802.3ad Aggregation Link Is Up But Won't Respond

Question

Fortigate LACP Question.png

We have two WAN links from two different ISPs coming into our active/passive HA pair of FortiGate 300Es running v7.4.7 build2731 (Mature).

Currently there is no aggregation or load balancing in place. They are just two separate circuits, and one isn't really being utilized much day to day.

In an effort to improve that, I am working toward implementing SD-WAN on the FortiGates. To minimize downtime, I am setting up new links for the SD-WAN zone on unused ports.

We only have one port available from the ISP router at present, so have to run through a layer 2 switch in order to provide service to both FortiGates. The plan is to replace the single switch with a stacked pair to eliminate that switch as a single point of failure. While waiting for the stacked switches to be available, I've set things up as shown in the attached diagram so I can continue getting things prepared.

However, the 802.3ad agg link I created on the FortiGate doesn't seem to be working as it isn't pingable even from the layer 2 switch that is directly connected.

The config for the agg link on the FortiGate is:

config system interface
edit "LUMEN_ISP_AGG"
set vdom "root"
set ip 216.248.xxx.108 255.255.255.240
set allowaccess ping
set type aggregate
set member "port5" "port7"
set estimated-upstream-bandwidth 1000
set estimated-downstream-bandwidth 1000
set role wan
set snmp-index 82
set ip-managed-by-fortiipam disable
next
end

Running "diag netlink aggregate name LUMEN_ISP_AGG" on the FortiGate gives me the following.

HA1-300E (root) # diag netlink aggregate name LUMEN_ISP_AGG
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: up
npu: y
flush: n
asic helper: y
oid: 216
ports: 2
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 4
actor key: 17
actor MAC address: e8:1c:ba:e5:a2:fc
partner key: 2
partner MAC address: f0:25:72:fd:91:00

member: port5
index: 0
link status: up
link failure count: 0
permanent MAC addr: e8:1c:ba:e5:a2:fc
LACP state: established
LACPDUs RX/TX: 1838/1683
actor state: ASAIEE
actor port number/key/priority: 1 17 255
partner state: ASAIEE
partner port number/key/priority: 262 2 32768
partner system: 32768 f0:25:72:fd:91:00
aggregator ID: 4
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4

member: port7
index: 1
link status: up
link failure count: 0
permanent MAC addr: e8:1c:ba:e5:a2:fe
LACP state: established
LACPDUs RX/TX: 1840/1683
actor state: ASAIEE
actor port number/key/priority: 2 17 255
partner state: ASAIEE
partner port number/key/priority: 263 2 32768
partner system: 32768 f0:25:72:fd:91:00
aggregator ID: 4
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4

and running a packet sniff shows LACPDUs

HA1-300E (root) # diag sniffer packet LUMEN_ISP_AGG "ether proto 0x8809" 6 0 a
interfaces=[LUMEN_ISP_AGG]
filters=[ether proto 0x8809]
2025-04-15 16:56:33.989204 LUMEN_ISP_AGG -- 802.3ad LACPDU (32768,F0-25-72-FD-91-00,0002,32768,0263) ASAIEE (65535,E8-1C-BA-E5-A2-FC,0017,0255,0002) ASAIEE
0x0000 0180 c200 0002 f025 72fd 9106 8809 0101 .......%r.......
0x0010 0114 8000 f025 72fd 9100 0002 8000 0107 .....%r.........
0x0020 3d00 0000 0214 ffff e81c bae5 a2fc 0011 =...............
0x0030 00ff 0002 3d00 0000 0310 8000 0000 0000 ....=...........
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070 0000 0000 0000 0000 0000 0000 ............

2025-04-15 16:56:46.586739 LUMEN_ISP_AGG -- 802.3ad LACPDU (32768,F0-25-72-FD-91-00,0002,32768,0262) ASAIEE (65535,E8-1C-BA-E5-A2-FC,0017,0255,0001) ASAIEE
0x0000 0180 c200 0002 f025 72fd 9105 8809 0101 .......%r.......
0x0010 0114 8000 f025 72fd 9100 0002 8000 0106 .....%r.........
0x0020 3d00 0000 0214 ffff e81c bae5 a2fc 0011 =...............
0x0030 00ff 0001 3d00 0000 0310 8000 0000 0000 ....=...........
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070 0000 0000 0000 0000 0000 0000 ............

2025-04-15 16:57:01.750867 LUMEN_ISP_AGG -- 802.3ad LACPDU (32768,F0-25-72-FD-91-00,0002,32768,0263) ASAIEE (65535,E8-1C-BA-E5-A2-FC,0017,0255,0002) ASAIEE
0x0000 0180 c200 0002 f025 72fd 9106 8809 0101 .......%r.......
0x0010 0114 8000 f025 72fd 9100 0002 8000 0107 .....%r.........
0x0020 3d00 0000 0214 ffff e81c bae5 a2fc 0011 =...............
0x0030 00ff 0002 3d00 0000 0310 8000 0000 0000 ....=...........
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070 0000 0000 0000 0000 0000 0000 ............

but that's as far as I'm getting at this point.

Toshi_Esumi · Answer

You showed LAG/LACP is perfectly fine on the FGT side. Just make sure the Catalyst sees the same with "show lacp" commands.

I think the problem is Catalyst's switching to connect L2 between the FGT's LAG port to the Cisco 2901 port. Since you configured the IP on the LAG itself, it's untagged interface. Check both sides on the switch is on the same VLAN (likely VLAN1). Then hook up a laptop or something to another port and assign the same or another IP in the /28 subnet, then test toward both ends. Also you can set up a mirror port to sniff between two ends. But I don't think it's not necessary. Likely a simple misconfig at the switch.

Toshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded