Answered: Change virtual MAC on WAN 1 in a HA Cluster

Author
AdiMizil
2020/02/12 02:40:28 (permalink)

Hi everyone,

I have had a pair of 80Es running in an HA cluster with dual ISP and SD-WAN enabled on 6.2.3 for the last 3 weeks. Since I enabled HA, my WAN1 interface keeps going down and up every couple of minutes (it goes DOWN on the SD-WAN Performance SLA due to packet loss).

I have troubleshot it and it appears that it's not receiving packets back from the ISP gateway (it is not receiving a reply to the ARP request for the gateway MAC address, an L2 issue).

I opened an incident with my ISP and after troubleshooting they said the issue is with the FortiGate, which uses the same virtual MAC for all firewall clusters. Most probably there is another cluster in the same subnet on my WAN (which is part of a /24).

Indeed, if you look at the virtual MAC formula here: https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=11772&languageId= , unless you change the group ID or enable VDOMs or virtual clusters, it will be 00-09-0f-09-00-00. The virtual MAC formula is: 00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>
  • The second last part of the virtual MAC address depends on the HA group ID and is the same for each cluster interface. The last part of the virtual MAC address is different for each cluster interface.

In this case I would like to change the "group ID" on each of the cluster members, starting with the slave member and then on the master member.

Q: Will this change also change the MAC addresses on all the rest of the interfaces? Any recommendations?
 
Kind regards, 
Adi
#1
Johan Witters
Re: Change virtual MAC on WAN 1 in a HA Cluster 2020/02/12 04:24:12 (permalink) ☼ Best Answer by AdiMizil 2020/02/15 01:06:58
Hi Adi,
 
Changing the group ID will change the MAC address on all interfaces, as all interfaces get a virtual cluster address once HA is configured.

But unless you have checks on the current MAC address of the FortiGates (e.g. NAC) etc., your MAC and ARP tables should be updated automatically without causing too many issues.
 
Good luck,
 
Johan
#2
AdiMizil
Re: Change virtual MAC on WAN 1 in a HA Cluster 2020/02/15 01:08:03 (permalink)
wittersjohan
Hi Adi,

Changing the group ID will change the MAC address on all interfaces, as all interfaces get a virtual cluster address once HA is configured.

But unless you have checks on the current MAC address of the FortiGates (e.g. NAC) etc., your MAC and ARP tables should be updated automatically without causing too many issues.

Good luck,

Johan

Hi Johan, 
 
Yes, changing the group ID changed the MAC on all interfaces and Windows computers showed that annoying screen to choose from Work, Private, Public network :(.
 
Kind regards, 
Adi 
#3
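
An added example, not part of any post in this thread: a Python check that applies the virtual MAC formula quoted above (00-09-0f-09-<group-id_hex>-...) to a neighbor table from the shared WAN segment, reports other hosts that answer with the cluster's own virtual MAC, and lists group IDs not yet seen. The function names, the sample table and its 198.51.100.0/24 addresses are constructed for illustration, and the 0-255 range assumes the one-octet group ID field shown in the formula.

```python
import re

HA_VMAC_PREFIX = "00090f09"  # fixed leading octets from the formula in the thread

def normalize(mac):
    """Strip separators (':', '-', '.') and lowercase; None if not 6 octets."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return digits if len(digits) == 12 else None

def ha_group_id(mac):
    """Return the HA group ID encoded in the fifth octet, or None if the
    address does not match 00-09-0f-09-<group-id_hex>-<xx>."""
    digits = normalize(mac)
    if digits is None or not digits.startswith(HA_VMAC_PREFIX):
        return None
    return int(digits[8:10], 16)

def audit_segment(neighbors, own_ips):
    """neighbors: (ip, mac) pairs seen on the WAN segment (e.g. an ARP table).
    own_ips: addresses that belong to our own cluster.
    Returns (conflicts, used_group_ids, free_group_ids)."""
    own_macs = {normalize(mac) for ip, mac in neighbors if ip in own_ips}
    conflicts, used = [], set()
    for ip, mac in neighbors:
        gid = ha_group_id(mac)
        if gid is None:
            continue  # not an HA virtual MAC
        used.add(gid)
        # Same virtual MAC answered by an address that is not ours: an L2 clash.
        if ip not in own_ips and normalize(mac) in own_macs:
            conflicts.append((ip, mac, gid))
    free = [g for g in range(256) if g not in used]
    return conflicts, sorted(used), free

# Constructed sample neighbor table (documentation address range).
SAMPLE_NEIGHBORS = [
    ("198.51.100.1", "02:00:5e:10:00:01"),   # gateway, not an HA virtual MAC
    ("198.51.100.10", "00:09:0f:09:00:00"),  # our cluster, default group ID 0
    ("198.51.100.77", "00-09-0F-09-00-00"),  # another cluster, same group ID
    ("198.51.100.90", "0009.0f09.0700"),     # another cluster, group ID 7
]

if __name__ == "__main__":
    conflicts, used, free = audit_segment(SAMPLE_NEIGHBORS, {"198.51.100.10"})
    for ip, mac, gid in conflicts:
        print(f"{ip} also uses {mac} (group ID {gid})")
    print("group IDs in use:", used, "first unused:", free[0])
```
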