Created on 10-05-2015 12:45 AM. Edited on 04-10-2025 06:49 AM. By Stephen_G.
Description
This article describes the behavior of LACP in an HA cluster.
Scope
FortiGate in HA.
Solution
The scenario is as follows:
An aggregate (LACP) link is configured on both devices, one acting as Primary and the other as Secondary (Active-Passive mode). The aggregate link consists of the primary's designated interfaces and an equal number of the secondary's interfaces.
By default, in this configuration, the Secondary is not permitted to participate in the LACP negotiation. If it were permitted, then, because the MAC address assigned to the cluster is the same for both members, HA could not work. This also applies to an HA cluster in Active-Active mode.
To prevent the Secondary from participating in the LACP negotiation, apply the following commands:
config system interface
    edit <aggregate-interface-name>
        set lacp-ha-secondary disable <---
    next
end
With this configuration, the Secondary unit's aggregate interfaces cannot accept any packets. As a consequence, a failover takes longer, because the Secondary unit must complete an LACP negotiation before it can receive and process packets.
Scenario:
This is a design in which each HA cluster has an LACP link aggregate interface with the same port1 and port2 members. The two clusters connect the members of their LACP interfaces to each other, as shown in the diagram above, so that when one cluster experiences a failover, the new primary on that cluster continues to pass traffic on one active interface while the other member interface of the link aggregate stays passive.
If 'lacp-ha-secondary' is left enabled on either HA cluster and a failover takes place on HA cluster A, the unit that becomes secondary will continue to negotiate LACP with the primary on cluster B after the failover, and primary B will therefore continue to pass traffic to the passive member on cluster A.
The solution in this case is to disable 'lacp-ha-secondary' so that the secondary member of the HA cluster does not negotiate LACP with the primary; the link between the secondary on one cluster and the primary on the remote cluster then goes down, achieving a true Active-Passive deployment.
Note:
In older versions, lacp-ha-slave was used. This has since been replaced with lacp-ha-secondary.
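As an added audit check (not from the article or from Fortinet), the following Python parses a FortiOS-style 'config system interface' dump and lists aggregate interfaces on which the secondary is still allowed to negotiate LACP, honouring both the current 'lacp-ha-secondary' keyword and the legacy 'lacp-ha-slave' one. The config text is constructed for the example; interface names are placeholders.

```python
# Constructed FortiOS-style fragment (not from the article): agg1 uses the current
# keyword, agg2 the legacy one, agg3 is correctly configured, port7 is not an aggregate.
SAMPLE_CONFIG = """\
config system interface
    edit "agg1"
        set type aggregate
        set member "port1" "port2"
        set lacp-ha-secondary enable
    next
    edit "agg2"
        set type aggregate
        set member "port3" "port4"
        set lacp-ha-slave enable
    next
    edit "agg3"
        set type aggregate
        set member "port5" "port6"
        set lacp-ha-secondary disable
    next
    edit "port7"
        set type physical
    next
end
"""
def parse_interfaces(config_text):
    """Map interface name -> {setting: value} for one 'config system interface' block."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            interfaces[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            interfaces[current][key] = value.strip()
        elif line == "next":
            current = None
    return interfaces

def aggregates_allowing_secondary_lacp(config_text):
    """Aggregates whose secondary may still negotiate LACP; only an explicit 'enable' is flagged."""
    flagged = []
    for name, settings in parse_interfaces(config_text).items():
        if settings.get("type") != "aggregate":
            continue
        # Current keyword wins; fall back to the legacy one. An absent setting is
        # assumed to be the default (not permitted) and is not reported.
        value = settings.get("lacp-ha-secondary", settings.get("lacp-ha-slave"))
        if value == "enable":
            flagged.append(name)
    return flagged
```

Run it against the output of 'show system interface' saved from each cluster member; any name it returns is an aggregate that still needs 'set lacp-ha-secondary disable'.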
Copyright 2025 Fortinet, Inc. All Rights Reserved.