52000cc
New Member
December 6, 2024
Question

Fortigate to Cisco Switch issue


When connecting the FortiGate to the Cisco switch, I noticed that the LAG port on the FortiGate is consistently down. Do you know how to resolve this issue? Thank you.

Below are the FortiGate details:

config system interface
edit "to-Cisco"
set vdom "root"
set ip 192.168.192.2 255.255.255.0
set allowaccess ping fabric
set type aggregate
set member "port5" "port6"
set device-identification enable
set device-user-identification disable
set role lan
set snmp-index 12
next
end
diag netlink aggregate list
List of 802.3ad link aggregation interfaces:
1 name fortilink status down algorithm L4 lacp-mode active
2 name to-Cisco status down algorithm L4 lacp-mode active

diag netlink interface list to-Cisco

if=to-Cisco family=00 type=1 index=19 mtu=1500 link=0 master=0
ref=21 state=start present no_carrier fw_flags=8800 flags=up broadcast master multicast
Qdisc=noqueue hw_addr=00:15:5d:bd:9a:08 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=92092 txp=5264 rxb=24443268 txb=635935 rxe=0 txe=0 rxd=0 txd=0 mc=92092 collision=0 @ time=1733488413
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=7 arp_entry=0 refcnt=21

The Cisco information:

interface Port-channel1
description to-Fortigate
switchport trunk native vlan 192
switchport mode trunk


interface GigabitEthernet1/0/23
switchport trunk native vlan 192
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active

interface GigabitEthernet1/0/24
switchport trunk native vlan 192
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
interface Vlan192
ip address 192.168.192.1 255.255.255.0


9 replies

funkylicious
SuperUser
December 6, 2024

Hi,

Can you run this on the switch side:

show etherchannel 1 port-channel

"jack of all trades, master of none"
52000cc (Author)
New Member
December 6, 2024

Here is the information:
show etherchannel 1 port-channel
Port-channels in the group:
---------------------------

Port-channel: Po1 (Primary Aggregator)

------------

Age of the Port-channel = 0d:06h:24m:18s
Logical slot/port = 5/1 Number of ports = 0
HotStandBy port = null
Port state = Port-channel Ag-Not-Inuse
Protocol = LACP
Port security = Disabled

funkylicious
SuperUser
December 6, 2024

I would have expected to see Eth1/0/23 and /24 in that output...

Can you try deleting the fortilink LAG created by default on the FGT and see if it changes status ?

"jack of all trades, master of none"
52000cc (Author)
New Member
December 6, 2024

Here is the Eth1/0/23 and /24 output; after deleting the default fortilink, the status still seems to be down.
GigabitEthernet1/0/24 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 189b.5b97.9918 (bia 189b.5b97.9918)
MTU 9198 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 14000 bits/sec, 7 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
46326 packets output, 8720346 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
GigabitEthernet1/0/23 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 189b.5b97.9917 (bia 189b.5b97.9917)
MTU 9198 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 14000 bits/sec, 7 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
46319 packets output, 8713914 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

funkylicious
SuperUser
December 6, 2024

I can see that jumbo MTU is configured on the Cisco side on port Gi1/0/24. Can you confirm that it is also the case for Gi1/0/23 and for port5 and port6 on the FortiGate side?

You can check on the FGT side with, diag netlink interface list <NIC name>

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Changing-the-MTU-value-of-an-aggregate-interface/ta-p/331493

"jack of all trades, master of none"
52000cc (Author)
New Member
December 6, 2024

Looks like I cannot change the interface's MTU:
(port5) # set
*vdom Interface is in this virtual domain (VDOM).
distance Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.
priority Priority of learned routes.
dhcp-relay-source-ip IP address used by the DHCP relay as its source IP.
dhcp-relay-circuit-id DHCP relay circuit ID.
dhcp-classless-route-addition Enable/disable addition of classless static routes retrieved from DHCP server.
dhcp-client-identifier DHCP client identifier.
dhcp-renew-time DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server.
dns-server-override Enable/disable use DNS acquired by DHCP or PPPoE.
dns-server-protocol DNS transport protocols.
macaddr Change the interface's MAC address.
speed Interface speed. The default setting and the options available depend on the interface hardware.
status Bring the interface up or shut the interface down.
type Interface type.
ring-rx RX ring size.
ring-tx TX ring size.
netflow-sample-rate NetFlow sample rate. Sample one packet every configured number of packets
(1 - 65535, default = 1, which means standard NetFlow where all packets are sampled).
src-check Enable/disable source IP check.
description Description.
alias Alias will be displayed with the interface name to make it easier to distinguish.
ike-saml-server Configure IKE authentication SAML server.
estimated-upstream-bandwidth Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.
estimated-downstream-bandwidth Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.
measured-upstream-bandwidth Measured upstream bandwidth (kbps).
measured-downstream-bandwidth Measured downstream bandwidth (kbps).
bandwidth-measure-time Bandwidth measure time.
monitor-bandwidth Enable monitoring bandwidth on this interface.
role Interface role.
snmp-index Permanent SNMP Index of the interface.
preserve-session-route Enable/disable preservation of session route when dirty.
ap-discover Enable/disable automatic registration of unknown FortiAP devices.
switch-controller-mgmt-vlan VLAN to use for FortiLink management purposes.
switch-controller-igmp-snooping-proxy Switch controller IGMP snooping proxy.
switch-controller-igmp-snooping-fast-leave Switch controller IGMP snooping fast-leave.
swc-first-create Initial create for switch-controller VLANs.
eap-supplicant Enable/disable EAP-Supplicant.

52000cc (Author)
New Member
December 6, 2024

diag netlink interface list port5 port6

if=port5 family=00 type=1 index=8 mtu=1500 link=0 master=0
ref=75 state=start present fw_flags=0 flags=up broadcast run noarp slave multicast
Qdisc=mq hw_addr=00:15:5d:bd:9a:08 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=5473 txp=3944 rxb=798264 txb=480667 rxe=0 txe=0 rxd=0 txd=0 mc=5473 collision=0 @ time=1733527008
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=3 arp_entry=0 refcnt=75

if=port6 family=00 type=1 index=9 mtu=1500 link=0 master=0
ref=75 state=start present fw_flags=0 flags=up broadcast run noarp slave multicast
Qdisc=mq hw_addr=00:15:5d:bd:9a:08 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=107157 txp=3937 rxb=24954296 txb=479776 rxe=0 txe=0 rxd=0 txd=0 mc=107157 collision=0 @ time=1733527008
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=3 arp_entry=0 refcnt=75

dingjerry_FTNT
Staff
December 7, 2024

Hi @52000cc,

Could you please run this CLI command?

diag netlink aggregate name to-Cisco

52000cc (Author)
New Member
December 7, 2024

diag netlink aggregate name to-Cisco
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: down
npu: n
flush: n
asic helper: y
ports: 1
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 3
actor key: 17
actor MAC address: 00:15:5d:bd:9a:08
partner key: 1
partner MAC address: 00:00:00:00:00:00

member: port5
index: 0
link status: up
link failure count: 0
permanent MAC addr: 00:15:5d:bd:9a:08
LACP state: negotiating
LACPDUs RX/TX: 0/353
actor state: ASAIDD
actor port number/key/priority: 1 17 255
partner state: ASIODD
partner port number/key/priority: 1 1 255
partner system: 65535 00:00:00:00:00:00
aggregator ID: 3
speed/duplex: 1000 1
RX state: DEFAULTED 5
MUX state: ATTACHED 3

dingjerry_FTNT
Staff
December 7, 2024

Hi @52000cc,

actor state: ASAIDD
actor port number/key/priority: 1 17 255
partner state: ASIODD
partner port number/key/priority: 1 1 255

The third letter indicates whether it is an aggregate or an individual interface. Apparently, the FGT is 'A', which means it is an aggregate interface (LACP).

The partner (Cisco switch) is 'I'; this is the info the FGT received from the Cisco switch.

That indicates that there is something wrong with the Cisco switch. Please check it over there.
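
Because the thread turns on reading those six-letter actor/partner flags, here is a small decoder, added for this page and not code from the thread or from Fortinet, that parses the member section of `diag netlink aggregate name <lag>` using the legend the command itself prints and turns the state into findings. The sample input is the port5 block from the output above (constructed here as an inline string). One check it adds that a practitioner would want before going to the switch: LACPDUs RX/TX 0/353, RX state DEFAULTED and an all-zero partner system MAC mean port5 has not received a single LACPDU, so the partner line (ASIODD, key 1, port 1, priority 255, system priority 65535, zero MAC) is the defaulted partner set, the same values the Linux bonding driver records before any LACPDU arrives, rather than something learned from the Cisco switch. That fits the switch side of the thread, where Gi1/0/23 and Gi1/0/24 both show 0 packets input and Po1 has 0 ports: the physical links are up, but LACPDUs leaving the FortiGate are not arriving at the switch, and nothing from the switch is arriving at the FortiGate.

```python
"""Decode the per-member LACP state printed by
`diag netlink aggregate name <lag>` on a FortiGate.

Added example for this page; not code from the thread or from Fortinet.
The regexes match the field labels visible in the thread's output, and the
flag legend is the one the command prints: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D).
"""
import re

# Position in the six-letter state string -> (field, {letter: meaning}).
FLAG_LEGEND = (
    ("lacp_mode", {"A": "active", "P": "passive"}),
    ("lacp_speed", {"S": "slow", "F": "fast"}),
    ("aggregation", {"A": "aggregatable", "I": "individual"}),
    ("sync", {"I": "in-sync", "O": "out-of-sync"}),
    ("collecting", {"E": "enabled", "D": "disabled"}),
    ("distributing", {"E": "enabled", "D": "disabled"}),
)


def decode_flags(flags):
    """Expand a state string such as 'ASAIDD' into a dict of meanings."""
    if len(flags) != len(FLAG_LEGEND):
        raise ValueError(f"expected {len(FLAG_LEGEND)} flag letters, got {flags!r}")
    decoded = {}
    for (field, table), letter in zip(FLAG_LEGEND, flags):
        if letter not in table:
            raise ValueError(f"letter {letter!r} is not valid for {field}")
        decoded[field] = table[letter]
    return decoded


# Member-level lines we reason about; everything else is ignored.
_MEMBER_FIELDS = {
    "link_status": re.compile(r"^link status:\s*(\S+)"),
    "lacpdu_rx_tx": re.compile(r"^LACPDUs RX/TX:\s*(\d+)/(\d+)"),
    "actor_state": re.compile(r"^actor state:\s*(\S+)"),
    "partner_state": re.compile(r"^partner state:\s*(\S+)"),
    "partner_system": re.compile(r"^partner system:\s*(\d+)\s+(\S+)"),
    "rx_state": re.compile(r"^RX state:\s*(\S+)"),
}


def parse_members(output):
    """Return one dict per 'member:' block of the command output."""
    members, current = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"^member:\s*(\S+)", line)
        if m:
            current = {"name": m.group(1)}
            members.append(current)
            continue
        if current is None:  # still in the aggregate-level header
            continue
        for field, pattern in _MEMBER_FIELDS.items():
            m = pattern.match(line)
            if m:
                groups = m.groups()
                current[field] = groups if len(groups) > 1 else groups[0]
    return members


def diagnose(member):
    """Return a list of findings for one member; an empty list means healthy."""
    findings = []
    rx, tx = (int(n) for n in member.get("lacpdu_rx_tx", ("0", "0")))
    if rx == 0:
        findings.append(f"no LACPDUs received ({tx} sent): nothing from the peer "
                        "reached this port, so the partner fields were not learned from it")
    if member.get("rx_state", "").startswith("DEFAULTED"):
        findings.append("RX state DEFAULTED: partner parameters are defaults, not negotiated")
    _prio, mac = member.get("partner_system", ("", ""))
    if mac == "00:00:00:00:00:00":
        findings.append("partner system MAC is all zeros: no LACP partner learned")
    actor = decode_flags(member["actor_state"])
    partner = decode_flags(member["partner_state"])
    if partner["aggregation"] == "individual":
        findings.append("partner flags say individual, not aggregatable")
    if actor["sync"] == "out-of-sync" or partner["sync"] == "out-of-sync":
        findings.append("actor/partner out of sync: no agreed aggregator")
    if actor["collecting"] == "disabled" or actor["distributing"] == "disabled":
        findings.append("actor not collecting/distributing: member carries no traffic")
    return findings


# Constructed sample: the port5 block from the thread's 'to-Cisco' output.
SAMPLE = """\
status: down
ports: 1
LACP mode: active
partner MAC address: 00:00:00:00:00:00

member: port5
link status: up
LACP state: negotiating
LACPDUs RX/TX: 0/353
actor state: ASAIDD
actor port number/key/priority: 1 17 255
partner state: ASIODD
partner port number/key/priority: 1 1 255
partner system: 65535 00:00:00:00:00:00
aggregator ID: 3
RX state: DEFAULTED 5
MUX state: ATTACHED 3
"""

if __name__ == "__main__":
    for member in parse_members(SAMPLE):
        print(f"{member['name']}: actor={decode_flags(member['actor_state'])}")
        for finding in diagnose(member):
            print("  -", finding)
```

Paste the real command output into `SAMPLE` (or read it from a file) and run the script; a member with an empty findings list has negotiated a working aggregator, and the first finding on a failing member is usually the one to chase, since an RX count of zero makes every partner field after it meaningless.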

52000cc (Author)
New Member
December 7, 2024

I just removed all the LACP-related config and did it again, and found that port6 cannot be set as a member:

edit to-Cisco

set member port5 port6
node_check_object fail! for interface-name port6

value parse error before 'port6'
Command fail. Return code -651

Re-ran the command again:

diag netlink aggregate name to-Cisco
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: down
npu: n
flush: n
asic helper: y
ports: 1
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: 00:15:5d:bd:9a:08
partner key: 1
partner MAC address: 00:00:00:00:00:00

member: port5
index: 0
link status: up
link failure count: 0
permanent MAC addr: 00:15:5d:bd:9a:08
LACP state: negotiating
LACPDUs RX/TX: 0/8
actor state: ASAIDD
actor port number/key/priority: 1 17 255
partner state: ASIODD
partner port number/key/priority: 1 1 255
partner system: 65535 00:00:00:00:00:00
aggregator ID: 1
speed/duplex: 1000 1
RX state: DEFAULTED 5
MUX state: ATTACHED 3

dingjerry_FTNT
Staff
December 7, 2024

Hi @52000cc,

Please run this command to see where port6 is used:

diagnose sys cmdb refcnt show system.interface.name port6

52000cc (Author)
New Member
December 7, 2024

Here is the result:
diagnose sys cmdb refcnt show system.interface.name port6
entry used in table firewall.on-demand-sniffer:name 'port6_root' entry interface 'port6' (From VDOM: 'root')

Toshi_Esumi
SuperUser
December 7, 2024

I would suggest, at this moment, that you try focusing on bringing up LACP between them with one port first. Then, only after that, add the second port on both sides.

I'm assuming Cisco GigabitEthernet1/0/23 is connected to FGT port5. So put only that port in the LACP, then check "diag netlink aggregate name <name>" on the FGT and the "show lacp" (? depending on the type of Cisco SW) commands on the Cisco side.
If one port doesn't work, two ports will never work.

Toshi