16:11:08 (permalink)
    0
    Strange. Is that in bridged mode? You'd think a layer 2 bridge would be immune to IPSec issues.
    #3
    Toshi Esumi
    Expert Member
    • Total Posts : 1261
    • Scores: 89
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Fortigate 5.6.2: HA Active/Standby: MAC address on WAN interfaces shared? 2018/09/21 16:17:30 (permalink)
    0
    I forgot to mention. It's in router mode since we ordered a static IP and they couldn't deliver it with bridge mode.
    #4
    gravyface
    New Member
    • Total Posts : 6
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/09/06 05:19:49
    • Status: offline
    Re: Fortigate 5.6.2: HA Active/Standby: MAC address on WAN interfaces shared? 2018/09/21 16:22:30 (permalink)
    0
    toshiesumi
    I forgot to mention. It's in router mode since we ordered a static IP and they couldn't deliver it with bridge mode.

    Really? That's pretty weird; I'm guessing they do DHCP reservations then. I'd be shopping around for another ISP because when you have/need a static, 99% of the time you have your own firewall.
    #5
    Toshi Esumi
    Expert Member
    • Total Posts : 1261
    • Scores: 89
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Fortigate 5.6.2: HA Active/Standby: MAC address on WAN interfaces shared? 2018/09/21 16:35:55 (permalink)
    0
    That would be my action. But our provisioning team looked for options at the beginning and came up with Spectrum for a 60M down level cable internet service at a reasonable cost there.
    #6
    Ashu
    Gold Member
    • Total Posts : 141
    • Scores: 12
    • Reward points: 0
    • Joined: 2015/04/17 04:33:45
    • Location: Muscat,Oman
    • Status: offline
    Re: Fortigate 5.6.2: HA Active/Standby: MAC address on WAN interfaces shared? 2018/09/22 05:09:08 (permalink)
    0
    When a cluster is operating, the FGCP assigns virtual MAC addresses to each primary unit interface. HA uses virtual MAC addresses so that if a failover occurs, the new primary unit interfaces will have the same virtual MAC addresses and IP addresses as the failed primary unit. As a result, most network equipment would identify the new primary unit as the exact same device as the failed primary unit.
    If the MAC addresses changed after a failover, the network would take longer to recover because all attached network devices would have to learn the new MAC addresses before they could communicate with the cluster.
    If a cluster is operating in NAT/Route mode, the FGCP assigns a different virtual MAC address to each primary unit interface. VLAN subinterfaces are assigned the same virtual MAC address as the physical interface that the VLAN subinterface is added to. Redundant interfaces or 802.3ad aggregate interfaces are assigned the virtual MAC address of the first interface in the redundant or aggregate list.
    If a cluster is operating in Transparent mode, the FGCP assigns a virtual MAC address for the primary unit management IP address. Since you can connect to the management IP address from any interface, all of the FortiGate interfaces appear to have the same virtual MAC address.

    Ashu 
     
    #7
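    The question the thread opens with ("will the secondary's ARP reply carry the same MAC as the primary's WAN1?") is something you can verify yourself from a capture on the WAN switch rather than take on faith. The script below is an added example, not code from the thread or from Fortinet: it parses ARP lines written in the style of `tcpdump -n arp` output, keeps the latest MAC seen for each IP, and reports every change of binding. Run against a capture spanning a forced failover, an empty change list confirms the virtual-MAC behaviour Ashu describes; a non-empty list is the same signal a defender watches for in general, an IP flapping between MACs. All timestamps, addresses and MACs in the two sample captures are constructed.

```python
"""Track IP-to-MAC bindings seen in ARP traffic and flag any change.

Added example, not from the thread or from Fortinet. The sample lines
are constructed in the style of `tcpdump -n arp` output; every IP and
MAC value is made up.
"""
import re

# Reply line, e.g. "14:38:01.000200 ARP, Reply 203.0.113.10 is-at 02:00:00:aa:bb:01, length 46"
REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)
# Request line, e.g. "14:38:01.000100 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46"
REQUEST_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Request who-has (?P<target>\d+\.\d+\.\d+\.\d+)"
    r"(?: \([^)]*\))? tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)

# Constructed capture 1: the new primary keeps the virtual MAC after failover.
VIRTUAL_MAC_CAPTURE = [
    "14:38:01.000100 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46",
    "14:38:01.000200 ARP, Reply 203.0.113.10 is-at 02:00:00:aa:bb:01, length 46",
    # Gratuitous ARP from the unit taking over (sender == target).
    "14:39:30.500000 ARP, Request who-has 203.0.113.10 tell 203.0.113.10, length 46",
    "14:39:30.500100 ARP, Reply 203.0.113.10 is-at 02:00:00:aa:bb:01, length 46",
]

# Constructed capture 2: the address moves to a box with a different MAC.
PHYSICAL_MAC_CAPTURE = [
    "14:38:01.000200 ARP, Reply 203.0.113.10 is-at 02:00:00:11:11:01, length 46",
    "14:39:30.500000 ARP, Request who-has 203.0.113.10 tell 203.0.113.10, length 46",
    "14:39:30.500100 ARP, Reply 203.0.113.10 is-at 02:00:00:22:22:01, length 46",
]


def parse_arp_line(line):
    """Return a dict describing an ARP reply or request, or None for other lines."""
    m = REPLY_RE.match(line)
    if m:
        return {"ts": m["ts"], "kind": "reply", "ip": m["ip"], "mac": m["mac"].lower()}
    m = REQUEST_RE.match(line)
    if m:
        # A request whose sender and target addresses match is gratuitous:
        # the host is announcing (or refreshing) its own binding.
        return {
            "ts": m["ts"],
            "kind": "request",
            "target": m["target"],
            "sender": m["sender"],
            "gratuitous": m["target"] == m["sender"],
        }
    return None


def track_bindings(lines):
    """Walk the ARP replies, keep the latest MAC per IP and record each change.

    Returns (table, changes) where table maps IP -> last MAC seen and
    changes is a list of (timestamp, ip, old_mac, new_mac) tuples.
    """
    table = {}
    changes = []
    for line in lines:
        rec = parse_arp_line(line)
        if not rec or rec["kind"] != "reply":
            continue
        prev = table.get(rec["ip"])
        if prev is not None and prev != rec["mac"]:
            changes.append((rec["ts"], rec["ip"], prev, rec["mac"]))
        table[rec["ip"]] = rec["mac"]
    return table, changes


def mac_preserved_across_capture(lines):
    """True if no IP in the capture ever changed its MAC binding."""
    return track_bindings(lines)[1] == []


if __name__ == "__main__":
    for name, capture in (("virtual MAC", VIRTUAL_MAC_CAPTURE),
                          ("physical MAC", PHYSICAL_MAC_CAPTURE)):
        table, changes = track_bindings(capture)
        print(f"{name}: bindings={table} changes={changes}")
```

    To use it on a real capture, mirror the switch port facing the modem, run `tcpdump -n -l arp` into a file while you force a failover, and feed the lines to `track_bindings`. Only replies update the table; requests are parsed so you can see the gratuitous announcement the new primary sends, but a request carries no authoritative "is-at" binding, so it is deliberately not trusted as one.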