cserna_FTNT
Staff
Article Id 195163

Description

 

This article describes the behavior of LACP in an HA cluster.

Scope

 

FortiGate in HA.


Solution

 

The scenario is described as follows:

An aggregate link (LACP) is configured on both devices, one acting as Primary and the other as Secondary (Active-Passive mode). The aggregate link comprises the Primary's designated interfaces and an equal number of the Secondary's interfaces.

 

By default, in this configuration, the Secondary is not permitted to participate in the LACP negotiation. If it were permitted, then, because the MAC address assigned to the cluster is the same for both members, HA could not work. This situation also applies to an HA cluster in Active-Active mode.

 

To prevent the Secondary from participating in the LACP negotiation, apply the following commands:

 

config system interface
    edit <aggregate-interface-name>
        set lacp-ha-slave disable
    next
end

 

With this configuration, the subordinate unit's interfaces cannot accept any packets. As a consequence, a failover will take more time because the secondary unit must perform an LACP negotiation before being able to receive and process packets.

Note:

For version 7.2.1, lacp-ha-slave has been replaced with lacp-ha-secondary.
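
To check which aggregate interfaces in a configuration backup carry this setting, under either keyword name, the following added example (not Fortinet's code) parses the `config system interface` section and reports the value per aggregate. The sample configuration, interface names and the function name `audit_lacp_ha` are constructed for illustration; `unset` means the keyword is absent from the backup, so the firmware default applies.

```python
# Constructed sample in FortiOS backup syntax (not from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set type physical
    next
    edit "agg-lan"
        set type aggregate
        set member "port3" "port4"
        set lacp-ha-slave disable
    next
    edit "agg-wan"
        set type aggregate
        set member "port5" "port6"
    next
    edit "agg-dmz"
        set type aggregate
        set lacp-ha-secondary enable
    next
end
"""

# Keyword before 7.2.1 and its replacement, both named in the article.
LACP_HA_KEYS = ("lacp-ha-slave", "lacp-ha-secondary")


def audit_lacp_ha(config_text):
    """Map each aggregate interface to 'enable', 'disable' or 'unset'."""
    results, settings, name = {}, {}, None
    depth, in_section = 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                in_section = line == "config system interface"
        elif line == "end":
            depth -= 1
        elif in_section and depth == 1:  # ignore nested config blocks
            if line.startswith("edit "):
                name, settings = line[5:].strip().strip('"'), {}
            elif line.startswith("set ") and name is not None:
                parts = line.split(None, 2)
                if len(parts) == 3:
                    settings[parts[1]] = parts[2]
            elif line == "next" and name is not None:
                if settings.get("type") == "aggregate":
                    results[name] = next(
                        (settings[k] for k in LACP_HA_KEYS if k in settings), "unset")
                name = None
    return results
```

Run it against the backup of each cluster to confirm the aggregates facing LACP-speaking switches have the intended value before testing a failover.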