BitCube1
New Contributor

LACP with Nexus switch

Hi,

 

I am trying to set up a LAG between a FortiGate 1200D cluster and two Cisco Nexus switches.

But I cannot get the aggregation online.

 

Our setup looks as follows:

(diagram: mindiagram.jpg)

I know this setup is a little uncommon, because normally you would connect the FortiGates to both switches, but because of limitations of the Nexus switch this is not possible.

 

The Nexus switches are both configured with their own port-channel (po3 and po4). The port-channel on the second switch (only connected to the passive firewall) is, as expected, not up. But the port-channel on the first switch (connected to the active firewall) doesn't come online either.

 

On the switch we see that the FortiGate doesn't send any LACP packets:

switch1# show lacp counters

NOTE: Clear lacp counters to get accurate statistics

------------------------------------------------------------------------------
                 LACPDUs        Markers/Resp LACPDUs
Port            Sent Recv       Recv Sent Pkts Err
------------------------------------------------------------------------------

port-channel3

Ethernet1/5     107  0          0    0    0
Ethernet1/6     106  0          0    0    0

On the other switch the Recv counter is also 0.

 

A diagnostic on the FortiGate shows the following:

fortigate (vdom) # diag netlink aggregate name LAGIF
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: down
npu: y
flush: n
asic helper: y
oid: 179
ports: 2
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: fast
LACP HA: disable
aggregator ID: 1
actor key: 33
actor MAC address: e8:1c:ba:ba:b4:b0
partner key: 1
partner MAC address: 00:00:00:00:00:00

slave: port33
  index: 0
  link status: up
  link failure count: 1
  permanent MAC addr: e8:1c:ba:ba:b4:b0
  LACP state: negotiating
  actor state: AFAIDD
  actor port number/key/priority: 1 33 255
  partner state: AFIODD
  partner port number/key/priority: 1 1 255
  partner system: 65168 00:00:00:00:00:00
  aggregator ID: 1
  speed/duplex: 10000 1
  RX state: DEFAULTED 5
  MUX state: ATTACHED 3

slave: port34
  index: 1
  link status: up
  link failure count: 1
  permanent MAC addr: e8:1c:ba:ba:b4:b1
  LACP state: negotiating
  actor state: AFAODD
  actor port number/key/priority: 2 33 255
  partner state: AFIODD
  partner port number/key/priority: 1 1 255
  partner system: 65168 00:00:00:00:00:00
  aggregator ID: 2
  speed/duplex: 10000 1
  RX state: DEFAULTED 5
  MUX state: WAITING 2

 

I am quite surprised that the partner's MAC address is empty, but I am unsure what causes this.

We have the following configuration on the FortiGate:

config system interface
  edit "LAGIF"
    set vdom "vdom"
    set type aggregate
    set member "port33" "port34"
    set device-identification enable
    set lldp-reception enable
    set lldp-transmission enable
    set role lan
    set snmp-index 48
    set lacp-ha-slave disable
    set lacp-speed fast
  next
end

 

And this is the configuration on the switch:

interface port-channel3
  description fortigate1
  switchport mode trunk
  switchport trunk allowed vlan 107

interface Ethernet1/5
  description fortigate1 - Port34
  lacp rate fast
  switchport mode trunk
  switchport trunk allowed vlan 107
  channel-group 3 mode passive

interface Ethernet1/6
  description fortigate1 - Port33
  lacp rate fast
  switchport mode trunk
  switchport trunk allowed vlan 107
  channel-group 3 mode passive

 

I have been stuck on this issue for several weeks now. Could anyone point out what I am doing wrong or what I am forgetting to do?

 

Thanks in advance!

 

/ Richard
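The following is an added example for this thread, not part of the original post and not Fortinet code. It parses the per-slave fields from the `diag netlink aggregate` dump quoted above, expands the six-letter LACP state string using the legend FortiOS prints at the top of that output, and gives a per-port verdict; a second helper combines `show lacp counters`-style numbers from both ends of a link, which is the Sent > 0 / Recv 0 pattern seen on the switch. `SAMPLE` is a constructed, trimmed copy of the posted output, and the verdict labels and the FortiGate-side counter value in `main` are this example's own assumptions.

```python
"""Decode a FortiGate `diag netlink aggregate name <ifname>` dump (added example)."""

# Constructed sample: trimmed copy of the slave blocks quoted in the post.
SAMPLE = """\
status: down
partner MAC address: 00:00:00:00:00:00

slave: port33
  link status: up
  actor state: AFAIDD
  partner state: AFIODD
  partner system: 65168 00:00:00:00:00:00
  RX state: DEFAULTED 5
  MUX state: ATTACHED 3

slave: port34
  link status: up
  actor state: AFAODD
  partner state: AFIODD
  partner system: 65168 00:00:00:00:00:00
  RX state: DEFAULTED 5
  MUX state: WAITING 2
"""

ZERO_MAC = "00:00:00:00:00:00"
# Legend FortiOS prints above the dump: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
FLAG_NAMES = ("activity", "timeout", "aggregation", "sync", "collecting", "distributing")
FLAG_VALUES = {
    "activity": {"A": "active", "P": "passive"},
    "timeout": {"S": "slow", "F": "fast"},
    "aggregation": {"A": "aggregatable", "I": "individual"},
    "sync": {"I": "in-sync", "O": "out-of-sync"},
    "collecting": {"E": "enabled", "D": "disabled"},
    "distributing": {"E": "enabled", "D": "disabled"},
}
# Verdict labels are this example's own names, not FortiOS terms.
EXPLANATIONS = {
    "link-down": "physical link is down; fix layer 1 first",
    "no-lacpdu-received": "link is up but no LACPDU ever arrived (RX DEFAULTED, partner "
                          "system MAC all zeros): check cable/DAC/optics and that the far end "
                          "runs LACP (active or passive, not a static channel) before touching "
                          "keys or VLANs",
    "partner-out-of-sync": "peer answers but will not sync: compare keys, speed/duplex, lacp rate",
    "attached-but-not-forwarding": "negotiated but collecting/distributing still disabled",
    "ok": "port is forwarding in the aggregate",
}


def decode_state(flags):
    """Expand e.g. 'AFAIDD' into a dict of named LACP state bits."""
    if len(flags) != 6:
        raise ValueError("expected a 6-character LACP state string: %r" % flags)
    return {name: FLAG_VALUES[name][ch] for name, ch in zip(FLAG_NAMES, flags)}


def parse_aggregate(text):
    """Return {'status': ..., 'slaves': {port: {...}}} from the diag dump."""
    agg = {"status": None, "slaves": {}}
    slave = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "slave":
            slave = {"partner_mac": None}
            agg["slaves"][value] = slave
        elif slave is None:
            if key == "status":
                agg["status"] = value
        elif key == "link status":
            slave["link"] = value
        elif key == "actor state":
            slave["actor"] = decode_state(value)
        elif key == "partner state":
            slave["partner"] = decode_state(value)
        elif key == "partner system":
            slave["partner_mac"] = value.split()[-1]  # "<priority> <system MAC>"
        elif key in ("RX state", "MUX state"):
            slave[key.split()[0].lower() + "_state"] = value.split()[0]
    return agg


def diagnose(agg):
    """Per-slave verdict, checked in the order a practitioner would."""
    verdicts = []
    for name, s in agg["slaves"].items():
        actor = s.get("actor", {})
        if s.get("link") != "up":
            verdict = "link-down"
        elif s.get("rx_state") == "DEFAULTED" or s.get("partner_mac") == ZERO_MAC:
            verdict = "no-lacpdu-received"  # partner info is the 802.3ad default
        elif s["partner"]["sync"] == "out-of-sync":
            verdict = "partner-out-of-sync"
        elif actor.get("collecting") != "enabled" or actor.get("distributing") != "enabled":
            verdict = "attached-but-not-forwarding"
        else:
            verdict = "ok"
        verdicts.append((name, verdict))
    return verdicts


def classify_lacpdu_counters(local_sent, local_recv, remote_sent, remote_recv):
    """Combine LACPDU Sent/Recv counters read on both ends of one link."""
    if local_sent == 0 and remote_sent == 0:
        return "nobody-transmits"  # both ends passive or static: nobody starts LACP
    if local_sent > 0 and remote_sent > 0 and local_recv == 0 and remote_recv == 0:
        return "lost-in-transit"  # both talk, neither hears: layer 1 or wrong port
    if local_sent > 0 and remote_recv == 0:
        return "local-to-remote-broken"
    if remote_sent > 0 and local_recv == 0:
        return "remote-to-local-broken"
    return "flowing"


if __name__ == "__main__":
    agg = parse_aggregate(SAMPLE)
    print("aggregate status:", agg["status"])
    for port, verdict in diagnose(agg):
        print("%s: %s (%s)" % (port, verdict, EXPLANATIONS[verdict]))
    # Switch side from the post: Sent 107 / Recv 0; the FortiGate-side Sent
    # value 100 is an assumed placeholder (the post only says TX is high).
    print(classify_lacpdu_counters(107, 0, 100, 0))
```

Run against the posted dump, both ports come out as `no-lacpdu-received`: the actor is Active (so the FortiGate is transmitting), yet the partner system MAC is still the all-zero default and the RX machine sits in DEFAULTED. Combined with Sent > 0 / Recv 0 on the switch, that points at frames not crossing the link rather than at keys, VLANs or the active/passive setting.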

sagha
Staff

Hello Richard, 

I would suggest going through this article to collect the diagnostics: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Initial-troubleshooting-steps-for-LACP-Lin...

 

Thank you,

Shahan Agha

ConnyGustavsson
New Contributor III

Hi. Looks like the Fortiswitch has LACP "active" and in Nexus it is "passive". Try changing the Nexus ports to "channel-group .. mode on". Why do you use two port-channels between the switches? With this setup one of the connections will be STP blocked (on the VLAN). If you use MC-LAG / vPC all interfaces will be in the same port-channel and you will have double capacity in between and no STP issues.

/C

BitCube1

We have two port-channels because it was not possible to do layer 3 over vPC. Between the FortiGates and the switches we use BGP.

 

Today I looked at it together with a Fortinet engineer. Both devices (Nexus and the FortiGate) have a high TX but RX is 0. It looks like the (Twinax) DAC cables we use are the problem here. Once we have replaced the cables we will know for sure.

 

/ Richard