FortiGate
Article Id 197899

Description


This article describes a common cause of LACP problems. LACP (802.3ad link aggregation) is very commonly configured to increase bandwidth and provide link failover: it combines multiple physical ports into one logical link that behaves like a single physical cable.

However, in certain scenarios LACP does not work as expected.

 

Scope

 

FortiGate.


Solution


The symptoms that can occur are as follows:

  1. Link flapping (the ports go up and down).
  2. Intermittent connectivity: even a ping to the FortiGate interface does not work.
  3. The firewall keeps failing over.

An LACP group is treated as one physical cable. This means it is only intended to connect to one unit, or one 'brain'.

A 'brain' can be either of the following:

  1. A single physical unit.
  2. Several physical units that act as one unit, known as a stack. This is normally configured on the switch side; to LACP, a stack looks like a single device.

Scenario 1.
On the switch:

  • Port1 and port2 are configured as LACP group 1.
  • Port1 and port2 connect to PC-Syarif, IP address 192.168.1.254.

This gives PC-Syarif 2 Gbps of aggregate bandwidth (two 1 Gbps links). Note that LACP distributes traffic per flow across the member links, so a single flow is still limited to the speed of one member link.

Scenario 2.
On the switch:

  • Port1 and port2 are configured as LACP group 1.
  • Port1 connects to PC-Syarif, IP address 192.168.1.254.
  • Port2 connects to PC-Jackie, IP address 192.168.1.253.

Refer to the diagram below:

 
It is not possible for one 'cable' to connect to two PCs at the same time.
PC-Syarif and PC-Jackie have individual brains, not the same brain. The LACPDUs received on port1 and port2 carry two different partner system IDs, so the switch cannot bundle both ports into one group, and STP can also take action in this scenario.

Either port1 or port2 will be shut down (or left out of the group).
This is done to prevent MAC/ARP conflicts, broadcast loops, and so on.
The action is taken at the switch level.
PC-Syarif and PC-Jackie only notice that their traffic stops flowing, or that the link on the adapter is down.

Now, replace:
PC-Syarif with FortiGate A.
PC-Jackie with FortiGate B.

Even when the FortiGates are in HA mode (active-passive or active-active), each FortiGate is still a separate device, so from the switch's point of view the two units are still two individual brains.
When HA breaks, the condition commonly called 'split brain' can occur: both units believe they are the primary and both present the same addresses to the network, so the switch starts taking action (STP and other measures) to deal with what looks like one device connected on two sets of ports.

To avoid this issue, the design has to be correct at the network level:
one LACP group is only intended to connect to one unit, or to a stacked unit that acts as one brain. In a FortiGate HA cluster this means each cluster member gets its own LACP group on the switch (for example, port1 and port2 to FortiGate A, port3 and port4 to FortiGate B), and each FortiGate aggregate interface connects to a single switch or switch stack. On the FortiGate, 'diagnose netlink aggregate name <aggregate-interface>' shows the LACP status of the member ports, including the partner details, and can be used to confirm which device each member port is actually negotiating with.
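As an added illustration (not from the original article, and not FortiGate or switch code), the following Python model of the LACP link-selection rule shows why Scenario 2 and the one-group-to-two-FortiGates design fail while Scenario 1 and the one-group-per-unit design work. All port names, partner System IDs and keys are constructed for the example.

```python
"""Toy model of the 802.1AX (LACP) link-selection rule.

Added illustration only; this is not FortiGate or switch code. It models the
rule that a switch can only bundle member ports whose received LACPDUs carry
the same partner System ID (a MAC-based identifier of the far-end device)
and the same partner key. All port names, System IDs and keys below are
constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lacpdu:
    """The partner fields a switch port learns from the LACPDUs it receives."""
    port: str
    partner_system_id: str  # identifies the far-end 'brain' (MAC-based)
    partner_key: int        # far-end aggregation key


def select_links(lacpdus):
    """Return (bundled, left_out) for the member ports of one LACP group.

    The first port seen defines the aggregator's partner. Any later port whose
    partner System ID or key differs cannot join the same aggregator and is
    left out, which a real switch reports as suspended or individual.
    """
    bundled, left_out = [], []
    reference = None
    for pdu in lacpdus:
        ident = (pdu.partner_system_id, pdu.partner_key)
        if reference is None:
            reference = ident
        if ident == reference:
            bundled.append(pdu.port)
        else:
            left_out.append(pdu.port)
    return bundled, left_out


def audit_lags(lags):
    """Return the names of LACP groups whose members hear more than one partner.

    lags maps a switch LACP group name to the LACPDUs seen on its member ports.
    More than one distinct partner means one 'cable' is plugged into two brains.
    """
    bad = []
    for name, pdus in lags.items():
        partners = {(p.partner_system_id, p.partner_key) for p in pdus}
        if len(partners) > 1:
            bad.append(name)
    return bad


# Constructed System IDs (IANA documentation MAC range): one per device.
# A switch stack would likewise advertise a single System ID for all members.
PC_SYARIF = "00:00:5e:00:53:01"
PC_JACKIE = "00:00:5e:00:53:02"
FGT_A = "00:00:5e:00:53:0a"
FGT_B = "00:00:5e:00:53:0b"

# Scenario 1: both ports hear PC-Syarif, so both bundle.
SCENARIO_1 = [Lacpdu("port1", PC_SYARIF, 1), Lacpdu("port2", PC_SYARIF, 1)]

# Scenario 2: port2 hears PC-Jackie, so it is left out of the group.
SCENARIO_2 = [Lacpdu("port1", PC_SYARIF, 1), Lacpdu("port2", PC_JACKIE, 1)]

# Wrong HA design: one group spanning FortiGate A and FortiGate B.
WRONG_DESIGN = {
    "lacp-group-1": [Lacpdu("port1", FGT_A, 1), Lacpdu("port2", FGT_B, 1)],
}

# Correct HA design: one group per cluster member.
CORRECT_DESIGN = {
    "lacp-group-1": [Lacpdu("port1", FGT_A, 1), Lacpdu("port2", FGT_A, 1)],
    "lacp-group-2": [Lacpdu("port3", FGT_B, 1), Lacpdu("port4", FGT_B, 1)],
}

if __name__ == "__main__":
    print("scenario 1:", select_links(SCENARIO_1))
    print("scenario 2:", select_links(SCENARIO_2))
    print("wrong design, bad groups:", audit_lags(WRONG_DESIGN))
    print("correct design, bad groups:", audit_lags(CORRECT_DESIGN))
```

The model deliberately ignores the actor side and the LACP state machines; the only thing it captures is the selection rule that matters here: ports land in the same aggregator only when the far end is the same device, so a group cabled to two separate brains can never come up as one link.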

 

Related articles:

Technical Tip: High availability basic deployment design

Technical Tip: Initial troubleshooting steps for LACP (Link Aggregation - 802.3ad)

Technical Tip: High Availability Split Brain