FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
caunon
Staff
Article Id 189577

Description


This article describes how to fix a conflict HA virtual MAC address issue when there is more than one HA cluster in the system and how to configure and use more than one HA cluster in the same network environment.


Solution


When more than one HA cluster operates in the same network, a FortiGate may fail to join the expected HA cluster, or two clusters may end up using the same HA virtual MAC addresses. Either case produces a MAC address conflict on the network.

 

Note:

For several reasons, operating multiple HA clusters under the same Security Fabric also requires unique HA group-ids, even when the clusters do not reside on the same network.


Example: 
There are FortiGates A, B, C, and D.
FortiGate A and B joined as HA1 (A is Active)
FortiGate C and D joined as HA2 (C is Active)
The problem is that units A and C, which belong to different HA groups, have the same virtual MAC address.
To fix this issue, give HA1 and HA2 different group IDs using the following CLI commands.

 

Note:

Start with the passive units (B and D). Changing the group-id causes the cluster to disconnect, so the connection to these units is lost until the group-id is also changed on the active units A and C.

 

At HA1 FortiGate (repeat for HA2, and use a different value):

 

config system ha
    set group-id XX          <----- (XX is an integer value from 0-255).
end

 

At HA1 FortiGate with VDOM setting (repeat for HA2, and use a different value):

 

config global
    config system ha
        set group-id XX          <----- (XX is an integer value from 0-255).
    end
end

 

For example:

 

HA1’s group-id = 10
HA2’s group-id = 20
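The following pre-change check, added here as an example and not part of the Fortinet article or product, models the scenario above: it flags clusters that share a group-id, derives the group-id byte of the virtual MAC (the 00:09:0f:09:<group-id> layout is an assumption to confirm on the unit), and orders the CLI changes passive units first, then active units. The cluster inventory is constructed.

```python
from collections import defaultdict

# Constructed inventory matching the article's scenario: both clusters still
# use the same group-id, so active units A and C derive the same virtual MAC.
CLUSTERS = {
    "HA1": {"active": "FortiGate-A", "passive": "FortiGate-B", "group_id": 0},
    "HA2": {"active": "FortiGate-C", "passive": "FortiGate-D", "group_id": 0},
}


def validate_group_id(group_id):
    """group-id is an integer 0-255 (the range given in the CLI note)."""
    if not isinstance(group_id, int) or not 0 <= group_id <= 255:
        raise ValueError(f"group-id {group_id!r} is outside 0-255")
    return group_id


def find_group_id_conflicts(clusters):
    """Return {group_id: [cluster names]} for each group-id shared by two or more clusters."""
    by_id = defaultdict(list)
    for name, cluster in clusters.items():
        by_id[validate_group_id(cluster["group_id"])].append(name)
    return {gid: names for gid, names in by_id.items() if len(names) > 1}


def virtual_mac_prefix(group_id):
    """Assumed HA virtual MAC layout 00:09:0f:09:<group-id>:<vcluster/port index>;
    only the group-id byte is modelled. Confirm the real address on the unit with
    'diagnose hardware deviceinfo nic <port>' (Current_HWaddr)."""
    return f"00:09:0f:09:{validate_group_id(group_id):02x}"


def render_ha_config(group_id, vdom_enabled=False):
    """The CLI from the article, wrapped in 'config global' when VDOMs are enabled."""
    body = ["config system ha", f"    set group-id {validate_group_id(group_id)}", "end"]
    return "\n".join(["config global", *body, "end"] if vdom_enabled else body)


def change_plan(clusters, new_ids, vdom_enabled=False):
    """Ordered (unit, cli) steps: every passive unit first, then the active units,
    because changing group-id splits a cluster until both members match again."""
    if find_group_id_conflicts({n: {"group_id": g} for n, g in new_ids.items()}):
        raise ValueError("new group-ids are not unique across clusters")
    steps = []
    for role in ("passive", "active"):
        for name, cluster in clusters.items():
            steps.append((cluster[role], render_ha_config(new_ids[name], vdom_enabled)))
    return steps
```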