FortiGate
sjhwang
Staff
Description
[Topology or network layout]

FGT-Ue_L3
  (Agg) 45.45.45.1
   ||
   || 45.45.45.0/24
   ||
  (Untrust) 45.45.45.2
FGT200B
  (Port15) 46.46.46.1
   |
   | 46.46.46.0/24
   |
  46.46.46.158
PC

- "Untrust" is an aggregate interface (LAG) made up of port13 and port14.
- The PC (46.46.46.158) sends a ping to FGT-Ue_L3 (45.45.45.1).

1. The PC sends a ping to FGT-Ue_L3 (45.45.45.1). First check the state of the aggregate and its members:

FG200B3910601566 # diag netlink aggregate name untrust
status: up
npu: y
oid: 1
ports: 2
distribution algorithm: L4
LACP mode: static

slave: port13
  link status: up
  link failure count: 0
  permanent MAC addr: 00:09:0f:d1:58:3b

slave: port14
  link status: up
  link failure count: 0
  permanent MAC addr: 00:09:0f:d1:58:3c

2. The following command shows that this flow goes out over port14:

FG200B3910601566 # diag netlink aggregate port untrust dst-ip 45.45.45.1 src-ip 46.46.46.158
port port14

3. The cable on port14 of FGT200B is unplugged. The aggregate itself stays up, but port14 now shows link status down and its link failure count has incremented:

FG200B3910601566 # diag netlink aggregate name untrust
status: up
npu: y
oid: 0
ports: 2
distribution algorithm: L4
LACP mode: static

slave: port13
  link status: up
  link failure count: 0
  permanent MAC addr: 00:09:0f:d1:58:3b

slave: port14
  link status: down
  link failure count: 1
  permanent MAC addr: 00:09:0f:d1:58:3c

4. The same command now shows that the flow has moved to the remaining member, port13:

FG200B3910601566 # diag netlink aggregate port untrust dst-ip 45.45.45.1 src-ip 46.46.46.158
port port13

Solution
To find out which physical member of a LAG a given flow is sent over, use diag netlink aggregate port <aggregate-name> dst-ip a.a.a.a src-ip b.b.b.b, where a.a.a.a is the destination address and b.b.b.b the source address. The output names the member port selected for that address pair; after a member loses link, the same command reflects the re-hashed selection.

Note that this aggregate uses the L4 distribution algorithm, which hashes on ports as well as addresses, so TCP or UDP flows between the same two hosts may land on different members depending on their port numbers. The example above is ICMP, where only the addresses matter.
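The following Python script is an added example, not part of the original article or of FortiOS. It parses the diag netlink aggregate name output shown above (embedded here as constructed sample text) to recover which members are up, and then models member selection for a flow as a hash over the up members only, so a failed member drops out and its flows re-hash onto the survivors. FortiGate's own L4 hash is not documented on this page; the hash used here is an assumption, the classic Linux bonding xmit_hash_policy=layer3+4 formula from bonding.txt, chosen only to illustrate the mechanism. It also shows a TCP flow between the same two hosts landing on a different member than the ping, which is the caveat the L4 algorithm carries.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the 'diag netlink aggregate name untrust' output from the
# page, captured before and after the port14 cable was pulled.
AGG_BEFORE = """\
status: up
npu: y
oid: 1
ports: 2
distribution algorithm: L4
LACP mode: static

slave: port13
  link status: up
  link failure count: 0
  permanent MAC addr: 00:09:0f:d1:58:3b

slave: port14
  link status: up
  link failure count: 0
  permanent MAC addr: 00:09:0f:d1:58:3c
"""

AGG_AFTER = AGG_BEFORE.replace(
    "slave: port14\n  link status: up\n  link failure count: 0",
    "slave: port14\n  link status: down\n  link failure count: 1",
)


@dataclass
class Slave:
    name: str
    up: bool
    failures: int
    mac: str


def parse_aggregate(text):
    """Parse 'diag netlink aggregate name <agg>' output into header fields and slaves."""
    header = {}
    slaves = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the first colon only; MAC addresses contain more colons.
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "slave":
            current = Slave(name=value, up=False, failures=0, mac="")
            slaves.append(current)
        elif current is None:
            header[key] = value
        elif key == "link status":
            current.up = (value == "up")
        elif key == "link failure count":
            current.failures = int(value)
        elif key == "permanent MAC addr":
            current.mac = value
    return header, slaves


def active_members(slaves):
    """Members eligible to carry traffic: those with link status up."""
    return [s.name for s in slaves if s.up]


def l34_hash(src_ip, dst_ip, src_port=0, dst_port=0):
    """Assumption: classic Linux bonding layer3+4 formula, standing in for
    FortiGate's undocumented L4 hash. ICMP has no ports, so both default to 0."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    return (src_port ^ dst_port) ^ ((s ^ d) & 0xFFFF)


def select_port(slaves, src_ip, dst_ip, src_port=0, dst_port=0):
    """Hash modulo the number of up members, so a down member drops out."""
    members = active_members(slaves)
    if not members:
        raise RuntimeError("aggregate has no active members")
    return members[l34_hash(src_ip, dst_ip, src_port, dst_port) % len(members)]


if __name__ == "__main__":
    for label, text in (("before", AGG_BEFORE), ("after port14 unplug", AGG_AFTER)):
        header, slaves = parse_aggregate(text)
        print(label, header["distribution algorithm"], active_members(slaves),
              "ping ->", select_port(slaves, "46.46.46.158", "45.45.45.1"),
              "tcp/443 ->", select_port(slaves, "46.46.46.158", "45.45.45.1", 40000, 443))
```

With this formula the ping from 46.46.46.158 to 45.45.45.1 happens to select port14 and fails over to port13 when port14 goes down, matching the page's output, but that agreement is coincidental and says nothing about the hash FortiGate actually uses. The point to take away is the shape of the behaviour: member choice is a function of the flow tuple and of the set of currently up members, so the diag command should be re-run after any link event.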
