FortiGate
sfernando (Staff)
Article Id 325942
Description

This article describes LACP (Link Aggregation Control Protocol) on FortiGate. LACP is a network protocol used to combine multiple physical links into a single logical link to increase bandwidth and provide redundancy.

This process is known as link aggregation or port bundling. When a FortiGate takes part in LACP, the aggregate is usually a link to a switch, which can be a FortiSwitch or a third-party switch.

 

Related document:

https://help.fortinet.com/fadc/4-0-2/html-e/Content/Quick_Start/Link_Aggregation.htm

Scope

FortiGate.

Solution

The basic troubleshooting command for LACP is:

diag netlink aggregate name FGT_aggregate_link


More detailed information about this command, and how to identify the status of the link from its output, is in this related KB article:

Technical Tip: Initial troubleshooting steps for LACP (Link Aggregation - 802.3ad)


Once the LACP link has been identified as down while the attached physical ports are up, do the following.


  1. Check that the following parameters match on both ends.

  1.1. LACP Mode:
    • Active Mode: The device initiates LACP negotiation by sending LACP packets.
    • Passive Mode: The device responds to LACP packets but does not initiate them.

Ensure that at least one end is set to Active mode; both ends may be Active. If both ends are in Passive mode, the link will not come up, as neither side will initiate LACP packets.

  1.2. Speed and Duplex Settings: Both devices must have matching speeds (e.g., 1 Gbps, 10 Gbps) and duplex settings (full duplex). Mismatched speed or duplex settings can cause the link to fail or flap.

  1.3. Port Configuration: All physical interfaces that are part of the LACP group must be configured consistently. This includes:
    • VLAN settings.
    • STP (Spanning Tree Protocol) settings.
    • Port security settings.
    Ensure that these settings are identical across all aggregated ports.

  1.4. LACP System Priority: A numerical value used to determine which device is the controlling system in the LACP negotiation. Matching it is not always necessary, but mismatched priorities affect which device takes precedence in LACP negotiations.

  1.5. LACP Port Priority: Each port in the LACP group has a port priority value. Matching these values is important for determining which ports will be active in the case of a link failure.

  1.6. LACP Timeout: LACP has two timeout values: short (1 second) and long (30 seconds). Both devices should use the same timeout value to ensure timely detection of link failures.

  1.7. Number of Links: The number of physical links aggregated must match on both devices. If one device has more links configured for LACP than the other, the additional links will not be used.

  1.8. Hash Algorithm: LACP uses a hash algorithm to determine how traffic is distributed across the aggregated links. Ensure that both devices use compatible hash algorithms to prevent issues with traffic distribution. Common hash algorithms include:
    • Source MAC address.
    • Destination MAC address.
    • Source and destination MAC address.


Below is the FortiGate LACP configuration, annotated with the points above. The third-party device will not name its parameters identically, but its LACP configuration can still be checked against each of these settings:

 

config system interface
    edit "TEST LACP"
        set vlanforward disable           <----- Point #1.3.
        set stpforward disable            <----- Point #1.3.
        set security-mode none            <----- Point #1.3.
        set priority 1                    <----- Point #1.4.
        set idle-timeout 0                <----- Point #1.6.
        set lacp-mode active              <----- Point #1.1.
        set system-id-type auto           <----- Point #1.5.
        set lacp-speed slow               <----- Point #1.2.
        set min-links 1                   <----- Point #1.7.
        set min-links-down operational    <----- Point #1.7.
        set algorithm L4                  <----- Point #1.8.
    next
end


If the above parameters match and 'diag netlink aggregate name your_aggregate_link' still shows the status as down, run the command below; the output should look like the screenshot that follows:

 

diagnose sniffer packet any "ether proto 0X8809" 4 0 l

 

[Image LACP1.png: sniffer output of the LACPDU frames captured by the command above]

 

If the two devices are communicating properly, the MAC addresses of both sides are visible in the LACPDU messages (highlighted in blue). ASAIEE is shown on the relevant ports, and the LACP port (LACP-2 in this example) is communicating.
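As an added example (not from this article or from Fortinet), the Python below builds and decodes LACPDU frames of the kind the 'ether proto 0x8809' sniffer captures, then compares one frame from each side against the checklist in point 1: LACP mode (both passive), LACP timeout mismatch, and whether the FortiGate has learned the peer in its partner TLV at all (the one-way case the notes describe). The per-port state bits it decodes are the flags FortiGate summarises as a letter string such as ASAIEE; all MAC addresses, priorities and keys are constructed sample values.

```python
import struct
LACP_ETHERTYPE, LACP_SUBTYPE = 0x8809, 1        # "ether proto 0x8809", slow-protocols subtype 1 = LACP
# 802.1AX actor/partner state byte, bit 0 first; timeout bit set means the short (1 s) timeout
STATE_BITS = ("activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired")
def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw): return ":".join("%02x" % b for b in raw)

def build_lacpdu(src_mac, actor, partner):
    """Assemble a version-1 LACPDU frame from dicts of TLV fields (constructed sample data)."""
    def tlv(tlv_type, p):
        state = sum(1 << i for i, n in enumerate(STATE_BITS) if p.get(n))
        return struct.pack("!BBH6sHHHB3x", tlv_type, 20, p["sys_prio"], mac_bytes(p["sys_mac"]),
                           p["key"], p["port_prio"], p["port"], state)
    pdu = bytes([LACP_SUBTYPE, 1]) + tlv(1, actor) + tlv(2, partner)
    pdu += struct.pack("!BBH12x", 3, 16, 0) + bytes(52)  # collector TLV, terminator TLV, reserved
    return mac_bytes("01:80:c2:00:00:02") + mac_bytes(src_mac) + struct.pack("!H", LACP_ETHERTYPE) + pdu

def parse_lacpdu(frame):
    """Decode the actor and partner TLVs of one LACPDU frame into plain dicts."""
    if struct.unpack("!H", frame[12:14])[0] != LACP_ETHERTYPE or frame[14] != LACP_SUBTYPE:
        raise ValueError("not an LACP frame")
    out, off = {"src_mac": mac_str(frame[6:12])}, 16
    for name, want in (("actor", 1), ("partner", 2)):
        t, ln, prio, mac, key, pprio, port, state = struct.unpack("!BBH6sHHHB", frame[off:off + 17])
        if (t, ln) != (want, 20):
            raise ValueError("malformed %s TLV" % name)
        out[name] = {"sys_prio": prio, "sys_mac": mac_str(mac), "key": key, "port_prio": pprio,
                     "port": port, **{n: bool(state & (1 << i)) for i, n in enumerate(STATE_BITS)}}
        off += 20
    return out

def diagnose(fgt_frame, peer_frame):
    """Compare one LACPDU from each side and list the checklist mismatches that keep a bundle down."""
    fgt, peer = parse_lacpdu(fgt_frame), parse_lacpdu(peer_frame)
    a, b, issues = fgt["actor"], peer["actor"], []
    if not a["activity"] and not b["activity"]:
        issues.append("both ends passive: neither side initiates LACP")
    if a["timeout"] != b["timeout"]:
        issues.append("LACP timeout mismatch (short vs long)")
    if fgt["partner"]["sys_mac"] != b["sys_mac"]:
        issues.append("FortiGate has not learned the peer as partner: peer LACPDUs are not arriving")
    return issues

# Constructed sample: FortiGate active/long timeout, switch passive/short timeout, FortiGate partner TLV still empty
FGT = {"sys_prio": 1, "sys_mac": "02:00:00:00:00:01", "key": 1, "port_prio": 255, "port": 2,
       "activity": True, "aggregation": True}
SWITCH = {"sys_prio": 32768, "sys_mac": "02:00:00:00:00:02", "key": 10, "port_prio": 32768,
          "port": 7, "timeout": True, "aggregation": True}
EMPTY = {"sys_prio": 0, "sys_mac": "00:00:00:00:00:00", "key": 0, "port_prio": 0, "port": 0}
FGT_FRAME = build_lacpdu(FGT["sys_mac"], FGT, EMPTY)
SWITCH_FRAME = build_lacpdu(SWITCH["sys_mac"], SWITCH, FGT)
```

Calling diagnose(FGT_FRAME, SWITCH_FRAME) on the sample reports the timeout mismatch and the missing partner; fix both (switch on slow timeout, FortiGate carrying the switch in its partner TLV) and the list is empty.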

 

Note:

For further information, run 'diagnose sniffer packet any "ether proto 0X8809" 6 0 a' and send the output to TAC, who can convert it to a PCAP file.

 

The command below can also be used to see which ports the LACPDUs are moving between:

 

diag sniffer packet FGT_aggregate_link

 

[Image LACP2.png: sniffer output on the aggregate interface showing LACPDUs on its member ports]

 

Note:

In cases where the above commands show no output, or only the FortiGate side is sending LACPDU packets, disable and re-enable the LACP link on the other side to bring it up again.
