Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rpozywak
New Contributor

Created on ‎11-08-2021 04:29 AM

Fortinet 60D's in HA Active/Active Port Channel Problem

I just recently installed two Fortinet 60D's firewalls in HA mode and set to active/active.    On both firewalls ports 6 & 7 are connected to each other for heart beat connection.    On port 5 of both firewalls they are wired into a single Cisco 2960s switch.   On the Fortinet I set port 5 as 802.3 aggerate and on the cisco side I did a port-channel for ports 47 & 48. 

 

What I am noticing is port 47 on cisco is showing up/up and on port 48 its showing suspended.    I have tried a couple of different configurations on the cisco side and I can not get both ports up.   

 

Below is my configuration from Cisco and Fortigate:

 

Cisco:

    Interface Gi 1/0/47 & 48

     Switchport mode trunk

     channel-protocol lacp

     channel-group 1 mode active

 

    Interface Port Channel 1

    switchport mode trunk

 

Cisco Switch is a WS-C2960S-48FPS-L running ver 15.2(2)E9   

 

Fortinet:

config system interface edit "Port Channel" set vdom "root" set allowaccess ping https ssh http set type aggregate set member "internal5" set lldp-transmission enable set role lan set snmp-index 13 next end

 

Firmware:  v6.4.7 build1911 (GA)

 

I am open to suggestions:

 

Thanks,

Richard 

3987
0 Kudos
3 REPLIES 3
quizac
New Contributor

Created on ‎11-08-2021 05:57 AM

Richard,

 

Check LACP PDU frame interval. FG tends to send them every 1s(fast mode) and Cisco's default is usually 30s(slow mode)

3637
0 Kudos
lobstercreed
Valued Contributor

Created on ‎11-08-2021 06:16 AM

That's not how FGTs in HA work (they don't act like a switch stack but more like routers using a redundancy protocol).  You need two different port channels on the Cisco side.  1 for the primary FGT and 1 for the secondary. 

 

At that point there's not really any point in using aggregation in the first place, but if you wanted to add a second interface to each box afterwards you could.

3637
0 Kudos
Kangming
Staff
Staff
In response to lobstercreed

Created on ‎11-08-2021 10:05 AM

May need to be deployed like this:

Fortinet 60D Master  BOND1 Port6&Port7 <====> Cisco 2960s Port Channel 1 Gi 1/0/47 & 48 trunk

Fortinet 60D Backup BOND1 Port6&Port7 <====> Cisco 2960s Port Channel 2 Gi 1/0/45 & 46 trunk

Thanks

Kangming

3637
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.