cgustave
Staff
Article Id 190706

Description

EMC Celerra systems have an option called 'IP reflect' that bypasses their routing table and ARP table (it may be activated by default).

When this option is enabled, the EMC Celerra server responds to a query by reversing the source MAC and destination MAC addresses of the query packet.

For example, if the query packet reaches the server with source MAC 'src_mac' and destination MAC 'dst_mac', the server sends the response packet with source MAC 'dst_mac' and destination MAC 'src_mac'.

This EMC Celerra feature is not compatible with the FortiGate HA clustering protocol, which requires the server to use, as the FortiGate MAC address, the FortiGate cluster virtual MAC address that the FortiGate advertises in its ARP responses.

In HA, it is expected that a FortiGate may source its packets using its NIC MAC address (and not always the virtual MAC address). However, the FortiGate expects the response to be addressed to its HA virtual MAC. This is the reason why the EMC Celerra 'IP reflect' feature is not compatible with a FortiGate HA cluster.

A similar feature may be present on products from other vendors (for example, NetCache), which would therefore experience the same incompatibility.
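
To confirm this behaviour from a packet capture taken on the server's segment, the following added example (not Fortinet or EMC code) flags frames that the server sends to a MAC address it only saw as a Layer 2 source and that was never advertised in ARP. All MAC addresses, the IP address and the frames are constructed sample values, and the function names are hypothetical.

```python
import struct

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800

def _mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))

def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def eth_frame(dst, src, ethertype, payload=b""):
    """Build a minimal Ethernet II frame (constructed test input)."""
    return _mac_bytes(dst) + _mac_bytes(src) + struct.pack("!H", ethertype) + payload

def arp_reply(sender_mac, sender_ip):
    # ARP reply body; target fields are zeroed because only the sender is read.
    ip = bytes(int(o) for o in sender_ip.split("."))
    return (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 2)
            + _mac_bytes(sender_mac) + ip + bytes(6) + bytes(4))

def find_reflected(frames, server_mac):
    """Return (index, dst_mac) for server frames sent to a MAC that was
    seen as an L2 source toward the server but never as an ARP sender."""
    advertised, seen_src, hits = set(), set(), []
    for i, f in enumerate(frames):
        if len(f) < 14:
            continue  # truncated frame, no full Ethernet header
        dst, src = _mac_str(f[0:6]), _mac_str(f[6:12])
        (etype,) = struct.unpack("!H", f[12:14])
        if etype == ETH_ARP and len(f) >= 14 + 28:
            advertised.add(_mac_str(f[22:28]))  # ARP sender hardware address
        if dst == server_mac:
            seen_src.add(src)
        if src == server_mac and etype == ETH_IPV4:
            if dst in seen_src and dst not in advertised:
                hits.append((i, dst))
    return hits

VMAC = "02:00:00:00:0a:01"  # constructed: cluster virtual MAC (advertised in ARP)
NIC = "02:00:00:00:0b:02"   # constructed: physical NIC MAC of a cluster member
SRV = "02:00:00:00:0c:03"   # constructed: server MAC

SAMPLE = [
    eth_frame(SRV, VMAC, ETH_ARP, arp_reply(VMAC, "192.0.2.1")),  # ARP advertises VMAC
    eth_frame(SRV, NIC, ETH_IPV4),   # query sourced from the NIC MAC
    eth_frame(NIC, SRV, ETH_IPV4),   # response with MACs reversed (reflect)
    eth_frame(VMAC, SRV, ETH_IPV4),  # response sent to the ARP-learned MAC
]
```

The check is a heuristic: a host whose ARP exchange is missing from the capture would also be flagged, so start the capture before the server learns its neighbours.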


Scope

Solution

The IP Reflect feature should be disabled on the EMC Celerra server.
