|
The issue occurs in environments using LAG interfaces between FortiGate in HA and Cisco Nexus configured in vPC pairs.
During the events, the Cisco side reports interfaces going down and up for 3 seconds, while the FortiGate side continues to show link status as up with no recorded log entries or system events.
- The L1 OSI status on FortiGate remains normal.
On Cisco Nexus:
2025 Jan 14 10:21:01 %ETHPORT-5-IF_DOWN_INITIALIZING: Interface Ethernet1/25 (...) is down (Initializing)
2025 Jan 14 10:21:04 %ETHPORT-5-IF_UP: Interface Ethernet1/25 (...) is up in mode trunk
On FortiGate:
- No interface down events in 'diagnose netlink aggregate name <LAG>'.
- Optical signal and interface counters are normal.
Switch error counters:
rx_over_err :263500
rx_over_err :2032
Under heavy load, LACPDU frames may experience delayed or dropped handling in NP7 if the NP queue prioritization or message queue mode is not properly configured.
Two contributing factors are identified:
- htab-msg-queue not set to dedicated.
- Incomplete np-queue configuration after upgrades from FortiOS 7.x, which can deprioritize LACP traffic (EtherType 0x8809).
As a result, FortiGate fails to process incoming LACPDU frames in time, while the Cisco Nexus peer interprets the delay as a link loss and triggers a port-channel reinitialization (flap).
Workaround 1: Enable a Dedicated Message Queue.
Allocate a dedicated queue to improve reliability of LACP frame processing:
config system npu
set htab-msg-queue dedicated
end
Workaround 2: Restore Default NP-Queue Configuration.
Ensure that LACP EtherType 8809 is prioritized.
config system npu
config np-queues
config ethernet-type
edit "LACP"
set type 8809
set queue 9
next
edit "HA-SESSYNC"
set type 8892
set queue 11
next
edit "BGP"
set protocol 6
set sport 179
set dport 179
set queue 9
next
edit "IKE"
set protocol 17
set sport 500
set dport 500
set queue 11
next
end
end
end
Next step:
config system npu
set dedicated-lacp-queue enable
end
Upgrade to v7.4.x for long term stability.
|
