cornmw
Visitor III
October 13, 2025
Solved

Best practice for LACP between Fortigate HA and Aruba VSX

  • October 13, 2025
  • 1 reply
  • 2907 views

Hi,

I am trying to connect a pair of Fortigates in HA A-P mode to two Aruba core switches and I am wondering what the best practice is.

The Aruba switches are working in VSX mode. Let's call them CS1 and CS2. The connections will be as follows:

CS1 port11 -> FG1 port 11

CS1 port21 -> FG2 port 11

CS2 port11 -> FG1 port 12

CS2 Port21 -> FG2 port 12

With VSX, when connecting switches I can just put all 4 links in one LACP lag and it works fine. For the interconnection between the Aruba switches and the Fortigate HA pair I am trying to find out which option is best:

1. Put all 4 links in one multi-chassis lag on the Aruba side and set lacp-ha-disable enable on the Fortigate side.

2. Create 2 lags on the Aruba side, one lag to FG1 and another lag to FG2.

What is the best practice here in terms of stability and failover time?

 

Thanks,

Best answer by AlexC-FTNT (Staff), October 13, 2025

Hi!
The recommendations are the same as for all other vendors:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Aggregate-link-configuration-topologies-in-a-High/ta-p/200980

1 LAG in switch and set lacp-ha-secondary disable -- will increase failover time (up to 4min)
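As an added example (not from the original post or from the linked Fortinet article), the following shows what option 2 from the question, one multi-chassis LAG per FortiGate on the VSX pair, looks like on both sides, using the cabling listed in the question. The AOS-CX interface names (1/1/11, 1/1/21), the LAG numbers (11 and 21), the VLAN list and the IP address are assumptions; the FortiGate port names come from the post. FortiOS 7.x syntax is used; on older releases the setting is called lacp-ha-slave.

```text
! ---- Aruba CX, VSX pair (CS1 and CS2) ----
! Option 2: one multi-chassis LAG per FortiGate. The same LAG number is
! configured on both VSX peers so that VSX treats it as one bundle.
! LAG 11 -> FG1 (CS1 1/1/11 + CS2 1/1/11), LAG 21 -> FG2 (CS1 1/1/21 + CS2 1/1/21)
! Interface numbers, LAG numbers and VLANs are assumptions for this example.

! Identical on CS1 and CS2:
interface lag 11 multi-chassis
    description to-FG1-port11-port12
    no shutdown
    vlan trunk native 1
    vlan trunk allowed 10,20
    lacp mode active
    ! 1 s LACPDUs: faster detection of a dead peer than the 30 s default
    lacp rate fast
interface lag 21 multi-chassis
    description to-FG2-port11-port12
    no shutdown
    vlan trunk native 1
    vlan trunk allowed 10,20
    lacp mode active
    lacp rate fast

! On CS1: port 11 -> FG1 port11, port 21 -> FG2 port11 (as in the question)
! On CS2: port 11 -> FG1 port12, port 21 -> FG2 port12 (same member config)
interface 1/1/11
    no shutdown
    lag 11
interface 1/1/21
    no shutdown
    lag 21

! Verify: both LAGs should be up, each with two members, one per VSX peer
! show vsx status
! show lacp aggregates
! show lacp interfaces

# ---- FortiGate (the config is synchronised to both HA members) ----
# Each unit negotiates LACP with its own switch LAG, so the LAG to the
# secondary unit is also up; on failover the new primary only has to take
# over the cluster virtual MAC and send gratuitous ARP, not renegotiate LACP.
config system interface
    edit "agg-core"
        set vdom "root"
        set type aggregate
        set member "port11" "port12"
        set lacp-mode active
        set lacp-speed fast
        # Default. Keep it enabled for option 2 so the secondary unit also
        # forms its LAG. Only option 1 (one switch LAG spanning FG1 and FG2)
        # needs 'set lacp-ha-secondary disable', the slow-failover case from
        # the answer above, because the new primary must then negotiate LACP
        # from scratch before it can forward.
        set lacp-ha-secondary enable
        # assumed address
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping
    next
end

# Verify on the primary: both members selected and in the bundle
# diagnose netlink aggregate name agg-core
# get system ha status
```

Keep the member ports and LAG settings identical on both VSX peers; a mismatch in VLAN or LACP settings between peers will stop the multi-chassis LAG from forming on one side and the FortiGate will see only one of its two links in the bundle.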

 

cornmw
cornmwAuthor
Visitor III
October 13, 2025

Thanks Alex. One thing I'd like to clarify: for the last scenario in the documentation it says "LACP will not form or only one port will be in agg". I tested it before and actually the 2 ports to the active FG1 are up and the other 2 ports to the passive FG2 are in "Blocked" state. set lacp-ha-secondary was in its default setting. I am just wondering if this behavior on the core switches can actually avoid increasing the failover time? I just want to find out why the switch behaves like this. In production I will use 2 separate lags.

AlexC-FTNT
Staff
Staff
October 14, 2025

I'm not sure what feature exactly puts the ports in blocked state, I would expect the STP to do that. In which case, to bring the ports up it would still take 50-60s to cycle through the STP states and bring the ports up (only if the other ports are down or FG rebooted or link failed signal enabled - otherwise they may still be elected root ports and network to remain without internet traffic).