Appendix I: Troubleshooting HA connectivity

FortiDDoS HA depends on the delivery of Layer 2 multicast frames to the HA partner. To confirm that these heartbeat frames arrive reliably end to end:

  1. Set up HA on both devices.

  2. If the HA pair does not join (the HA panel on the Primary Dashboard does NOT look like this):

    Take the next steps to confirm HA packets are passing end-to-end:

  3. On the Primary, set up a packet capture (Network > Packet Capture):

    Note: select Tx only.

    Enter this in the filter field: ether host 01:00:5e:00:00:01

    01:00:5e:00:00:01 is a multicast MAC address, so every device on the same Layer 2 segment (the “LAN”) sees these frames.

  4. Save and start the capture on the Primary, using the Play icon on the right side of the GUI.

  5. Create a Packet Capture filter on the Secondary system:

    Note: select Rx only.

    Enter the same multicast MAC address in the filter field: ether host 01:00:5e:00:00:01

  6. Save and start the capture on the Secondary, using the Play icon on the right side of the GUI.

  7. Return to the Primary. A capture file should be ready to download via the download icon on the right side of the GUI. If no file was produced, the Primary is not transmitting heartbeat frames; contact Fortinet.

  8. If the file is there, download and open the file in Wireshark. It should look like this:

    Note the timestamps. This sample shows 1 packet every 200 ms (5 pps), which matches the default value of “2” in the System > High Availability configuration field Detection Interval, whose unit is 100 ms. If you have changed the interval from the default, the spacing of the timestamps should match your entry.

    Ignore the IP addresses. The port number should be 6065 for HA heartbeats.

  9. In the hex decode panel you will see some system information: the release (6.5.1 in the sample) and the serial number of the Primary system sending the packets (FI1K4FTE20000005 in the sample):

  10. Return to the Secondary and check whether a capture file is available to download.

    a. If there is no file ready to download, the HA multicast frames are not reaching the Secondary system. Troubleshoot across the network to find what is blocking Layer 2 multicast MAC transmission from FortiDDoS to FortiDDoS.

      DO NOT be confused by the Layer 3 multicast IP address shown in the pcap (MAC 01:00:5e:00:00:01 is the standard Ethernet mapping of the IPv4 multicast address 224.0.0.1, so the decoder displays a multicast IP destination). FortiDDoS does not support Layer 3 multicast and does not send IGMP join messages. It uses Layer 2 MAC multicast only, so the network must forward these frames without any IGMP snooping or multicast routing configuration.

    b. If there is a file, download it and open it in Wireshark. It should be identical to the Primary's Tx capture above, since the Secondary is listening for the same multicast frames.

  11. Note the timestamps again. Each should be about 200 ms apart (or your configured interval). If any are missing, something in the path may be dropping or rate-limiting multicast MAC frames.

  12. To be sure, you can also reverse the process, creating a new Packet Capture for Rx multicast MAC packets on the Primary and a Tx Packet Capture on the Secondary. The Secondary Serial Number should show in these captures and the timestamps should be 200ms apart or whatever your interval setting is.

  13. If you need support for this, contact FortiCare.
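The three checks above (destination MAC, port 6065, and regular spacing matching the Detection Interval) can be applied to a downloaded capture file without opening it in Wireshark. The script below is an added example, not Fortinet code or part of the original page. Only the multicast MAC, the port number and the 100 ms interval unit come from the procedure; everything else is assumed: that the heartbeat is UDP over IPv4 to 224.0.0.1, that the payload carries the release and serial number as plain ASCII, that the serial number has the shape of the sample value FI1K4FTE20000005, and the constructed capture it builds for the demonstration (five heartbeats with the one at 0.6 s dropped).

```python
"""Offline check of a FortiDDoS HA heartbeat pcap (added example, not Fortinet code).

Assumed, not from the page: UDP/IPv4 to 224.0.0.1, ASCII payload, serial shape.
"""
import re
import struct

HA_MULTICAST_MAC = bytes.fromhex("01005e000001")   # "ether host 01:00:5e:00:00:01"
HA_HEARTBEAT_PORT = 6065                           # port seen on HA heartbeats
DETECTION_INTERVAL_UNIT_MS = 100                   # Detection Interval "2" => 200 ms
SERIAL_RE = re.compile(rb"FI[0-9A-Z]{14}")         # assumption based on the sample serial
RELEASE_RE = re.compile(rb"\d+\.\d+\.\d+")


def _ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_heartbeat_frame(src_mac: bytes, serial: bytes, release: bytes,
                          dst_mac: bytes = HA_MULTICAST_MAC) -> bytes:
    """Constructed heartbeat: Ethernet/IPv4/UDP with an assumed ASCII payload."""
    payload = b"FortiDDoS-HA release=" + release + b" serial=" + serial
    udp = struct.pack("!HHHH", HA_HEARTBEAT_PORT, HA_HEARTBEAT_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 1, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([224, 0, 0, 1]))   # assumed addresses
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + udp


def build_pcap(timestamps_s, frames) -> bytes:
    """Wrap frames in a classic little-endian pcap (LINKTYPE_ETHERNET)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in zip(timestamps_s, frames):
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) from a classic pcap, either endianness."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield sec + usec / 1_000_000, data[pos:pos + incl]
        pos += incl


def check_heartbeats(data: bytes, detection_interval: int = 2, tolerance: float = 0.5) -> dict:
    """Destination MAC, port 6065 and spacing checks from the procedure.

    A gap is recorded when consecutive heartbeats are more than
    (1 + tolerance) * detection_interval * 100 ms apart, i.e. a heartbeat was lost.
    """
    expected_ms = detection_interval * DETECTION_INTERVAL_UNIT_MS
    res = {"frames": 0, "heartbeats": 0, "wrong_mac": 0, "wrong_port": 0,
           "gaps": [], "serials": set(), "releases": set()}
    prev = None
    for ts, frame in parse_pcap(data):
        res["frames"] += 1
        if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4, not a heartbeat
        if frame[:6] != HA_MULTICAST_MAC:
            res["wrong_mac"] += 1                     # would not match the GUI filter
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:                       # not UDP
            continue
        udp = frame[14 + ihl:]
        _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
        if dport != HA_HEARTBEAT_PORT:
            res["wrong_port"] += 1
            continue
        payload = udp[8:ulen]
        res["heartbeats"] += 1
        res["serials"].update(m.decode() for m in SERIAL_RE.findall(payload))
        res["releases"].update(m.decode() for m in RELEASE_RE.findall(payload))
        if prev is not None:
            delta_ms = (ts - prev) * 1000
            if delta_ms > expected_ms * (1 + tolerance):
                res["gaps"].append((res["heartbeats"] - 1, round(delta_ms)))
        prev = ts
    return res


def demo() -> dict:
    """Constructed Primary Tx capture: 200 ms spacing, heartbeat at t=0.6 s missing."""
    frame = build_heartbeat_frame(bytes.fromhex("000000000001"), b"FI1K4FTE20000005", b"6.5.1")
    times = [0.0, 0.2, 0.4, 0.8, 1.0]
    return check_heartbeats(build_pcap(times, [frame] * len(times)))


if __name__ == "__main__":
    print(demo())
```

To run it against a real download, replace demo() with check_heartbeats(open("capture.pcap", "rb").read(), detection_interval=N) using your configured Detection Interval value; a non-empty gaps list points at the same multicast-forwarding problem the timestamp inspection in step 11 looks for, and an empty serials set only means the assumed ASCII payload layout does not match, not that the heartbeats are bad.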
