When connecting the FortiGate to the Cisco switch, I noticed that the LAG port on the FortiGate is consistently down. Do you know how to resolve this issue? Thank you.
Below are the FortiGate details:
config system interface
edit "to-Cisco"
set vdom "root"
set ip 192.168.192.2 255.255.255.0
set allowaccess ping fabric
set type aggregate
set member "port5" "port6"
set device-identification enable
set device-user-identification disable
set role lan
set snmp-index 12
next
end
diag netlink aggregate list
List of 802.3ad link aggregation interfaces:
1 name fortilink status down algorithm L4 lacp-mode active
2 name to-Cisco status down algorithm L4 lacp-mode active
diag netlink interface list to-Cisco
if=to-Cisco family=00 type=1 index=19 mtu=1500 link=0 master=0
ref=21 state=start present no_carrier fw_flags=8800 flags=up broadcast master multicast
Qdisc=noqueue hw_addr=00:15:5d:bd:9a:08 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=92092 txp=5264 rxb=24443268 txb=635935 rxe=0 txe=0 rxd=0 txd=0 mc=92092 collision=0 @ time=1733488413
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=7 arp_entry=0 refcnt=21
The Cisco information:
interface Port-channel1
description to-Fortigate
switchport trunk native vlan 192
switchport mode trunk
interface GigabitEthernet1/0/23
switchport trunk native vlan 192
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
interface GigabitEthernet1/0/24
switchport trunk native vlan 192
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
interface Vlan192
ip address 192.168.192.1 255.255.255.0
Hi,
Can you run this on the switch side:
show etherchannel 1 port-channel
Here is the information:
show etherchannel 1 port-channel
Port-channels in the group:
---------------------------
Port-channel: Po1 (Primary Aggregator)
------------
Age of the Port-channel = 0d:06h:24m:18s
Logical slot/port = 5/1 Number of ports = 0
HotStandBy port = null
Port state = Port-channel Ag-Not-Inuse
Protocol = LACP
Port security = Disabled
I would have expected to see Eth1/0/23 and /24 in that output...
Can you try deleting the fortilink LAG created by default on the FGT and see if it changes status?
Here is the Eth1/0/23 and /24 output; after deleting the default fortilink, the status still seems to be down.
GigabitEthernet1/0/24 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 189b.5b97.9918 (bia 189b.5b97.9918)
MTU 9198 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 14000 bits/sec, 7 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
46326 packets output, 8720346 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
GigabitEthernet1/0/23 is up, line protocol is up (connected)
Hardware is Gigabit Ethernet, address is 189b.5b97.9917 (bia 189b.5b97.9917)
MTU 9198 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 14000 bits/sec, 7 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
46319 packets output, 8713914 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Created on 12-06-2024 05:15 AM Edited on 12-06-2024 05:16 AM
I can see that jumbo MTU is configured on the Cisco side on port Gi1/0/24. Can you confirm that it is also the case for Gi1/0/23 and for port5 and port6 on the FortiGate side?
You can check on the FGT side with: diag netlink interface list <NIC name>
Looks like I cannot change the interface's MTU.
(port5) # set
*vdom Interface is in this virtual domain (VDOM).
distance Distance for routes learned through PPPoE or DHCP, lower distance indicates preferred route.
priority Priority of learned routes.
dhcp-relay-source-ip IP address used by the DHCP relay as its source IP.
dhcp-relay-circuit-id DHCP relay circuit ID.
dhcp-classless-route-addition Enable/disable addition of classless static routes retrieved from DHCP server.
dhcp-client-identifier DHCP client identifier.
dhcp-renew-time DHCP renew time in seconds (300-604800), 0 means use the renew time provided by the server.
dns-server-override Enable/disable use DNS acquired by DHCP or PPPoE.
dns-server-protocol DNS transport protocols.
macaddr Change the interface's MAC address.
speed Interface speed. The default setting and the options available depend on the interface hardware.
status Bring the interface up or shut the interface down.
type Interface type.
ring-rx RX ring size.
ring-tx TX ring size.
netflow-sample-rate NetFlow sample rate. Sample one packet every configured number of packets
(1 - 65535, default = 1, which means standard NetFlow where all packets are sampled).
src-check Enable/disable source IP check.
description Description.
alias Alias will be displayed with the interface name to make it easier to distinguish.
ike-saml-server Configure IKE authentication SAML server.
estimated-upstream-bandwidth Estimated maximum upstream bandwidth (kbps). Used to estimate link utilization.
estimated-downstream-bandwidth Estimated maximum downstream bandwidth (kbps). Used to estimate link utilization.
measured-upstream-bandwidth Measured upstream bandwidth (kbps).
measured-downstream-bandwidth Measured downstream bandwidth (kbps).
bandwidth-measure-time Bandwidth measure time.
monitor-bandwidth Enable monitoring bandwidth on this interface.
role Interface role.
snmp-index Permanent SNMP Index of the interface.
preserve-session-route Enable/disable preservation of session route when dirty.
ap-discover Enable/disable automatic registration of unknown FortiAP devices.
switch-controller-mgmt-vlan VLAN to use for FortiLink management purposes.
switch-controller-igmp-snooping-proxy Switch controller IGMP snooping proxy.
switch-controller-igmp-snooping-fast-leave Switch controller IGMP snooping fast-leave.
swc-first-create Initial create for switch-controller VLANs.
eap-supplicant Enable/disable EAP-Supplicant.
diag netlink interface list port5 port6
if=port5 family=00 type=1 index=8 mtu=1500 link=0 master=0
ref=75 state=start present fw_flags=0 flags=up broadcast run noarp slave multicast
Qdisc=mq hw_addr=00:15:5d:bd:9a:08 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=5473 txp=3944 rxb=798264 txb=480667 rxe=0 txe=0 rxd=0 txd=0 mc=5473 collision=0 @ time=1733527008
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=3 arp_entry=0 refcnt=75
if=port6 family=00 type=1 index=9 mtu=1500 link=0 master=0
ref=75 state=start present fw_flags=0 flags=up broadcast run noarp slave multicast
Qdisc=mq hw_addr=00:15:5d:bd:9a:08 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=107157 txp=3937 rxb=24954296 txb=479776 rxe=0 txe=0 rxd=0 txd=0 mc=107157 collision=0 @ time=1733527008
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0
input_type=0 state=3 arp_entry=0 refcnt=75
Hi @52000cc,
Could you please run this CLI command?
diag netlink aggregate name to-Cisco
diag netlink aggregate name to-Cisco
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled
status: down
npu: n
flush: n
asic helper: y
ports: 1
link-up-delay: 50ms
min-links: 1
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 3
actor key: 17
actor MAC address: 00:15:5d:bd:9a:08
partner key: 1
partner MAC address: 00:00:00:00:00:00
member: port5
index: 0
link status: up
link failure count: 0
permanent MAC addr: 00:15:5d:bd:9a:08
LACP state: negotiating
LACPDUs RX/TX: 0/353
actor state: ASAIDD
actor port number/key/priority: 1 17 255
partner state: ASIODD
partner port number/key/priority: 1 1 255
partner system: 65535 00:00:00:00:00:00
aggregator ID: 3
speed/duplex: 1000 1
RX state: DEFAULTED 5
MUX state: ATTACHED 3
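The `diag netlink aggregate name` output above is the most useful artifact in the thread, but the six-character state strings are easy to misread. The following is an added example, not code from the original thread or from Fortinet: it embeds the member block posted above as a constructed sample, decodes the actor and partner LACP flags in the order the FortiOS legend gives, (A|P)(S|F)(A|I)(I|O)(E|D)(E|D), and reports the findings a practitioner would pull out of this output. The function names and the `SAMPLE` text are this example's own.

```python
"""Decode a FortiGate `diag netlink aggregate name <lag>` member block.

Added example (not from the thread or from Fortinet). The sample below is
constructed from the output posted in the thread; only the lines the
checks need are kept.
"""

# Constructed sample: member block from the thread's "to-Cisco" output.
SAMPLE = """\
status: down
ports: 1
min-links: 1
LACP mode: active
partner MAC address: 00:00:00:00:00:00
member: port5
index: 0
link status: up
link failure count: 0
LACP state: negotiating
LACPDUs RX/TX: 0/353
actor state: ASAIDD
partner state: ASIODD
partner system: 65535 00:00:00:00:00:00
RX state: DEFAULTED 5
MUX state: ATTACHED 3
"""

# Flag positions and meanings, in the order of the FortiOS legend.
FLAG_NAMES = ("activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing")
FLAG_VALUES = (
    {"A": "active", "P": "passive"},
    {"S": "slow", "F": "fast"},
    {"A": "aggregatable", "I": "individual"},
    {"I": "in sync", "O": "out of sync"},
    {"E": "enabled", "D": "disabled"},
    {"E": "enabled", "D": "disabled"},
)


def decode_lacp_state(flags):
    """Turn a six-character string such as 'ASIODD' into named LACP bits."""
    if len(flags) != 6:
        raise ValueError(f"expected 6 flag characters, got {flags!r}")
    decoded = {}
    for name, table, ch in zip(FLAG_NAMES, FLAG_VALUES, flags):
        if ch not in table:
            raise ValueError(f"bad {name} flag {ch!r} in {flags!r}")
        decoded[name] = table[ch]
    return decoded


def parse_aggregate(text):
    """Collect 'key: value' lines into a dict; first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in fields:
            fields[key.strip()] = value.strip()
    rx, tx = (int(n) for n in fields["LACPDUs RX/TX"].split("/"))
    fields["lacpdu_rx"] = rx
    fields["lacpdu_tx"] = tx
    return fields


def diagnose(fields):
    """Return the findings that explain why this member is not forwarding."""
    findings = []
    actor = decode_lacp_state(fields["actor state"])
    partner = decode_lacp_state(fields["partner state"])
    rx_state = fields["RX state"].split()[0]
    partner_mac = fields["partner system"].split()[-1]

    # The single strongest signal: we send LACPDUs but never receive any.
    if fields["lacpdu_tx"] > 0 and fields["lacpdu_rx"] == 0:
        findings.append("one-way LACP: LACPDUs are transmitted but none are received")
    # DEFAULTED means the receive machine timed out and is using assumed partner values.
    if rx_state == "DEFAULTED":
        findings.append("RX state DEFAULTED: no partner LACPDU within the timeout")
    if partner_mac == "00:00:00:00:00:00":
        findings.append("partner system MAC is all zeros: no peer identity learned")
    if partner["synchronization"] == "out of sync":
        findings.append("partner out of sync: collecting/distributing cannot be enabled")
    if actor["collecting"] == "disabled" or actor["distributing"] == "disabled":
        findings.append("actor not collecting/distributing: link is up but carries no traffic")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_aggregate(SAMPLE)):
        print("-", finding)
```

Read together with the Cisco side, the findings line up: the FortiGate counts 353 LACPDUs transmitted and 0 received, while both Gi1/0/23 and Gi1/0/24 report 0 packets input, so the switch is not seeing the FortiGate's frames either. One more observation on the thread's data: the 00:15:5d prefix on port5, port6 and the aggregate is Microsoft's OUI, used by Hyper-V virtual NICs, so whether the virtual switch in between passes LACP (slow-protocol) frames through to the physical ports is worth checking before the MTU question.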