Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Note: Explanation of 'min-links' and 'li...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
Scope
Solution
2. Same example, f1-1 is currently down, but min-links 2:
The LAG is down:
HA status (from “diag sys ha status”):
This article explains the “min-links” and “link-failure-threshold” behavior in HA.
Scope
FortiController v5.2
Solution
“min-links” is used to indicate if the LACP trunk can be up.
It can be configured per LAG:
min-links 0 : means disabled (default), the LAG will be up as long as at least 1 LACP member is up.
min-links 2 : LAG will be up if at least 2 LACP members are up. However, with default “link-failure-threshold”, the number of “dead” members will be reported to the HA as bad-score so it may trigger a failover even though the LAG is still up.
1. In this example, there are 2 LAGs with 2 members, min-links 1. f1-1 is currently down:
The LAG is still up:
HA status (from “diag sys ha status”):
It can be configured per LAG:
min-links 0 : means disabled (default), the LAG will be up as long as at least 1 LACP member is up.
min-links 2 : LAG will be up if at least 2 LACP members are up. However, with default “link-failure-threshold”, the number of “dead” members will be reported to the HA as bad-score so it may trigger a failover even though the LAG is still up.
1. In this example, there are 2 LAGs with 2 members, min-links 1. f1-1 is currently down:
config switch fabric-channel trunk
edit "LAG-OUT"
set mode lacp-active
set min-links 1
set members "f1-1" "f1-2"
next
FT-A-1 # diag switch fabric-channel trunk list LAG-OUT
Switch Trunk Information, fabric-Channel
Trunk Name: LAG-OUT
Port Selection Algorithm: src-dst-ip
Minimum Links: 1
Active Port Update Time
___________ ____________________
f1-2 10:32:11 Jun-01-2017
Non-Active Port Status
_______________ ____________________
f1-1 BLOCK
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled
status: up
Live links: 1
ports: 2
LACP mode: active
LACP speed: slow
aggregator ID: 2
actor key: 33
actor MAC address: 90:6c:ac:a0:52:2a
partner key: 33
partner MAC address: 90:6c:ac:6d:d9:c6
slave: f1-1
status: down
link failure count: 2
permanent MAC addr: 90:6c:ac:a0:52:2a
actor state: ASAIDD
partner state: PSIODD
aggregator ID: 1
slave: f1-2
status: up
link failure count: 1
permanent MAC addr: 90:6c:ac:a0:52:2c
actor state: ASAIEE
partner state: ASAIEE
aggregator ID: 2
HA status (from “diag sys ha status”):
state: gateway_die=0, worker_failure=0/2, lag=(total/good/down/bad-score)=2/1/0/1,
2. Same example, f1-1 is currently down, but min-links 2:
The LAG is down:
FT-A-1 # diag switch fabric-channel trunk list LAG-OUT
Switch Trunk Information, fabric-Channel
Trunk Name: LAG-OUT
Port Selection Algorithm: UNKNOWN
Minimum Links: 2
Active Port Update Time
___________ ____________________
Non-Active Port Status
_______________ ____________________
f1-1 BLOCK
f1-2 BLOCK
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled
status: down (No aggregation due to minimum links not met)
Live links: 1
ports: 2
LACP mode: active
LACP speed: slow
aggregator ID: 1
actor key: 0
actor MAC address: 90:6c:ac:a0:52:2a
partner key: 1
partner MAC address: 00:00:00:00:00:00
slave: f1-1
status: down
link failure count: 3
permanent MAC addr: 90:6c:ac:a0:52:2a
actor state: ASAODD
partner state: PSIODD
aggregator ID: 1
slave: f1-2
status: down
link failure count: 2
permanent MAC addr: 90:6c:ac:a0:52:2c
actor state: ASAODD
partner state: PSIODD
aggregator ID: 2
HA status (from “diag sys ha status”):
state: gateway_die=0, worker_failure=0/2, lag=(total/good/down/bad-score)=2/1/1/0,
“link-failure-threshold” is a HA setting. When the number of bad members of a trunk is above this threshold, the trunk will be marked with "bad-score" therefore a failover may be triggered.
1. In this example, there are 2 LAGs with 2 members, min-links 1 & link-failure-threshold 0 (default setting). f1-1 member is currently down but the LAG is still up (because of min-links 1) however it is marked as bad-score, hence Failover is triggered:
HA status:
2. Same example but link-failure-threshold 1. The LAG is still up and it is not marked as bad-score, hence failover is not triggered :
HA status:
1. In this example, there are 2 LAGs with 2 members, min-links 1 & link-failure-threshold 0 (default setting). f1-1 member is currently down but the LAG is still up (because of min-links 1) however it is marked as bad-score, hence Failover is triggered:
config system ha
set link-failure-threshold 0
end
state: gateway_die=0, worker_failure=0/2, lag=(total/good/down/bad-score)=2/1/0/1,
2. Same example but link-failure-threshold 1. The LAG is still up and it is not marked as bad-score, hence failover is not triggered :
config system ha
set link-failure-threshold 1
end
state: gateway_die=0, worker_failure=0/2, lag=(total/good/down/bad-score)=2/2/0/0,
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.