|
The basic troubleshooting commands for LACP are as below:
diagnose netlink aggregate name your_aggregate_link
diagnose hardware deviceinfo nic <all_interface_in_your_aggregation>
diagnose sniff packet your_aggregate_link " " 6 0 l
Find more detailed information about this command and how to identify the status of the link through this related KB article: Technical Tip: Initial troubleshooting steps for LACP (Link Aggregation - 802.3ad).
Upon identifying that the LACP link is down while the attached physical ports are up, do the following.
- Check that the parameters below match on both ends.
- LACP Mode:
- Active Mode: The device initiates LACP negotiation by sending LACP packets.
- Passive Mode: The device responds to LACP packets but does not initiate them.
Ensure that one end is set to Active mode, or both ends can be in Active mode. If both ends are in Passive mode, the link will not come up, as neither side will initiate LACP packets.
- Speed and Duplex Settings: Both devices must have matching speeds (e.g., 1 Gbps, 10 Gbps) and duplex settings (full duplex). Mismatched speed or duplex settings can cause the link to fail or have flaps.
- Port Configuration: All physical interfaces that are part of the LACP group must be configured consistently. This includes:
- VLAN settings.
- STP (Spanning Tree Protocol) settings.
- Port security settings.
- Ensure that these settings are identical across all aggregated ports.
- LACP System Priority: This is a numerical value used to determine which device should be the controlling system in the LACP negotiation. While not always necessary, having mismatched priorities can affect which device takes precedence in LACP negotiations.
- LACP Port Priority: Each port in the LACP group has a port priority value. Matching these values is important for determining which ports will be active in the case of a link failure.
- LACP Timeout: LACP has two timeout values: short (1 second) and long (30 seconds). Both devices should use the same timeout value to ensure timely detection of link failures.
- Number of Links: The number of physical links aggregated must match on both devices. If one device has more links configured for LACP than the other, the additional links will not be used.
- Hash Algorithm: LACP uses a hash algorithm to determine how traffic is distributed across the aggregated links. Ensure that both devices use compatible hash algorithms to prevent issues with traffic distribution. Common hash algorithms include:
- Source MAC address.
- Destination MAC address.
- Source and destination MAC address.
Below is the configuration from the FortiGate LACP, which matches the above. Even though they are not an exact match, it is possible to check them with the 3rd-party device LACP configuration:
edit "TEST LACP"
set vlanforward disable <----- Point #1.3
set stpforward disable <----- Point #1.3.
set security-mode none <----- Point #1.3
set priority 1 <----- Point #1.4.
set idle-timeout 0 <----- Point #1.6.
set lacp-mode active <----- Point #1.1.
set system-id-type auto <----- Point #1.5.
set lacp-speed slow <----- Point #1.2.
set min-links 1 <----- Point #1.7.
set min-links-down operational <----- Point #1.7.
set algorithm L4 <----- Point #1.8.
next
If the above parameters match and still 'diag netlink aggregate name your_aggregate_link' shows status is down, use the commands below, and the output should look like below:
diagnose sniffer packet any "ether proto 0X8809" 4 0 l
If the 2 devices are properly communicating, see the MAC address of both sides on LACPDU messages, which are covered in Blue. See ASAIEE in relevant ports and the LACP port, which is LACP-2 (In this example) is communicating.
Note: For further information, use 'diagnose sniffer packet any "ether proto 0X8809" 6 0 a' and send it to TAC to convert it to a PCAP file.
The sniffer will run indefinitely until it is stopped. To stop the sniffer after use, press Ctrl + C.
The command below can also be used where the LACPDUs are moving between the relevant ports:
diagnose sniffer packet your_aggregate_link
Note: In the cases where no output from the above commands is visible or only the FortiGate LACP link is sending the LACPDU packets, turn on and off the LACP link of the other side to make it work again.
The example below shows a snippet of Wireshark packet capture data of the LACP packet, indicating that the peers have successfully negotiated LACP.
Frame 142: 124 bytes on wire (992 bits), 124 bytes captured (992 bits)
Ethernet II, Src: CiscoMeraki_xx:xx:xx (6c:c3:b2:xx:xx:xx), Dst: Slow-Protocols (yy:yy:yy:yy:yy:yy)
Link Aggregation Control Protocol
LACP Version: 0x01
TLV Type: Actor Information (0x01)
TLV Length: 0x14
Actor System Priority: 32768
Actor System ID: CiscoMeraki_xx:xx:xx (xx:xx:xx:xx:xx:xx)
Actor Key: 20225
Actor Port Priority: 3072
Actor Port: 562
Actor State: 0x3d, LACP Activity, Aggregation, Synchronization, Collecting, Distributing
.... ...1 = LACP Activity: Active
.... ..0. = LACP Timeout: Long Timeout
.... .1.. = Aggregation: Aggregatable
.... 1... = Synchronization: In Sync
...1 .... = Collecting: Enabled
..1. .... = Distributing: Enabled
.0.. .... = Defaulted: No
0... .... = Expired: No
[Actor State Flags: **DCSG*A]
Reserved: 000000
TLV Type: Partner Information (0x02)
TLV Length: 0x14
Partner System Priority: 32768
Partner System: Fortinet_yy:yy:yy (yy:yy:yy:yy:yy:yy)
Partner Key: 33
Partner Port Priority: 3072
Partner Port: 2
Partner State: 0x3d, LACP Activity, Aggregation, Synchronization, Collecting, Distributing
.... ...1 = LACP Activity: Active
.... ..0. = LACP Timeout: Long Timeout
.... .1.. = Aggregation: Aggregatable
.... 1... = Synchronization: In Sync
...1 .... = Collecting: Enabled
..1. .... = Distributing: Enabled
.0.. .... = Defaulted: No
0... .... = Expired: No
[Partner State Flags: **DCSG*A]
***
- Both Actor and Partner States show Synchronization is In Sync.
- Actor State Collecting and Distributing are shown as both Enabled.
- Partner State Collecting and Distributing are both Enabled.
These indications show that both peers are ready to receive and transmit data.
|
