Technical Tip: Best practice HA monitored interface configuration for LACP interface that is used for multicast traffic.

This article will serve as a guide on how to configure the LACP interface on HA-monitored interfaces when LACP is used for multicast traffic.

Below shows the interfaces that are part of the  LACP configuration.

FGTA-MCAST # diag netlink aggregate name LACPMcastServer

status: up

npu: n

flush: n

asic helper: y

ports: 2

link-up-delay: 50ms

min-links: 1

ha: master

distribution algorithm: L4

LACP mode: static

slave: port3

  index: 0

  link status: up

  link failure count: 0

  permanent MAC addr: 00:0c:29:09:75:6f

slave: port4

  index: 1

  link status: up

  link failure count: 0

  permanent MAC addr: 00:0c:29:09:75:79

• On HA configuration, instead of placing the LACP interface, the individual interfaces that are members of the LACP.

FGTA-MCAST (ha) # show

config system ha

    set group-name "FGT_Multicast"

    set mode a-p

    set password ENC 

    set hbdev "port5" 0

    set ha-mgmt-status enable

        config ha-mgmt-interfaces

            edit 1

                set interface "port1"

                set gateway 100.100.100.2

            next

        end

    set override enable

    set priority 200

    set monitor "port2" "port3" "port4"

end

• With this configuration, if failover is triggered from Primary to Secondary FortiGate, the multicast traffic will establish without any delay.

get system ha status

HA Health Status: OK

Model: FortiGate-VM64

Mode: HA A-P

Group: 0

Debug: 0

Cluster Uptime: 0 days 0:30:17

Cluster state change time: 2022-06-17 21:32:28

Primary selected using:<2022/06/17 21:32:28> FGVM04TM22004042 is selected as the primary because it has the largest value of override priority.

• Screenshot of the Multicast traffic when a failover was done.

Note: If the LACP interface itself is used on the HA-monitored interfaces, HA monitoring will be delayed when detecting the LACP interface, and this can cause delays in establishing LACP traffic during a FortiGate HA failover.

Note 2: In this example, HA is monitoring the physical member ports (port2/port3/port4) instead of the LACP aggregate. This provides faster detection of link issues, but with 'min-links=1', it also means that the loss of a single member can already trigger an HA failover even though the aggregate is still operational.

Note 3: The aggregate interface on both units will only be shown as up if the downstream switch supports Multiple Link Aggregation (MCLAG) grouping. If the downstream switch does not support MCLAG configuration or HA has been configured with 'set lacp-ha-secondary disable', only the LACP interface on the Primary unit will be shown as up.

The example output is as follows:

FGT02 # get system ha status
HA Health Status:
WARNING: FG7H0GTB25000130 has mondev down;
Model: FortiGate-700G
Mode: HA A-P
Group Name: Internal_Test_HA
Group ID: 0
Debug: 0
Cluster Uptime: 249 days 14h:29m:33s
Cluster state change time: 2026-01-21 07:38:41
Primary selected using:
<2026/01/21 07:30:15> vcluster-1: FG7H0GTB25000093 is selected as the primary because the value of link-failure + pingsvr-failure is less than peer member FG7H0GTB25000130.
<2026/01/21 07:21:41> vcluster-1: FG7H0GTB25000093 is selected as the primary because it's the only member in the cluster.
<2026/01/21 07:20:50> vcluster-1: FG7H0GTB25000093 is selected as the primary because UPGRADE_SECONDARY flag is set on peer member FG7H0GTB25000130.
<2026/01/21 07:15:08> vcluster-1: FG7H0GTB25000130 is selected as the primary because UPGRADE_PRIMARY flag is unset on peer member FG7H0GTB25000093.
ses_pickup: enable, ses_pickup_delay=disable
override: enable
Configuration Status:
FG7H0GTB25000093(updated 2 seconds ago): in-sync
FG7H0GTB25000093 chksum dump: ea 97 9d 48 fe 7c 1e de 74 70 f5 45 e9 73 f5 41
FG7H0GTB25000130(updated 0 seconds ago): in-sync
FG7H0GTB25000130 chksum dump: ea 97 9d 48 fe 7c 1e de 74 70 f5 45 e9 73 f5 41
System Usage stats:
FG7H0GTB25000093(updated 2 seconds ago):
sessions=16852, average-cpu-user/nice/system/idle=2%/0%/0%/97%, memory=31%
FG7H0GTB25000130(updated 0 seconds ago):
sessions=6580, average-cpu-user/nice/system/idle=0%/0%/0%/100%, memory=29%
HBDEV stats:
FG7H0GTB25000093(updated 2 seconds ago):
port16: physical/1000auto, up, rx-bytes/packets/dropped/errors=259709191/762656/0/0, tx=4026776912/3663672/0/0
FG7H0GTB25000130(updated 0 seconds ago):
port16: physical/1000auto, up, rx-bytes/packets/dropped/errors=4026269720/3660675/0/0, tx=257366520/759304/0/0
MONDEV stats:
FG7H0GTB25000093(updated 2 seconds ago):
LAN: aggregate/00, up, rx-bytes/packets/dropped/errors=121031237013/158918232/0/0, tx=178325714066/183507039/0/0
port9: physical/1000auto, up, rx-bytes/packets/dropped/errors=111081054405/110361934/0/0, tx=109835843246/161131807/0/0
port12: physical/1000auto, up, rx-bytes/packets/dropped/errors=26855123347/24222228/0/0, tx=7924589044/12522561/0/0
FG7H0GTB25000130(updated 0 seconds ago):
LAN: aggregate/00, down, rx-bytes/packets/dropped/errors=385152/3009/0/0, tx=352896/2757/0/0
port9: physical/1000auto, up, rx-bytes/packets/dropped/errors=2469704/33443/0/0, tx=0/0/0/0
port12: physical/1000auto, up, rx-bytes/packets/dropped/errors=2098590/27368/0/0, tx=0/0/0/0
number of member: 2
FGT02 , FG7H0GTB25000093, HA cluster index = 1
FGT01 , FG7H0GTB25000130, HA cluster index = 0
number of vcluster: 1
vcluster 1: work 169.254.0.2
Primary: FG7H0GTB25000093, HA operating index = 0
Secondary: FG7H0GTB25000130, HA operating index = 1

Related documents:

Aggregation and redundancy
Technical Tip: Aggregate link configuration topologies in a High Availability cluster  

Technical Tip: LACP behavior in an HA cluster