FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 195163



This article describes the behavior of LACP in an HA cluster.



FortiGate in HA.



The scenario is described as follows:

An aggregate link (LACP) is configured on both devices acting one as Master and the other one as Slave (Active - Passive mode). The aggregate link is comprised of the master's designated interfaces and an equal number of the slave's interfaces.


By default, in this configuration, it is not permitted for the Slave to participate in the LACP negotiation. In case it would be permitted and taking into account that the MAC address assigned to the cluster is the same for both members, then the HA could not work.  This situation also applies to an HA cluster in Active–Active mode. 


To prevent the Slave from participating in the LACP negotiation, apply the following commands:


config system interface

    edit <aggregate-interface-name>
        set lacp-ha-slave disable




With this configuration, the subordinate unit's interfaces cannot accept any packets. As a consequence, a failover will take more time because the slave unit must perform an LACP negotiation before being able to receive and process packets.


For version 7.2.1, lacp-ha-slave has been replaced with lacp-ha-secondary.