Muhammad_Haiqal
Article Id 197899

Description

It is very common to configure LACP to increase bandwidth and to gain failover capability. LACP combines multiple ports so that they work as one physical cable.

However, in certain scenarios LACP does not work as expected.

Scope

FortiGate.


Solution

The following issues can occur:

  1. Flapping (the port going up and down).
  2. Network intermittence: even pinging the FortiGate interface fails.
  3. The firewall keeps failing over.

An LACP group is considered one physical cable, meaning it is only intended to connect to a single unit, that is, a single 'brain'.

That unit can be either:

  1. A single physical unit.
  2. Several physical units acting as one brain, known as a stack. This is normally configured on switches.

Scenario 1.
On the switch:

  • Port1 and port2 are configured as LACP group 1.
  • Port1 and port2 connect to PC-Syarif, IP address 192.168.1.254.

This gives PC-Syarif 2GB of connectivity.

Scenario 2.
On the switch:

  • Port1 and port2 are configured as LACP group 1.
  • Port1 connects to PC-Syarif, IP address 192.168.1.254.
  • Port2 connects to PC-Jackie, IP address 192.168.1.253.


Refer to the diagram below:

It is not possible for one 'cable' to connect to two PCs at the same time. PC-Syarif and PC-Jackie each have their own brain, not the same brain. STP can take action in this kind of scenario.

Either port1 or port2 will be shut down. This is done to mitigate ARP conflicts, broadcast issues and so on. The action is taken at the switch level. PC-Syarif and PC-Jackie will only notice that their traffic stops flowing, or that the adapter reports the physical cable as disconnected.

Now, replace:
PC-Syarif with FortiGateA.
PC-Jackie with FortiGateB.

Even if the FortiGates are in HA mode (active-passive or active-active), each FortiGate is still considered an individual brain, so there are two brains. When HA is broken, the issue commonly termed 'split brain' can occur: both brains hold the same information, and the network (switch) will start taking action to mitigate this using STP and other measures.

To mitigate this issue, a proper design has to be implemented at the network level: one LACP group is only intended to connect to one unit, or to a stacked unit that acts as one brain.
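The check below is an added example, not part of this Fortinet article, and it uses no FortiOS command output. It models the two scenarios above (and the same mistake made with an HA pair) as a constructed table in which each LACP member port records the LACP partner system ID it learned from its link partner, then flags any LACP group whose members report more than one partner, which is exactly the 'one cable connected to two brains' condition described above. The system IDs and port names are hypothetical.

```python
"""Flag LACP groups whose member ports terminate on different devices.

Added example; not code from the Fortinet article. Input is a constructed
list of member ports, each carrying the LACP partner system ID learned from
its link partner. One LAG should see exactly one partner (one 'brain').
"""
from collections import defaultdict


def find_split_lags(members):
    """Return {lag: sorted partner IDs} for each LAG with more than one partner.

    `members` is a list of dicts with keys: lag, port, partner_system_id.
    A port whose partner_system_id is None has not completed LACP negotiation
    and is ignored for the split check. Healthy LAGs are omitted from the result.
    """
    partners_by_lag = defaultdict(set)
    for m in members:
        pid = m.get("partner_system_id")
        if pid:
            partners_by_lag[m["lag"]].add(pid)
    return {lag: sorted(ids) for lag, ids in partners_by_lag.items() if len(ids) > 1}


def lag_report(members):
    """One status line per LAG, in LAG-name order."""
    split = find_split_lags(members)
    lines = []
    for lag in sorted({m["lag"] for m in members}):
        if lag in split:
            lines.append(
                f"{lag}: SPLIT across partners {', '.join(split[lag])} "
                "(expect STP action, port shutdown, flapping or HA failover)"
            )
        else:
            lines.append(f"{lag}: OK (single partner)")
    return lines


# Constructed data. System IDs use LACP's "priority,MAC" form; MACs are hypothetical.
# Scenario 1: port1 and port2 both go to PC-Syarif (one brain).
SCENARIO_1 = [
    {"lag": "lag1", "port": "port1", "partner_system_id": "32768,00:11:22:aa:aa:aa"},
    {"lag": "lag1", "port": "port2", "partner_system_id": "32768,00:11:22:aa:aa:aa"},
]

# Scenario 2: port1 to PC-Syarif, port2 to PC-Jackie (two brains in one LAG).
SCENARIO_2 = [
    {"lag": "lag1", "port": "port1", "partner_system_id": "32768,00:11:22:aa:aa:aa"},
    {"lag": "lag1", "port": "port2", "partner_system_id": "32768,00:11:22:bb:bb:bb"},
]

# The same mistake with an HA pair: lag1 spans FortiGateA and FortiGateB,
# while lag2 is wired correctly and one of its ports is still negotiating.
HA_MISWIRED = [
    {"lag": "lag1", "port": "port1", "partner_system_id": "32768,00:11:22:c1:c1:c1"},
    {"lag": "lag1", "port": "port2", "partner_system_id": "32768,00:11:22:c2:c2:c2"},
    {"lag": "lag2", "port": "port3", "partner_system_id": "32768,00:11:22:c1:c1:c1"},
    {"lag": "lag2", "port": "port4", "partner_system_id": None},
]

if __name__ == "__main__":
    for name, table in (("scenario 1", SCENARIO_1),
                        ("scenario 2", SCENARIO_2),
                        ("HA miswired", HA_MISWIRED)):
        print(name)
        for line in lag_report(table):
            print("  " + line)
```

The partner system ID is the right key for this check because LACP itself only aggregates links that share the same partner system ID and key; members that see a different partner fall out of the aggregate, which is what shows up as the flapping and failover symptoms listed above. A switch stack presents a single system ID to its partner, so it correctly appears as one brain, matching the article's definition.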

 

Related articles

Technical Tip: High availability basic deployment design

Technical Tip: Initial troubleshooting steps for LACP (Link Aggregation - 802.3ad)