Created on 10-12-2004 12:00 AM
Edited on 07-29-2025 07:12 AM by Stephen_G
Description
This article describes the recommended Spanning Tree Protocol settings for network switches connected to an HA cluster.
Maximum age: the time that a bridge stores a spanning tree bridge protocol data unit (BPDU) before discarding it. A maximum age of 20 seconds means it may take 20 seconds before the switch changes a port to the listening state.
Forward delay: the time that a connected port stays in each of the listening and learning states. A forward delay of 15 seconds assumes a maximum network size of seven bridge hops, a maximum of three lost BPDUs, and a hello interval of 2 seconds.
Scope
FortiGate.
Solution
For an active-active HA cluster to be compatible with the spanning tree algorithm, the FGCP requires that the sum of maximum age and forward delay should be less than 20 seconds.
The maximum age and forward delay settings are designed to prevent layer 2 loops.
If there is no possibility of layer 2 loops in the network, it is possible to reduce the forward delay to the minimum value.
For some Dell 3348 switches, the default maximum age is 20 seconds, and the default forward delay is 15 seconds.
In this configuration, the switch cannot work with a FortiGate HA cluster. However, the switch and cluster are compatible if the maximum age is reduced to 10 seconds and the forward delay is reduced to 5 seconds.
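The rule above is easy to check by hand for one switch, but it is worth encoding once and running against every switch that faces the cluster. The block below is an added example, not Fortinet's or Dell's code. It applies the FGCP rule from this article (max age + forward delay under 20 seconds), the IEEE 802.1D-1998 range and relationship constraints on the three timers, which some switches enforce when timers are changed, and the worst-case classic STP convergence time (max age plus two forward delays). The timer values are taken from the article; the function and class names are assumptions.

```python
"""Validate spanning-tree timers on switches facing a FortiGate HA cluster.

Constructed example, not Fortinet's or a switch vendor's code. It encodes:
  - the FGCP guidance from the article: max age + forward delay < 20 s
  - IEEE 802.1D-1998 timer ranges and the clause 8.10.2 relationship
        2*(forward_delay - 1) >= max_age >= 2*(hello_time + 1)
  - the worst-case classic STP convergence time: max_age + 2*forward_delay
"""
from dataclasses import dataclass

FGCP_MAX_TIMER_SUM = 20  # seconds; from the article

# IEEE 802.1D-1998 permitted ranges (seconds)
RANGES = {"hello_time": (1, 10), "max_age": (6, 40), "forward_delay": (4, 30)}


@dataclass(frozen=True)
class StpTimers:
    max_age: int        # seconds a bridge keeps a BPDU before discarding it
    forward_delay: int  # seconds spent in each of listening and learning
    hello_time: int = 2  # seconds between BPDUs from the root bridge


def fgcp_compatible(t: StpTimers) -> bool:
    """FGCP rule: the sum of max age and forward delay must be under 20 s."""
    return t.max_age + t.forward_delay < FGCP_MAX_TIMER_SUM


def in_8021d_ranges(t: StpTimers) -> bool:
    """Each timer must sit inside the range 802.1D allows for it."""
    return all(lo <= getattr(t, name) <= hi for name, (lo, hi) in RANGES.items())


def ieee_8021d_consistent(t: StpTimers) -> bool:
    """802.1D clause 8.10.2: 2*(forward_delay-1) >= max_age >= 2*(hello_time+1).
    Switches that enforce this reject timer pairs that violate it."""
    return 2 * (t.forward_delay - 1) >= t.max_age >= 2 * (t.hello_time + 1)


def classic_stp_convergence(t: StpTimers) -> int:
    """Worst-case seconds before a classic STP port forwards after a change:
    the old BPDU ages out, then the port sits in listening and learning."""
    return t.max_age + 2 * t.forward_delay


def min_forward_delay_for(max_age: int) -> int:
    """Smallest forward delay that keeps 2*(forward_delay-1) >= max_age,
    i.e. forward_delay >= ceil(max_age / 2) + 1."""
    return -(-max_age // 2) + 1


def assess(t: StpTimers) -> dict:
    """Summarise every check for one switch's timer set."""
    return {
        "fgcp_ok": fgcp_compatible(t),
        "ranges_ok": in_8021d_ranges(t),
        "relationship_ok": ieee_8021d_consistent(t),
        "convergence_s": classic_stp_convergence(t),
        "min_forward_delay_for_max_age": min_forward_delay_for(t.max_age),
    }


if __name__ == "__main__":
    # Values from the article: the Dell 3348 defaults and the adjusted pair.
    for label, timers in (("Dell default", StpTimers(20, 15)),
                          ("article adjusted", StpTimers(10, 5))):
        print(label, assess(timers))
```

Run as-is, the Dell defaults fail the FGCP sum rule (35 seconds) with a 50-second worst-case convergence, while the article's 10/5 pair passes it (15 seconds). The relationship check also shows that 10/5 does not satisfy the 802.1D timer relationship; a switch that enforces it will want a forward delay of at least 6 seconds with a max age of 10, which still keeps the sum at 16 seconds.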
Spanning Tree protocol (STP).
Spanning tree protocol is an IEEE 802.1 standard link management protocol for media access control bridges.
STP uses the spanning tree algorithm to provide path redundancy while preventing undesirable loops in a network that are created by multiple active paths between stations.
Loops can be created if there is more than one route between two hosts.
To control path redundancy, STP creates a tree that spans all of the switches in an extended network.
Using the information in the tree, the STP can force redundant paths into a standby, or blocked, state.
The result is that only one active path is available at a time between any two network devices (preventing looping).
Redundant links are used as backups if the initial link should fail.
Without spanning tree in place, it is possible that two connections may be simultaneously live, which could result in an endless loop of traffic on the network.
Bridge Protocol Data Unit (BPDU).
BPDUs are spanning tree data messages exchanged across switches within an extended network.
BPDU packets contain information on ports, addresses, priorities and costs and ensure that the data ends up where it was intended to go.
BPDU messages are exchanged across bridges to detect loops in a network topology.
The loops are then removed by shutting down selected bridge interfaces and placing redundant switch ports in a backup or blocked state.
Rapid Spanning Tree Protocol (RSTP - IEEE 802.1w) and Multiple Spanning Tree Protocol (MSTP - IEEE 802.1s) have largely replaced classic STP in enterprise environments due to their faster convergence.
Modern FortiGate HA deployments are generally compatible with RSTP and MSTP, but it is still necessary to verify specific interoperability with your switch vendor.
Switches now default to RSTP, which does not use the traditional max age and forward delay in the same way as legacy STP. It is still recommended to keep the sum of max age and forward delay below 20 seconds, as per the original FGCP guidance.
Link Aggregation Control Protocol (LACP) is now mainly used with or instead of STP/RSTP for providing redundancy and higher throughput between switches and HA clusters.
These technologies reduce reliance on STP by providing active-active links with failover capabilities.
Recommended actions:
Disable STP on access ports connected to FortiGates if loops are impossible (for example, direct point-to-point connections).
Enable BPDU filtering or protection features to isolate non-switching endpoints.
Monitor HA status with SNMP traps or telemetry.
Debugging commands for the HA and STP processes:
diagnose debug enable <----- Enable debug mode.
diagnose debug application hasync -1 <----- Enable HA synchronization (hasync) debugging.
diagnose debug application hatalk -1 <----- Enable HA heartbeat (hatalk) debugging.
diagnose debug application stpd <----- Enable STP daemon debugging.
diagnose debug disable <----- To disable debugs.