Explorer II

Question

HA A-P Preemption Issue: LACP interface stuck in 'mondev down' after reboot until manual flap

Forum|Forum|1 month ago
May 7, 2026
2 replies
97 views

Hello everyone,

I am facing an issue with an HA Active-Passive setup using two FortiGate 120G devices (Firmware:7.6.6).

The Setup:

HA Mode: Active-Passive

Priority: FG1 (128) - intended Primary, FG2 (120) - intended Secondary.

HA Override: enable

Monitored Interfaces: ATC-LACP (802.3ad Aggregate interface connected to a core switch).

The Problem: When I reboot the Primary unit (FG1), failover happens correctly, and FG2 takes over. However, when FG1 finishes booting up, it does NOT preempt back to the Primary role. Running get system ha status shows that FG1 is stuck as Secondary with the following warning: WARNING: FG120GTKXXXXXXXX has mondev down;

The LACP interface on FG1 stays down. The only way to fix this and trigger preemption is to manually log into FG1 (which is currently the secondary) and flap the interface:

Plaintext

config system interface
edit "ATC-LACP"
set status down
set status up
next
end

Immediately after this manual flap, the LACP comes up, the mondev down warning disappears, and FG1 successfully preempts to become the Primary again.

What I have already tried: On the FortiGate side, I have configured the following on the LACP interface:

set lacp-speed fast

set link-up-delay 10000 (to give it 10 seconds after reboot)

set lacp-ha-secondary enable (to keep the interface active while secondary)

Despite these settings, the manual flap is still required after a reboot. The switch is currently using standard (slow) LACP timers, and I am waiting for the switch admin to change it to fast.

My Questions:

Is the switch's LACP rate (slow vs. fast mismatch) the sole reason the FortiGate's LACP interface fails to initialize automatically after a reboot?

Are there any other specific FortiOS CLI commands or best practices to ensure the LACP comes up automatically and triggers preemption without manual intervention?

Any advice or insights would be greatly appreciated!

Thanks in advance.

Toshi_Esumi

SuperUser

What I would do in your situation is:

check LACP status when “mondev down”
diag netlink aggregate list
diag netlink aggregate name [LAG_name]
check the physical port if any of them are down
diag hardware deviceinfo nic [port_name]
check any errors on ports
fnsysctl ifconfig [port_name]

If physical ports are down, the problem is more physical, not LACP. Then, regardless take look close any rx/tx errors/drops on each port. You need to check the same on the switch side.

If ports are clean and up while the LACP is down, that’s when I would suspect LACP settings on both sides.
And, if LACP config is “active” on both sides and looks fine, it’s time to suspect any software issues. The slow vs. fast settings wouldn’t impact operation on the opposite side.

Toshi

Liza1Author

Explorer II

FG-Primary # diag netlink aggregate name SATC-LACP
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: down
npu: n
flush: n
asic helper: y
ports: 4
link-up-delay: 10000ms
min-links: 1
ha: backup
distribution algorithm: L4
LACP mode: active
LACP speed: fast
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: b4:b2:e9:64:77:e0
partner key: 101
partner MAC address: 70:6e:6d:4d:25:00

member: port1
index: 0
link status: up
link failure count: 0
permanent MAC addr: b4:b2:e9:64:77:e0
LACP state: negotiating
LACPDUs RX/TX: 263/262
actor state: AFAIDD
actor port number/key/priority: 1 17 255
partner state: AFAODD
partner port number/key/priority: 267 101 32768
partner system: 32768 70:6e:6d:4d:25:00
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: ATTACHED 3

member: port2
index: 1
link status: up
link failure count: 0
permanent MAC addr: b4:b2:e9:64:77:e1
LACP state: negotiating
LACPDUs RX/TX: 250/243
actor state: AFAIDD
actor port number/key/priority: 2 17 255
partner state: AFAODD
partner port number/key/priority: 268 101 32768
partner system: 32768 70:6e:6d:4d:25:00
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: ATTACHED 3

member: port3
index: 2
link status: up
link failure count: 0
permanent MAC addr: b4:b2:e9:64:77:e2
LACP state: negotiating
LACPDUs RX/TX: 251/243
actor state: AFAIDD
actor port number/key/priority: 3 17 255
partner state: AFAODD
partner port number/key/priority: 269 101 32768
partner system: 32768 70:6e:6d:4d:25:00
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: ATTACHED 3

member: port4
index: 3
link status: up
link failure count: 0
permanent MAC addr: b4:b2:e9:64:77:e3
LACP state: negotiating
LACPDUs RX/TX: 253/243
actor state: AFAIDD
actor port number/key/priority: 4 17 255
partner state: AFAODD
partner port number/key/priority: 270 101 32768
partner system: 32768 70:6e:6d:4d:25:00
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: ATTACHED 3

FG-Primary # diag hardware deviceinfo nic port1
Description :FortiASIC NP7LITE Adapter
Driver Name :FortiASIC Unified NPU Driver
Name :np7lite_0
pid :0
oid :1
vid :2
macid :1
eif_id :0
promiscous :1
mtu :1500
netdev oid :1
dev-flags :1983
dev-promis :1
Current_HWaddr b4:b2:e9:64:77:e0
Permanent_HWaddr b4:b2:e9:64:77:e0
==== Default Link Settings =====
auto-nego :Enable
s_speed :1000
s_duplex :Full
==== Current Link Settings =====
auto-nego :Enable
s_status :Up
s_speed :1000
s_duplex :Full
==== Link Status ===============
Admin :Up
link_status :Up
Speed :1000
Duplex :Full
==== Netdev Status =============
dev_running :Yes
dev_carrier :On
==== Host Counters =============
rx_pkts :1
rx_bytes :46
tx_pkts :282
tx_bytes :36228
tx_drop :0
tx_e_busy :0
tx_e_noheadroom :0
tx_e_oid :0
tx_e_adapter :0
tx_e_pad :0
tx_e_other :0
==== Netdev Counters ===========
Rx Pkts :282
Rx Bytes :34264
Tx Pkts :282
Tx Bytes :36228

FG-Primary # fnsysctl ifconfig port1
port1 Link encap:Ethernet HWaddr B4:B2:E9:64:77:E0
UP BROADCAST RUNNING NOARP PROMISC SLAVE MULTICAST MTU:1500 Metric:1
RX packets:288 errors:0 dropped:0 overruns:0 frame:0
TX packets:287 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:35008 (34.2 KB) TX bytes:36848 (35.10 KB)

FG-Primary # fnsysctl ifconfig port2
port2 Link encap:Ethernet HWaddr B4:B2:E9:64:77:E0
UP BROADCAST RUNNING NOARP PROMISC SLAVE MULTICAST MTU:1500 Metric:1
RX packets:293 errors:0 dropped:0 overruns:0 frame:0
TX packets:287 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:35628 (34.8 KB) TX bytes:36953 (36.1 KB)

FG-Primary # fnsysctl ifconfig port3
port3 Link encap:Ethernet HWaddr B4:B2:E9:64:77:E0
UP BROADCAST RUNNING NOARP PROMISC SLAVE MULTICAST MTU:1500 Metric:1
RX packets:295 errors:0 dropped:0 overruns:0 frame:0
TX packets:288 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:35812 (34.10 KB) TX bytes:37077 (36.2 KB)

FG-Primary # fnsysctl ifconfig port4
port4 Link encap:Ethernet HWaddr B4:B2:E9:64:77:E0
UP BROADCAST RUNNING NOARP PROMISC SLAVE MULTICAST MTU:1500 Metric:1
RX packets:300 errors:0 dropped:0 overruns:0 frame:0
TX packets:290 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:36368 (35.5 KB) TX bytes:37325 (36.5 KB)

FG-Primary # diag hardware deviceinfo nic port2
Description :FortiASIC NP7LITE Adapter
Driver Name :FortiASIC Unified NPU Driver
Name :np7lite_0
pid :1
oid :2
vid :3
macid :2
eif_id :0
promiscous :1
mtu :1500
netdev oid :2
dev-flags :1983
dev-promis :1
Current_HWaddr b4:b2:e9:64:77:e0
Permanent_HWaddr b4:b2:e9:64:77:e1
==== Default Link Settings =====
auto-nego :Enable
s_speed :1000
s_duplex :Full
==== Current Link Settings =====
auto-nego :Enable
s_status :Up
s_speed :1000
s_duplex :Full
==== Link Status ===============
Admin :Up
link_status :Up
Speed :1000
Duplex :Full
==== Netdev Status =============
dev_running :Yes
dev_carrier :On
==== Host Counters =============
rx_pkts :1
rx_bytes :46
tx_pkts :296
tx_bytes :38069
tx_drop :0
tx_e_busy :0
tx_e_noheadroom :0
tx_e_oid :0
tx_e_adapter :0
tx_e_pad :0
tx_e_other :0
==== Netdev Counters ===========
Rx Pkts :303
Rx Bytes :36804
Tx Pkts :295
Tx Bytes :37945

FG-Primary # diag hardware deviceinfo nic port3
Description :FortiASIC NP7LITE Adapter
Driver Name :FortiASIC Unified NPU Driver
Name :np7lite_0
pid :2
oid :3
vid :4
macid :3
eif_id :0
promiscous :1
mtu :1500
netdev oid :3
dev-flags :1983
dev-promis :1
Current_HWaddr b4:b2:e9:64:77:e0
Permanent_HWaddr b4:b2:e9:64:77:e2
==== Default Link Settings =====
auto-nego :Enable
s_speed :1000
s_duplex :Full
==== Current Link Settings =====
auto-nego :Enable
s_status :Up
s_speed :1000
s_duplex :Full
==== Link Status ===============
Admin :Up
link_status :Up
Speed :1000
Duplex :Full
==== Netdev Status =============
dev_running :Yes
dev_carrier :On
==== Host Counters =============
rx_pkts :2
rx_bytes :92
tx_pkts :298
tx_bytes :38317
tx_drop :0
tx_e_busy :0
tx_e_noheadroom :0
tx_e_oid :0
tx_e_adapter :0
tx_e_pad :0
tx_e_other :0
==== Netdev Counters ===========
Rx Pkts :306
Rx Bytes :37112
Tx Pkts :297
Tx Bytes :38193

FG-Primary # diag hardware deviceinfo nic port4
Description :FortiASIC NP7LITE Adapter
Driver Name :FortiASIC Unified NPU Driver
Name :np7lite_0
pid :3
oid :4
vid :5
macid :4
eif_id :0
promiscous :1
mtu :1500
netdev oid :4
dev-flags :1983
dev-promis :1
Current_HWaddr b4:b2:e9:64:77:e0
Permanent_HWaddr b4:b2:e9:64:77:e3
==== Default Link Settings =====
auto-nego :Enable
s_speed :1000
s_duplex :Full
==== Current Link Settings =====
auto-nego :Enable
s_status :Up
s_speed :1000
s_duplex :Full
==== Link Status ===============
Admin :Up
link_status :Up
Speed :1000
Duplex :Full
==== Netdev Status =============
dev_running :Yes
dev_carrier :On
==== Host Counters =============
rx_pkts :2
rx_bytes :92
tx_pkts :300
tx_bytes :38565
tx_drop :0
tx_e_busy :0
tx_e_noheadroom :0
tx_e_oid :0
tx_e_adapter :0
tx_e_pad :0
tx_e_other :0
==== Netdev Counters ===========
Rx Pkts :310
Rx Bytes :37608
Tx Pkts :300
Tx Bytes :38565

FG-Primary # diag hardware deviceinfo nic port4
Description :FortiASIC NP7LITE Adapter
Driver Name :FortiASIC Unified NPU Driver
Name :np7lite_0
pid :3
oid :4
vid :5
macid :4
eif_id :0
promiscous :1
mtu :1500
netdev oid :4
dev-flags :1983
dev-promis :1
Current_HWaddr b4:b2:e9:64:77:e0
Permanent_HWaddr b4:b2:e9:64:77:e3
==== Default Link Settings =====
auto-nego :Enable
s_speed :1000
s_duplex :Full
==== Current Link Settings =====
auto-nego :Enable
s_status :Up
s_speed :1000
s_duplex :Full
==== Link Status ===============
Admin :Up
link_status :Up
Speed :1000
Duplex :Full
==== Netdev Status =============
dev_running :Yes
dev_carrier :On
==== Host Counters =============
rx_pkts :2
rx_bytes :92
tx_pkts :376
tx_bytes :48199
tx_drop :0
tx_e_busy :0
tx_e_noheadroom :0
tx_e_oid :0
tx_e_adapter :0
tx_e_pad :0
tx_e_other :0
==== Netdev Counters ===========
Rx Pkts :386
Rx Bytes :46904
Tx Pkts :375
Tx Bytes :48075

FG-Primary # diag hardware deviceinfo nic port4
Description :FortiASIC NP7LITE Adapter
Driver Name :FortiASIC Unified NPU Driver
Name :np7lite_0
pid :3
oid :4
vid :5
macid :4
eif_id :0
promiscous :1
mtu :1500
netdev oid :4
dev-flags :1983
dev-promis :1
Current_HWaddr b4:b2:e9:64:77:e0
Permanent_HWaddr b4:b2:e9:64:77:e3
==== Default Link Settings =====
auto-nego :Enable
s_speed :1000
s_duplex :Full
==== Current Link Settings =====
auto-nego :Enable
s_status :Up
s_speed :1000
s_duplex :Full
==== Link Status ===============
Admin :Up
link_status :Up
Speed :1000
Duplex :Full
==== Netdev Status =============
dev_running :Yes
dev_carrier :On
==== Host Counters =============
rx_pkts :2
rx_bytes :92
tx_pkts :411
tx_bytes :52644
tx_drop :0
tx_e_busy :0
tx_e_noheadroom :0
tx_e_oid :0
tx_e_adapter :0
tx_e_pad :0
tx_e_other :0
==== Netdev Counters ===========
Rx Pkts :422
Rx Bytes :51304
Tx Pkts :410
Tx Bytes :52520

FG-Primary #

BillH_FTNT

Staff

Hi @Liza1

Please provide the output referenced in Toshi’s comment below, as it would be useful for verifying the LACP and interface status.

Additionally, could you share the system and event logs related to the LACP interfaces? Do the interfaces frequently flap, or do they only go down when the Active Gate transitions to the secondary role?

THanks

Bill

Liza1Author

Explorer II

Hi Toshi,

Thank you for the excellent troubleshooting steps!

I ran these commands on the affected unit (FG1, Priority 128) right after a reboot, while it was stuck in the mondev down state and before doing any manual interface flaps.

I write in the Tosh’s reply output as you requested. I reproduced the issue (rebooted FG1) and gathered these logs right while it was stuck in the mondev down state, before doing any manual flaps.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded