When employing ClusterXL HA, the "use VMAC" option is unchecked by default and my opinion is that it should be left that way if possible. Failovers will utilize the Gratuitous ARP mechanism when the VMAC box is unchecked, and that will usually work just fine in most networks. However, if "slow" or incomplete failovers for all NAT addresses are encountered, VMAC can be enabled but it may honk off the switching infrastructure (and STP) in various ways as described above. At a minimum, make sure portfast is configured on the firewall's switchports if you plan to enable VMAC...