Adolfo_Z_H
Staff
Article Id 388293
Description

This article describes how to avoid or resolve a FortiLink trunk failure after upgrading FortiOS with FortiLink-enabled FortiSwitches to 7.6.1.

Scope

FortiGate v7.6.1 and below.

Solution

Due to FortiLink protocol improvements, new behavior was introduced in FortiGate v7.6.1.

The FortiLink discovery process, which discovers, auto-configures, and maintains the FortiLink trunk between the FortiGate and the FortiSwitch, was previously based on FortiLink Ethernet packets; it now uses LLDP-based discovery. As a result, a FortiGate with a FortiLink-enabled interface may retain certain old default settings and carry them into the newer release's configuration, resulting in a FortiLink trunk failure.

One or more FortiLink trunk members may lose LACP synchronization, causing packet loss, and/or all FortiSwitches may lose their management sessions to the FortiGate.

Use the following command in the FortiGate CLI to identify out-of-sync ports on the FortiLink interface:

diagnose netlink aggregate name fortilink

member: X1
index: 1
link status: up
link failure count: 1
permanent MAC addr: 84:39:8f:XX:XX:XX
LACP state: negotiating <-------
LACPDUs RX/TX: 287/381
actor state: ASAIDD <------
actor port number/key/priority: 2 17 255
partner state: ASIODD <------
partner port number/key/priority: 1 1 255
partner system: 65535 00:00:00:00:00:00
aggregator ID: 2
speed/duplex: 1000 1
RX state: DEFAULTED 5
MUX state: ATTACHED 3
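As an added example that is not part of this article, the following Python checker parses the output of that command (collected from the CLI and pasted or piped in) and flags members showing the symptoms above. The sample input is constructed from the article's output plus an assumed healthy member, and treating "established" as the healthy LACP state is an assumption.

```python
# Constructed sample output of `diagnose netlink aggregate name fortilink`.
# Member X1 reproduces the out-of-sync port shown in this article; member X2
# is an assumed healthy port (its values are constructed, not from the page).
SAMPLE = """\
member: X1
LACP state: negotiating
actor state: ASAIDD
partner state: ASIODD
partner system: 65535 00:00:00:00:00:00
RX state: DEFAULTED 5
MUX state: ATTACHED 3

member: X2
LACP state: established
partner system: 255 e8:1c:ba:00:00:01
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4
"""

def parse_members(text):
    """Split the diag output into one {field: value} dict per trunk member."""
    members, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")  # first colon only; MACs keep theirs
        key, value = key.strip(), value.strip()
        if key == "member":
            current = {"member": value}
            members.append(current)
        elif current is not None:
            current[key] = value
    return members

def out_of_sync(member):
    """Return the reasons a member looks out of LACP sync (empty list = healthy)."""
    reasons = []
    if member.get("LACP state") != "established":  # assumed healthy value
        reasons.append("LACP state " + member.get("LACP state", "?"))
    if member.get("RX state", "").startswith("DEFAULTED"):
        reasons.append("RX state DEFAULTED: no LACPDUs received from partner")
    if member.get("partner system", "").endswith("00:00:00:00:00:00"):
        reasons.append("partner system MAC is all zero: partner unknown")
    return reasons

def report(text):
    """Map each member name to its list of out-of-sync reasons."""
    return {m["member"]: out_of_sync(m) for m in parse_members(text)}
```

Any member with a non-empty reason list is a candidate for the configuration fix described in the next section.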


To avoid or resolve this issue, ensure the following new best practices are configured on the FortiLink interface before upgrading FortiGate and FortiSwitch Tier1 units.

config system interface
    edit "fortilink" <----- FortiLink-enabled interface name.
        set type aggregate <----- Aggregate is the only recommended FortiLink interface type when an MCLAG-ICL-enabled FortiSwitch is in use.
        set lacp-mode static <----- If static is displayed, change it to active.
        set lldp-reception enable <----- If this line is not displayed, LLDP reception (lldp-rx) is disabled; add the line to enable it.
        set lldp-transmission enable <----- If this line is not displayed, LLDP transmission (lldp-tx) is disabled; add the line to enable it.
        set fortilink-neighbor-detect fortilink <------ Change to lldp.
        set monitor-bandwidth enable <----- Change to disable.
        set fortilink-split-interface disable <----- Change to enable, so that MCLAG-ICL-enabled peer FortiSwitches are ready to upgrade.
    next
end

Applying these settings prevents the issue, or resolves it if it has already occurred.

Refer to the following articles for LACP trunk troubleshooting and for best practices when upgrading FortiOS with FortiLink-enabled FortiSwitches:

Technical Tip: Initial troubleshooting steps for LACP (Link Aggregation - 802.3ad)

Technical Tip: Upgrading FortiOS with FortiLink-enabled FortiSwitches