FortiGate
cserna_FTNT
Staff
Article Id 195163

Description

 

This article describes the behavior of LACP in an HA cluster.

Scope

 

FortiGate in HA.


Solution

 

The scenario is described as follows:

An aggregate (LACP) interface is configured on both cluster members, one acting as Primary and the other as Secondary (Active-Passive mode). The aggregate is made up of the designated interfaces on the Primary and the same number of interfaces on the Secondary.

 

In this configuration the Secondary should not participate in the LACP negotiation. If it did, HA could not work, because the MAC address assigned to the cluster is the same on both members and the link partner would be negotiating with two units that present the same identity. The same consideration applies to an HA cluster in Active-Active mode.

 

To prevent the Secondary from participating in the LACP negotiation, apply the following commands:

 

config system interface
    edit <aggregate-interface-name>
        set lacp-ha-secondary disable
    next
end

 

With this setting the Secondary unit's aggregate member interfaces do not accept any packets. The trade-off is a longer failover: after a failover the former Secondary, now the new Primary, must first complete the LACP negotiation with the link partner before it can receive and process traffic.

 

Scenario:

 

(Diagram: ha lacp.PNG, two HA clusters cross-connected through their LACP aggregate members)

 

This is a design where each HA cluster has an LACP Link Aggregate interface with the same members, port1 and port2. The members of the two aggregates are cross-connected between the clusters as shown in the diagram, so that when one cluster fails over, the new primary on that cluster continues to pass traffic on one active member interface while the other member interface of the aggregate stays passive.

 

If 'lacp-ha-secondary' is left enabled on either cluster and a failover takes place on cluster A, the unit that becomes the new Secondary on cluster A keeps negotiating LACP with the Primary on cluster B. Primary B therefore still sees that link as an active aggregate member and continues to forward traffic to what is now the passive unit on cluster A.

 

The solution is to disable 'lacp-ha-secondary' on the aggregate interface of both clusters, so that the Secondary member of each cluster does not negotiate LACP. The link between the Secondary on one cluster and the Primary on the other then stays down, and the deployment is truly Active-Passive.
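As an added example (not part of the original article), the full aggregate configuration for one cluster, with the option from the Solution section applied, followed by the commands used to confirm the LACP state on each member. The aggregate name "LACP-to-B", the VDOM and the IP address are assumptions for illustration; port1 and port2 are the members named above. Cluster B mirrors the same configuration.

```fortios
# Cluster A, entered on the Primary; HA configuration sync pushes it to the Secondary.
# "LACP-to-B", vdom "root" and 10.10.10.1/24 are assumed values.
config system interface
    edit "LACP-to-B"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set type aggregate
        set member "port1" "port2"
        set lacp-mode active
        set lacp-ha-secondary disable
    next
end

# Verification on the Primary: members should show a negotiated LACP partner.
get system ha status
diagnose netlink aggregate name LACP-to-B

# Connect to the Secondary (use "execute ha manage ?" to list member indexes and
# substitute the index and admin account) and repeat the check; with the option
# disabled the Secondary's members should not report a negotiated LACP partner.
execute ha manage <index> admin
diagnose netlink aggregate name LACP-to-B
```

Repeat the same check on both members of cluster B. Only the Primary-to-Primary links should report an active LACP partner; any Secondary member that still shows a partner indicates the option was left enabled on that cluster.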


Note:

In older FortiOS versions the option was named lacp-ha-slave. It has since been renamed lacp-ha-secondary.