Hello,
We have a Fortigate 1100 connected to a Cisco NX-3548 with 2 LACP links for WAN internet access. On some heavy network traffic days (three times in six months), both LACP links to the Cisco NX get blocked. I am thinking that LACP flapping occurs.
These are 10G fiber connections. Can stock transceivers be a cause of this problem?
Thanks
I have read the Fortigate document about the interface integration wizard; unfortunately, the explanation below says that we can't do this operation:
"The interface migration wizard does not support turning an aggregate, software switch, redundant, zone, or SD-WAN zone interface back into a physical interface."
What I am thinking: I will use another port for WAN internet access. I will create each firewall rule one by one for this new port (it will take some time but it's doable). I will disable the old connections (SD-WAN, LACP, etc.) and move to this new port.
Yes, you can do so.
To speed up the change you can use a CLI script, so you can do it much faster.
Just make a good plan and test it in your lab.
OK thanks, I will use CLI scripts.
Have you resolved your problem?
We are experiencing something that looks the same.
We have an LACP communication problem with a 600E.
LACP doesn't go down, it is always up, but we have traffic instability.
If we ping the gateway using this LACP (while being in the same VLAN), we are losing a lot of pings... like an ARP poisoning problem or ARP conflict... but there is none; everything has been verified.
BUT! If we hard reboot the cluster (by unplugging the power cable, not only the reboot button in the GUI), the problem is resolved UNTIL a LACP member is down for a moment (by manually shutting down the port by CLI or physically unplugging it from the switch).
When this happens, all the problems come back until we hard reboot the cluster again...
Very strange behavior...
Hi jpcastilloux,
We understood that the root of the problem was some DDoS attacks. The instability happens under heavy internet traffic. We have two ISPs for Internet connection. One is primary and the other secondary. To minimize the incoming internet traffic we have switched the ISPs and selected the slower one as the first priority. The slower ISP's speed is 1 Gbit/sec.
After this we haven't faced any problem on the LACP link.
We had planned to remove the LACP, but as we didn't have a problem anymore we didn't do that.
Also, I have to mention that the ISP that we have selected as the first priority has better infrastructure for preventing DDoS attacks.