Hello,
We have a FortiGate 1100 connected to a Cisco NX-3548 with 2 LACP links for WAN internet access. On some heavy network traffic days (three times in six months) both of the LACP links to the Cisco NX get blocked. I am thinking that LACP flapping occurs.
These are 10G fiber connections. Can stock transceivers be a cause of this problem?
Thanks
Hello Rehad
Which FortiOS version?
Did you perform any action to unblock the links, or did they come back on their own once traffic was low again?
Do you have any relevant system logs from FG and Cisco sides at the moment of the outage?
FortiGate firmware version is v7.2.6.
Unfortunately we couldn't get any logs from the FG and Cisco sides because the specialized staff were not present at that time. The only thing we could do was restart the FG. After the restart everything was fine.
Your issue looks quite similar to that one affecting FOS 7.2.6 on FG 1100E.
Probably you will have to wait for the next patch and open a ticket in case there is a workaround. Meanwhile, if the impact is high, you might need to drop the LACP.
861962 | When configuring an 802.3ad aggregate interface with a 1 Gbps speed, the port's LED is off and traffic cannot pass through. Affected platforms: 110xE, 220xE, 330xE, 340xE, and 360xE.
When the problem occurred there were stock transceivers. Current information of this transceiver is as follows:
Interface port25 - SFP/SFP+/SFP28, 10GBASE-SR
Diagnostics : Implemented
Vendor Name : OEM
Part No. : SFP-10G-SR-LL
Serial No. : 202009281816
| Measurement | Unit | Value | High Alarm | High Warning | Low Warning | Low Alarm |
|---|---|---|---|---|---|---|
| Temperature | (Celsius) | 31.6 | 90.0 | 85.0 | -5.0 | -10.0 |
| Voltage | (Volts) | 3.37 | 3.60 | 3.50 | 3.00 | 2.90 |
| Tx Bias | (mA) | 6.89 | 15.00 | 13.00 | 2.00 | 1.00 |
| Rx Power | (dBm) | -40.0 -- | 5.0 | 3.0 | -15.0 | -17.0 |
| Tx Power | (dBm) | -2.6 | 4.0 | 3.0 | -8.0 | -9.0 |
++ : high alarm, + : high warning, - : low warning, -- : low alarm, ? : suspect.
Some figures are not within the limits. Both of the transceivers were stock transceivers. Can this be the cause of the problem?
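The readout above, as an added example (not code from the thread or from Fortinet): a small Python parser for the FortiGate transceiver diagnostic table that recomputes each measurement's status from its own thresholds, so an out-of-range reading such as the Rx Power low alarm is caught even if the ++/--/? markers are overlooked. The sample text is copied from the post; the function and field names are my own.

```python
import re

# Constructed sample: the DOM table from the post above, as printed by the FortiGate CLI.
SAMPLE = """\
Measurement Unit Value High Alarm High Warning Low Warning Low Alarm
------------ ------------ ------------ ------------ ------------ ------------ ------------
Temperature (Celsius) 31.6 90.0 85.0 -5.0 -10.0
Voltage (Volts) 3.37 3.60 3.50 3.00 2.90
Tx Bias (mA) 6.89 15.00 13.00 2.00 1.00
Rx Power (dBm) -40.0 -- 5.0 3.0 -15.0 -17.0
Tx Power (dBm) -2.6 4.0 3.0 -8.0 -9.0
"""

# Status markers the device appends after a value (see the legend line in the readout).
FLAGS = {"++", "+", "-", "--", "?"}
NUMBER = re.compile(r"-?\d+(\.\d+)?")

def parse_dom(text):
    """Parse the diagnostic rows; header, dash and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        toks = line.split()
        # Data rows carry a unit token in parentheses; the other lines do not.
        unit_idx = next((i for i, t in enumerate(toks) if t.startswith("(")), None)
        if unit_idx is None:
            continue
        rest = toks[unit_idx + 1:]
        nums = [float(t) for t in rest if NUMBER.fullmatch(t)]
        if len(nums) != 5:
            continue  # malformed row: expect the value plus four thresholds
        rows.append({
            "name": " ".join(toks[:unit_idx]),
            "unit": toks[unit_idx].strip("()"),
            "flag": next((t for t in rest if t in FLAGS), ""),
            "value": nums[0], "hi_alarm": nums[1], "hi_warn": nums[2],
            "lo_warn": nums[3], "lo_alarm": nums[4],
        })
    return rows

def classify(row):
    """Recompute the status from the thresholds instead of trusting the marker."""
    v = row["value"]
    checks = (("high alarm", v >= row["hi_alarm"]), ("high warning", v >= row["hi_warn"]),
              ("low alarm", v <= row["lo_alarm"]), ("low warning", v <= row["lo_warn"]))
    return next((status for status, hit in checks if hit), "ok")

def out_of_range(text):
    """Return (measurement, status) for every row outside its warning band."""
    return [(r["name"], classify(r)) for r in parse_dom(text) if classify(r) != "ok"]
```

An Rx Power pinned at the receiver's floor, like the -40.0 dBm here, means essentially no light is arriving at that optic, while the Tx Power in the same readout is within limits.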
I don't know if this OEM SFP can cause such an issue or not, but in my experience they generally work fine. However, it is possible that you will not get support from Fortinet on issues related to this SFP, but you can always try.
Thanks AEK,
We may consider dropping LACP because the impact is quite high. But at the moment there are too many firewall policy rules using wan1 (the LAG interface name). Is there a way to keep this wan1 interface and its rules while dropping the LACP?
Thanks Again
Actually I forgot to mention the SD-WAN definition.
The LAG interface wan1 is used in the SD-WAN definition, which has wan1 and wan2. wan2 is not used; there is no physical connection for wan2.
The SD-WAN name (WAN) is used in all of the firewall policy rules.
You may try the Interface Migration utility.
You should try it first in a lab to master the procedure and check that it works fine before going to prod.
Don't forget to take a full backup before the operation.
Do it during a maintenance window (possible downtime).
Thanks a lot, I will try this.