We have two WAN links from two different ISPs coming into our active/passive HA pair of FortiGate 300Es running v7.4.7 build2731 (Mature).
Currently there is no aggregation or load balancing in place. They are just two separate circuits, and one isn't really being utilized much day to day.
In an effort to improve that, I am working toward implementing SD-WAN on the FortiGates. To minimize downtime, I am setting up new links for the SD-WAN zone on unused ports.
We only have one port available from the ISP router at present, so we have to run through a layer 2 switch in order to provide service to both FortiGates. The plan is to replace the single switch with a stacked pair to eliminate that switch as a single point of failure. While waiting for the stacked switches to be available, I've set things up as shown in the attached diagram so I can continue getting things prepared.
However, the 802.3ad agg link I created on the FortiGate doesn't seem to be working as it isn't pingable even from the layer 2 switch that is directly connected.
The config for the agg link on the FortiGate is:
config system interface
    edit "LUMEN_ISP_AGG"
        set vdom "root"
        set ip 216.248.xxx.108 255.255.255.240
        set allowaccess ping
        set type aggregate
        set member "port5" "port7"
        set estimated-upstream-bandwidth 1000
        set estimated-downstream-bandwidth 1000
        set role wan
        set snmp-index 82
        set ip-managed-by-fortiipam disable
    next
end
Running "diag netlink aggregate name LUMEN_ISP_AGG" on the FortiGate gives me the following.
HA1-300E (root) # diag netlink aggregate name LUMEN_ISP_AGG
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled
status: up
npu: y
flush: n
asic helper: y
oid: 216
ports: 2
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 4
actor key: 17
actor MAC address: e8:1c:ba:e5:a2:fc
partner key: 2
partner MAC address: f0:25:72:fd:91:00
member: port5
index: 0
link status: up
link failure count: 0
permanent MAC addr: e8:1c:ba:e5:a2:fc
LACP state: established
LACPDUs RX/TX: 1838/1683
actor state: ASAIEE
actor port number/key/priority: 1 17 255
partner state: ASAIEE
partner port number/key/priority: 262 2 32768
partner system: 32768 f0:25:72:fd:91:00
aggregator ID: 4
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4
member: port7
index: 1
link status: up
link failure count: 0
permanent MAC addr: e8:1c:ba:e5:a2:fe
LACP state: established
LACPDUs RX/TX: 1840/1683
actor state: ASAIEE
actor port number/key/priority: 2 17 255
partner state: ASAIEE
partner port number/key/priority: 263 2 32768
partner system: 32768 f0:25:72:fd:91:00
aggregator ID: 4
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4
and running a packet sniff shows LACPDUs
HA1-300E (root) # diag sniffer packet LUMEN_ISP_AGG "ether proto 0x8809" 6 0 a
interfaces=[LUMEN_ISP_AGG]
filters=[ether proto 0x8809]
2025-04-15 16:56:33.989204 LUMEN_ISP_AGG -- 802.3ad LACPDU (32768,F0-25-72-FD-91-00,0002,32768,0263) ASAIEE (65535,E8-1C-BA-E5-A2-FC,0017,0255,0002) ASAIEE
0x0000 0180 c200 0002 f025 72fd 9106 8809 0101 .......%r.......
0x0010 0114 8000 f025 72fd 9100 0002 8000 0107 .....%r.........
0x0020 3d00 0000 0214 ffff e81c bae5 a2fc 0011 =...............
0x0030 00ff 0002 3d00 0000 0310 8000 0000 0000 ....=...........
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070 0000 0000 0000 0000 0000 0000 ............
2025-04-15 16:56:46.586739 LUMEN_ISP_AGG -- 802.3ad LACPDU (32768,F0-25-72-FD-91-00,0002,32768,0262) ASAIEE (65535,E8-1C-BA-E5-A2-FC,0017,0255,0001) ASAIEE
0x0000 0180 c200 0002 f025 72fd 9105 8809 0101 .......%r.......
0x0010 0114 8000 f025 72fd 9100 0002 8000 0106 .....%r.........
0x0020 3d00 0000 0214 ffff e81c bae5 a2fc 0011 =...............
0x0030 00ff 0001 3d00 0000 0310 8000 0000 0000 ....=...........
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070 0000 0000 0000 0000 0000 0000 ............
2025-04-15 16:57:01.750867 LUMEN_ISP_AGG -- 802.3ad LACPDU (32768,F0-25-72-FD-91-00,0002,32768,0263) ASAIEE (65535,E8-1C-BA-E5-A2-FC,0017,0255,0002) ASAIEE
0x0000 0180 c200 0002 f025 72fd 9106 8809 0101 .......%r.......
0x0010 0114 8000 f025 72fd 9100 0002 8000 0107 .....%r.........
0x0020 3d00 0000 0214 ffff e81c bae5 a2fc 0011 =...............
0x0030 00ff 0002 3d00 0000 0310 8000 0000 0000 ....=...........
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070 0000 0000 0000 0000 0000 0000 ............
but that's as far as I'm getting at this point.
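As an added example (not code from the original post, Fortinet or the poster), the following script rebuilds the first LACPDU from the verbosity-6 hex dump above and decodes it field by field against IEEE 802.3ad/802.1AX: Ethernet header, Actor and Partner information TLVs, and the state byte rendered with the same (A|P)(S|F)(A|I)(I|O)(E|D)(E|D) letters that `diag netlink aggregate` prints. It assumes the sniffer's dump layout (an `0xNNNN` offset, up to eight 4-digit hex words, then an ASCII column that never itself looks like a hex word); the sample bytes are copied from the post's capture.

```python
import re
from dataclasses import dataclass

# Constructed from the first LACPDU frame in the post's sniffer output.
SAMPLE_DUMP = """\
0x0000 0180 c200 0002 f025 72fd 9106 8809 0101 .......%r.......
0x0010 0114 8000 f025 72fd 9100 0002 8000 0107 .....%r.........
0x0020 3d00 0000 0214 ffff e81c bae5 a2fc 0011 =...............
0x0030 00ff 0002 3d00 0000 0310 8000 0000 0000 ....=...........
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070 0000 0000 0000 0000 0000 0000 ............
"""

ETHERTYPE_SLOW_PROTOCOLS = 0x8809   # the "ether proto 0x8809" sniffer filter
LACP_SUBTYPE = 0x01
HEX_LINE = re.compile(r"^0x([0-9a-fA-F]{4})\s+(.*)$")
HEX_WORD = re.compile(r"[0-9a-fA-F]{4}")


def parse_hex_dump(dump: str) -> bytes:
    """Rebuild raw frame bytes from 'offset  hex-words  ascii' sniffer lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset {m.group(1)} does not follow {len(out)} bytes")
        words = []
        for tok in m.group(2).split():
            # At most 8 hex words per line; the ASCII column (assumed never to
            # look like a 4-digit hex word) ends the run on a short final line.
            if len(words) == 8 or not HEX_WORD.fullmatch(tok):
                break
            words.append(tok)
        out += bytes.fromhex("".join(words))
    return bytes(out)


@dataclass
class LacpInfo:
    """Actor or Partner information TLV (IEEE 802.1AX 6.4.2.3)."""
    system_priority: int
    system_mac: str
    key: int
    port_priority: int
    port: int
    state: int

    def flags(self) -> str:
        """State bits in the order 'diag netlink aggregate' prints them."""
        s = self.state
        return ("A" if s & 0x01 else "P") + ("F" if s & 0x02 else "S") + \
               ("A" if s & 0x04 else "I") + ("I" if s & 0x08 else "O") + \
               ("E" if s & 0x10 else "D") + ("E" if s & 0x20 else "D")


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _parse_info(body: bytes) -> LacpInfo:
    # body = sys_prio(2) sys_mac(6) key(2) port_prio(2) port(2) state(1) reserved(3)
    return LacpInfo(int.from_bytes(body[0:2], "big"), _mac(body[2:8]),
                    int.from_bytes(body[8:10], "big"), int.from_bytes(body[10:12], "big"),
                    int.from_bytes(body[12:14], "big"), body[14])


def decode_lacpdu(frame: bytes) -> dict:
    """Walk the Ethernet header and LACP TLVs; returns MACs, actor, partner, collector delay."""
    if int.from_bytes(frame[12:14], "big") != ETHERTYPE_SLOW_PROTOCOLS or frame[14] != LACP_SUBTYPE:
        raise ValueError("not an LACPDU")
    pdu = {"dst": _mac(frame[0:6]), "src": _mac(frame[6:12]), "version": frame[15]}
    pos = 16
    while pos + 2 <= len(frame):
        ttype, tlen = frame[pos], frame[pos + 1]
        if ttype == 0 or tlen < 2:          # terminator TLV (or malformed length)
            break
        body = frame[pos + 2:pos + tlen]
        if ttype == 1:
            pdu["actor"] = _parse_info(body)
        elif ttype == 2:
            pdu["partner"] = _parse_info(body)
        elif ttype == 3:
            pdu["collector_max_delay"] = int.from_bytes(body[0:2], "big")
        pos += tlen
    return pdu


def aggregate_health(pdu: dict) -> list:
    """Problems visible in one LACPDU; empty means both ends agree the port is bundled."""
    problems = []
    for side in ("actor", "partner"):
        info = pdu[side]
        f = info.flags()
        if f[3] != "I":
            problems.append(f"{side} out of sync")
        if f[4:6] != "EE":
            problems.append(f"{side} not collecting/distributing")
        if info.state & 0x40:
            problems.append(f"{side} defaulted (no LACPDUs received from peer)")
        if info.state & 0x80:
            problems.append(f"{side} expired")
    return problems


if __name__ == "__main__":
    pdu = decode_lacpdu(parse_hex_dump(SAMPLE_DUMP))
    for side in ("actor", "partner"):
        i = pdu[side]
        print(f"{side}: sys {i.system_priority},{i.system_mac} key {i.key} "
              f"port {i.port_priority}/{i.port} state {i.flags()}")
    print("problems:", aggregate_health(pdu) or "none")
```

Run against the post's capture, both TLVs carry state 0x3d, which decodes to ASAIEE: active, slow timeout, aggregatable, in sync, collecting and distributing, with neither the defaulted nor the expired bit set. That is the same picture `diag netlink aggregate` gives, so the bundle itself has formed; an LACP state this clean says nothing about whether the neighbour can resolve the /28 address on top of it, which is where the troubleshooting has to move next.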
Created on 04-17-2025 02:45 PM Edited on 04-17-2025 03:04 PM
To be able to ping 216.248.xxx.108/28, your C2960 has to resolve the destination IP to a MAC address. Without having one of the /28 IPs configured on the VLAN, the switch can't know where to send the ARP request (broadcast) to get the MAC address.
And you likely have a default gateway configured on the switch. So your ping packet to the FGT's IP, which is unknown to the switch, would be sent to the gateway IP/device instead.
Toshi