Skip to main content
IsmaTIC
IsmaTIC
New Member
October 5, 2022
Question

Connectivity problem in scenario FGT200F HA(A-P) and Nexus 3548

  • October 5, 2022
  • 1 reply
  • 1554 views

Hello! I am not able to do a single ping to any of the VLANs on the trunk even when everything is up. need help.
The goal is to maintain a trunk to L2.
Each Fortigate has its own port-channel. LACP A-P.

 

Attached representative physical diagram.

IsmaTIC_0-1664967482480.png

Attached representative logic diagram; 1 Trunk for 5 vlans with a gw each.

IsmaTIC_4-1664970624345.png

 

 

Nexus config...

SWT01SWT02
interface Ethernet1/21
description FGT01-X1
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
channel-group 40 mode passive
no shutdown		interface Ethernet1/21
description FGT01-X2
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
channel-group 40 mode passive
no shutdown
interface Ethernet1/22
description FGT02-X1
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
channel-group 50 mode active
no shutdown		interface Ethernet1/22
description FGT02-X2
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
channel-group 50 mode active
no shutdown
interface port-channel40
speed 10000
description VPC Trunk to FGT01
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
vpc 40
interface port-channel40
speed 10000
description VPC Trunk to FGT01
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
vpc 40
interface port-channel50
speed 10000
description VPC Trunk to FGT02
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
vpc 50

interface port-channel50
speed 10000
description VPC Trunk to FGT02
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
vpc 50

 show port-channel summary

IsmaTIC_2-1664969563793.png

All UP (interfaces, portchannel,vPC)

show port-channel summary
IsmaTIC_1-1664969504013.png

All UP (interfaces, portchannel,vPC)

 

 

 

Fortigates

FGTAE_HA1 # show system interface LAN
config system interface
edit "LAN"
set vdom "root"
set allowaccess ping https http
set type aggregate
set member "x1" "x2"
set device-identification enable
set lldp-transmission enable
set monitor-bandwidth enable
set role lan
set snmp-index 39
next
end

FGTAE_HA1 # show system interface x1
config system interface
edit "x1"
set vdom "root"
set type physical
set snmp-index 11
next
end

FGTAE_HA1 # show system interface x2
config system interface
edit "x2"
set vdom "root"
set type physical
set snmp-index 12
next
end

 

Any ideas?

 

1 reply

jintrah_FTNT
Staff
jintrah_FTNT
Staff
October 5, 2022

hi,

Vlan interfaces on FortiGate 'LAN' interface is the gateway for the vlans? Ping is from which source to which destination? Could you post the output of #diag netlink aggregate name LAN from *both* FortiGates?

 

Best regards,

Jin

IsmaTIC
IsmaTICAuthor
New Member
October 5, 2022

LAN is the trunk that contains the gw of each vlan.

IsmaTIC_1-1664978743167.png

FGT to host (vlan100) > No ping

Host to FGT(100.252) > No ping

 

something more direct:

Nexus(99.190) to FGT(99.252) > No ping

FGT(99.252) to Nexus(99.190)> No ping

 

"diagnose netlink aggregate name LAN" the second is a passive slave

FGTAE_HA1 # diagnose netlink aggregate name LAN
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: up
npu: y
flush: n
asic helper: y
oid: 89
ports: 2
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 2
actor key: 33
actor MAC address: ac:71:2e:87:b8:1a
partner key: 32808
partner MAC address: 00:23:04:ee:be:01

member: x1
index: 0
link status: up
link failure count: 4
permanent MAC addr: ac:71:2e:87:b8:1a
LACP state: established
actor state: ASAIEE
actor port number/key/priority: 1 33 255
partner state: PSAIEE
partner port number/key/priority: 277 32808 32768
partner system: 8192 00:23:04:ee:be:01
aggregator ID: 2
speed/duplex: 10000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4

member: x2
index: 1
link status: up
link failure count: 1
permanent MAC addr: ac:71:2e:87:b8:1b
LACP state: established
actor state: ASAIEE
actor port number/key/priority: 2 33 255
partner state: PSAIEE
partner port number/key/priority: 16661 32808 32768
partner system: 8192 00:23:04:ee:be:01
aggregator ID: 2
speed/duplex: 10000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4

 

Thanks

gfleming
Staff
gfleming
Staff
October 5, 2022

Do you have two vPC domains? Why are you using VPC 40 and VPC 50?

 

Can you show us the Nexus config for your VPC domain(s)? As well as your vPC Peer Link config.

Terms & ConditionsAccessibility statement