Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IsmaTIC
New Contributor

Created on ‎10-05-2022 06:27 AM Edited on ‎10-05-2022 06:28 AM

Connectivity problem in scenario FGT200F HA(A-P) and Nexus 3548

Hello! I am not able to do a single ping to any of the VLANs on the trunk even when everything is up. need help.
The goal is to maintain a trunk to L2.
Each Fortigate has its own port-channel. LACP A-P.

 

Attached representative physical diagram.

IsmaTIC_0-1664967482480.png

Attached representative logic diagram; 1 Trunk for 5 vlans with a gw each.

IsmaTIC_4-1664970624345.png

 

 

Nexus config...

SWT01SWT02
interface Ethernet1/21
description FGT01-X1
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
channel-group 40 mode passive
no shutdown		interface Ethernet1/21
description FGT01-X2
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
channel-group 40 mode passive
no shutdown
interface Ethernet1/22
description FGT02-X1
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
channel-group 50 mode active
no shutdown		interface Ethernet1/22
description FGT02-X2
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
channel-group 50 mode active
no shutdown
interface port-channel40
speed 10000
description VPC Trunk to FGT01
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
vpc 40
interface port-channel40
speed 10000
description VPC Trunk to FGT01
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
vpc 40
interface port-channel50
speed 10000
description VPC Trunk to FGT02
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
vpc 50

interface port-channel50
speed 10000
description VPC Trunk to FGT02
switchport mode trunk
switchport trunk allowed vlan 2,11,99-101
vpc 50

 show port-channel summary

IsmaTIC_2-1664969563793.png

All UP (interfaces, portchannel,vPC)

show port-channel summary
IsmaTIC_1-1664969504013.png

All UP (interfaces, portchannel,vPC)

 

 

 

Fortigates

FGTAE_HA1 # show system interface LAN
config system interface
edit "LAN"
set vdom "root"
set allowaccess ping https http
set type aggregate
set member "x1" "x2"
set device-identification enable
set lldp-transmission enable
set monitor-bandwidth enable
set role lan
set snmp-index 39
next
end

FGTAE_HA1 # show system interface x1
config system interface
edit "x1"
set vdom "root"
set type physical
set snmp-index 11
next
end

FGTAE_HA1 # show system interface x2
config system interface
edit "x2"
set vdom "root"
set type physical
set snmp-index 12
next
end

 

Any ideas?

 

Labels:
615
0 Kudos
3 REPLIES 3
jintrah_FTNT
Staff
Staff

Created on ‎10-05-2022 06:45 AM

hi,

Vlan interfaces on FortiGate 'LAN' interface is the gateway for the vlans? Ping is from which source to which destination? Could you post the output of #diag netlink aggregate name LAN from *both* FortiGates?

 

Best regards,

Jin

608
0 Kudos
IsmaTIC
New Contributor
In response to jintrah_FTNT

Created on ‎10-05-2022 07:22 AM

LAN is the trunk that contains the gw of each vlan.

IsmaTIC_1-1664978743167.png

FGT to host (vlan100) > No ping

Host to FGT(100.252) > No ping

 

something more direct:

Nexus(99.190) to FGT(99.252) > No ping

FGT(99.252) to Nexus(99.190)> No ping

 

"diagnose netlink aggregate name LAN" the second is a passive slave

FGTAE_HA1 # diagnose netlink aggregate name LAN
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled

status: up
npu: y
flush: n
asic helper: y
oid: 89
ports: 2
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 2
actor key: 33
actor MAC address: ac:71:2e:87:b8:1a
partner key: 32808
partner MAC address: 00:23:04:ee:be:01

member: x1
index: 0
link status: up
link failure count: 4
permanent MAC addr: ac:71:2e:87:b8:1a
LACP state: established
actor state: ASAIEE
actor port number/key/priority: 1 33 255
partner state: PSAIEE
partner port number/key/priority: 277 32808 32768
partner system: 8192 00:23:04:ee:be:01
aggregator ID: 2
speed/duplex: 10000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4

member: x2
index: 1
link status: up
link failure count: 1
permanent MAC addr: ac:71:2e:87:b8:1b
LACP state: established
actor state: ASAIEE
actor port number/key/priority: 2 33 255
partner state: PSAIEE
partner port number/key/priority: 16661 32808 32768
partner system: 8192 00:23:04:ee:be:01
aggregator ID: 2
speed/duplex: 10000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4

 

Thanks

605
0 Kudos
gfleming
Staff
Staff
In response to IsmaTIC

Created on ‎10-05-2022 11:08 AM

Do you have two vPC domains? Why are you using VPC 40 and VPC 50?

 

Can you show us the Nexus config for your VPC domain(s)? As well as your vPC Peer Link config.

Cheers,
Graham
588
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.