upatel
Staff
May 14, 2026

Troubleshooting Tip: LACP issue between FortiGate and Cisco Switch


Description

This article describes the troubleshooting steps for a FortiGate LAG interface that is down when connected to a Cisco switch. The LAG interface may go down intermittently while the physical ports remain up on both the FortiGate and the Cisco switch.

Scope

FortiGate.

Solution

To troubleshoot the issue, follow these steps:


  1. Verify the LACP mode on both the FortiGate and the Cisco switch. Ensure that the LACP mode is set to active on both devices.


config system interface
    edit <aggregate_port>
        set lacp-mode active
    next
end


  2. Verify the aggregate interface status to check the Actor/Partner states with the command 'diagnose netlink aggregate name <aggregate_port>'.

  3. Run the command 'diagnose sniffer packet <leg interface> "ether proto 0X8809" 4 0 a' on the FortiGate to capture LACP packets.

  4. Verify the output of the command to ensure that the FortiGate is sending and receiving LACP packets.


vpn1 (VPN) # diagnose sniffer packet any "ether proto 0X8809" 4 0 a
interfaces=[any]
filters=[ether proto 0X8809]
2026-04-15 15:41:56.527039 port19 in 802.3ad LACPDU (32768,4C-BC-48-98-41-00,0125,32768,0290) ASAIEE (0000,00-00-00-00-00-00,0000,0000,0000) PSIODD


In every incoming packet (e.g., port19 in), the Partner Information field is all zeroes: (0000,00-00-00-00-00-00,0000,0000,0000). This means the switch is receiving the FortiGate's packets but is failing to process them. It does not recognize the FortiGate as its partner.


The switch is sending the PSIODD flag.

  • P (Passive): The switch is waiting for the other side to talk.

  • S (Short Timeout): The switch wants fast heartbeats, whereas the FortiGate is set to slow (via 'set lacp-speed slow').

  • I (Individual): The switch has orphaned these ports. It is not trying to bundle them into an aggregate.

  • D/D (Discarding): The switch is blocking all traffic on these ports because the LACP handshake has not finished.

2026-04-15 15:41:56.690619 port19 out 802.3ad LACPDU (65535,B4-B2-E9-03-BA-C8,0017,0255,0001) ASAIDD (32768,4C-BC-48-98-41-00,0125,32768,0290) ASAOEE


  • FortiGate is Ready (ASAIDD): FortiGate is sending ASAIDD. It is Active, Short Timeout, and Aggregatable, but it is Discarding because the switch is telling it that it cannot be identified (the zeros).
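
The partner-field comparison described above can be scripted when a capture covers many ports or packets. The following is an added example, not part of the original article or any Fortinet tooling; the function names are assumptions, and the sample input is the two port19 lines from the capture above.

```python
import re

# Sniffer line layout seen in the capture above:
# <time> <port> <in|out> 802.3ad LACPDU (actor info) STATE (partner info) STATE
LACPDU_RE = re.compile(
    r"(?P<port>\S+)\s+(?P<dir>in|out)\s+802\.3ad LACPDU\s+"
    r"\((?P<actor>[^)]*)\)\s+(?P<actor_state>[A-Z]{6})\s+"
    r"\((?P<partner>[^)]*)\)\s+(?P<partner_state>[A-Z]{6})"
)
ZERO_MAC = "00-00-00-00-00-00"  # partner system ID when no partner is recorded


def parse_lacpdus(text):
    """Return one dict per LACPDU line found in the sniffer output."""
    return [m.groupdict() for m in LACPDU_RE.finditer(text)]


def check_port(pdus, port):
    """List handshake problems for one member port (empty list = none found)."""
    last = {}
    for pdu in pdus:
        if pdu["port"] == port:
            last[pdu["dir"]] = pdu  # keep the newest LACPDU per direction
    rx, tx = last.get("in"), last.get("out")
    findings = []
    if rx is None:
        findings.append("no LACPDU received from the switch")
    elif ZERO_MAC in rx["partner"]:
        findings.append("switch has no partner recorded (all-zero partner info)")
    elif tx and rx["partner"] != tx["actor"]:
        findings.append("switch partner info does not match FortiGate actor info")
    if tx is None:
        findings.append("no LACPDU sent by the FortiGate")
    elif rx and tx["partner"] != rx["actor"]:
        findings.append("FortiGate partner info does not match switch actor info")
    return findings


# The two port19 lines from the capture in this article.
SAMPLE = """\
2026-04-15 15:41:56.527039 port19 in 802.3ad LACPDU (32768,4C-BC-48-98-41-00,0125,32768,0290) ASAIEE (0000,00-00-00-00-00-00,0000,0000,0000) PSIODD
2026-04-15 15:41:56.690619 port19 out 802.3ad LACPDU (65535,B4-B2-E9-03-BA-C8,0017,0255,0001) ASAIDD (32768,4C-BC-48-98-41-00,0125,32768,0290) ASAOEE
"""

if __name__ == "__main__":
    for finding in check_port(parse_lacpdus(SAMPLE), "port19"):
        print("port19:", finding)
```

The state strings are captured as-is and not interpreted; only the actor and partner tuples are compared across the two directions.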


Recommended fixes:

  • On the Switch: Ensure 'channel-group X mode active' is configured on both member ports.

  • On the Switch: Check for any 'lacp suspend-individual' settings or spanning-tree inconsistencies that might be keeping the ports in an 'Individual' state.

  • On the FortiGate: The configuration is currently 'set lacp-speed slow', but the switch is requesting Short Timeout (the S in ASAIEE). Change the FortiGate to match:

  5. If the issue persists, try disabling auto-negotiation on the FortiGate and the Cisco switch, and manually set the speed and duplex settings.