Traffic Loss When Standby WatchGuard FireboxV Is Powered On in NSX-T Environment

Article ID: 414703

Products

VMware NSX

Issue/Introduction

  • In an NSX-T environment, customers running virtual WatchGuard firewalls (FireboxV) in an Active-Standby FireCluster configuration may experience WAN traffic loss when the standby firewall is powered on.
  • The FireCluster operates as expected after initial deployment and during manual failover (for example, when the active node is gracefully shut down and the standby takes over). However, when the node that was shut down is powered back on and rejoins as the standby, external (WAN) connectivity fails while internal communication continues to work normally.
  • A packet capture shows that return traffic from the Tier-0 gateway is forwarded to the standby firewall VM, which drops it.

Environment

VMware NSX

Cause

When the WatchGuard VM overwrites the MAC address of its ethX interface with the cluster virtual MAC (vMAC), the active and standby firewalls present the same MAC address on their vNICs.

The ESXi host reports this vNIC MAC to the NSX Central Control Plane (CCP), which distributes it to all Transport Nodes, including the Tier-0 Edge nodes. The Edge installs a MAC received from the control plane as a static entry, so data-plane traffic from the VMs (for example ARP or GARP) cannot update its MAC-to-VTEP mapping.

Because both firewalls report the same vMAC, the Edge holds a single static vMAC-to-VTEP entry, taken from whichever host reported last. When the standby VM is powered on after a failover, its host is the most recent reporter, so return traffic is forwarded to the standby node's VTEP and dropped there, and the GARP sent by the active node cannot correct the entry.

Resolution

Do not overwrite the ethX interface MAC address with the vMAC.
Each WatchGuard VM (active and standby) should keep its unique VMware-assigned vNIC MAC address.

This configuration ensures that:

  • Each firewall keeps a distinct vNIC MAC, so the control plane never installs conflicting static entries for the same MAC on the Transport Nodes.
  • The vMAC that carries the cluster's traffic is only ever learned from the data plane, so NSX Transport Nodes update the vMAC-to-VTEP mapping from GARP when the active role moves during a failover.

If the MAC change cannot be avoided because of a product limitation, Broadcom currently has no workaround for this behavior.

Additional Information

This behavior does not occur with FortiGate VMs in similar Active-Standby configurations, as FortiGate does not overwrite the vNIC MAC address with the vMAC.