To understand the structure of fragmented packets and the current LACP logic that processes them:

- Understand the structure of fragmented packets:
  - The first fragment contains both the IP header and the transport-layer header (TCP/UDP/ICMP).
  - Subsequent fragments contain only the IP header and a portion of the payload.

- Current FortiOS LACP processing of fragmented packets: in the L4 hashing algorithm, if an IPv4 packet is a fragment (its MF (More Fragments) flag is set or its fragment OFFSET is non-zero), the hash falls back to L3 hashing, which is based entirely on the source IP address and destination IP address. Therefore, all IP fragments of the same IP packet egress on the same port.

- Test which distribution port the software Link Aggregation Group (LAG) selects by running:

  diagnose netlink aggregate port lag1 src-ip 10.33.46.130 dst-ip 10.3.77.220 proto 17 src-port 64123 dst-port 5060 frag flag    <-- L3+L4 headers and the MF (More Fragments) flag.
  diagnose netlink aggregate port lag1 src-ip 10.33.46.130 dst-ip 10.3.77.220 frag offset    <-- L3 headers and a fragment OFFSET.

The processing logic differs per platform:

- NP6 platform: with the default configuration, no additional hash is executed on the NP layer; the NP follows the software logic decision. The additional hash logic on the NP is controlled by the following setting:

  FG1 (global) # config system npu
  FG1 (npu) # set lag-out-port-select enable
  FG1 (npu) # end
  All LAG algorithm will be changed to hiding npu. The configuration will take effect after system reboot. Do you want to continue? (y/n)y

  lag-out-port-select disable (default): follow the software logic decision. enable: execute the additional hash logic on the NP.

- NP7 platform: an additional hash (CRC16) is executed on the NP, and it does not follow the software logic decision. A LAG with L4 hashing therefore uses different ports for one datagram (first fragment: port A, other fragments: port B).

- Chassis platform: the IP Identification field of the IP header is used to send all fragments of a packet to a single port on the LAG; this requires additional configuration.

To resolve the issue of fragmented packets being sent over different member interfaces in a FortiGate LACP environment, follow these steps:

- Understand the issue. By default, FortiGate takes fragmented packets into account so that they use the same port on the LACP aggregate. However, for fragmented packets the L4 hashing algorithm applies only to the first fragment, while subsequent fragments are hashed on the IP addresses only, which can cause out-of-order delivery. This issue was reported on NP7-based FortiGate models.

- Identify the FortiGate version in use. The issue of fragmented packets being sent over different member interfaces was fixed in FortiGate versions 7.4.5 and 7.6.0. If the FortiGate version is earlier than these, consider upgrading to a newer version. This improvement has not been applied to NP7Lite.
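As an added illustration (not FortiOS code, and not the actual FortiOS software hash or the NP6/NP7 hardware hash), the following Python model fragments a UDP datagram using the page's example addresses and ports, then compares the software logic above, which hashes every fragment on L3 only, against a hash that uses L4 ports whenever a fragment carries them. The CRC32 hash, the member count and the payload size are assumed placeholders.

```python
# Added illustrative model, not FortiOS code. CRC32 over the field tuple is a
# placeholder hash and does not reproduce the FortiOS software hash or the
# NP6/NP7 hardware (CRC16) hash; only the fragment fallback policy is modelled.
import zlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Frag:
    src_ip: str
    dst_ip: str
    proto: int
    mf: bool                        # More Fragments flag
    offset: int                     # fragment offset in 8-byte units, 0 = first
    src_port: Optional[int] = None  # L4 header is present in the first fragment only
    dst_port: Optional[int] = None

def fragment(src_ip, dst_ip, proto, sport, dport, payload_len, mtu=1500):
    """Split one datagram into IPv4 fragments (20-byte IP header assumed)."""
    per_frag = (mtu - 20) // 8 * 8   # non-final fragment data is a multiple of 8 bytes
    frags, off = [], 0
    while off < payload_len:
        first, last = off == 0, off + per_frag >= payload_len
        frags.append(Frag(src_ip, dst_ip, proto, mf=not last, offset=off // 8,
                          src_port=sport if first else None,
                          dst_port=dport if first else None))
        off += per_frag
    return frags

def is_fragment(f: Frag) -> bool:
    return f.mf or f.offset != 0

def _h(*fields) -> int:
    return zlib.crc32(repr(fields).encode())

def software_l4_hash(f: Frag, n_ports: int) -> int:
    """Software logic described above: any fragment falls back to L3 (IPs only)."""
    if is_fragment(f):
        return _h(f.src_ip, f.dst_ip) % n_ports
    return _h(f.src_ip, f.dst_ip, f.proto, f.src_port, f.dst_port) % n_ports

def l4_when_present_hash(f: Frag, n_ports: int) -> int:
    """Hash that uses L4 ports whenever the fragment carries them (first one only)."""
    if f.src_port is None:
        return _h(f.src_ip, f.dst_ip) % n_ports
    return _h(f.src_ip, f.dst_ip, f.proto, f.src_port, f.dst_port) % n_ports

def egress_ports(select, frags, n_ports=4):
    """Set of LAG member indexes the datagram's fragments would be sent on."""
    return {select(f, n_ports) for f in frags}
```

Running `egress_ports(software_l4_hash, fragment("10.33.46.130", "10.3.77.220", 17, 64123, 5060, 4000))` always yields a single member, while `egress_ports(l4_when_present_hash, ...)` on the same fragments can yield two.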