Hello,
we have LACP configured with two ports on each of the two nodes of an A-A cluster. I noticed that the etherchannel has different aggregator IDs on the Fortigate and also acts as a secondary aggregator on the Cisco (6509E). Each node in the FG cluster is configured with its own etherchannel.

    FGT100D-HA1 (root) # diag netlink aggregate name MAINLINK-LACP
    LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
    (A|P) - LACP mode is Active or Passive
    (S|F) - LACP speed is Slow or Fast
    (A|I) - Aggregatable or Individual
    (I|O) - Port In sync or Out of sync
    (E|D) - Frame collection is Enabled or Disabled
    (E|D) - Frame distribution is Enabled or Disabled

    status: up
    ports: 2
    link-up-delay: 50ms
    min-links: 1
    ha: master
    distribution algorithm: L4
    LACP mode: active
    LACP speed: slow
    LACP HA: enable
    aggregator ID: 1
    actor key: 17
    actor MAC address: 00:09:0f:ac:98:5e
    partner key: 101
    partner MAC address: ec:30:91:e1:03:40

    slave: port3
      link status: up
      link failure count: 0
      permanent MAC addr: 00:09:0f:ac:98:5e
      LACP state: established
      actor state: ASAIEE
      actor port number/key/priority: 1 17 255
      partner state: ASAIEE
      partner port number/key/priority: 773 101 32768
      partner system: 32768 ec:30:91:e1:03:40
      aggregator ID: 1
      speed/duplex: 100 1
      RX state: CURRENT 6
      MUX state: COLLECTING_DISTRIBUTING 4

    slave: port4
      link status: up
      link failure count: 0
      permanent MAC addr: 00:09:0f:ac:98:5f
      LACP state: established
      actor state: ASAIEE
      actor port number/key/priority: 2 9 255
      partner state: ASAIEE
      partner port number/key/priority: 1029 101 32768
      partner system: 32768 ec:30:91:e1:03:40
      aggregator ID: 2
      speed/duplex: 100 1
      RX state: CURRENT 6
      MUX state: COLLECTING_DISTRIBUTING 4

Ports configuration:

    FGT100D-HA1 (interface) # ed port4
    FGT100D-HA1 (port4) # show
    config system interface
        edit "port4"
            set vdom "ROUTER"
            set type physical
            set snmp-index 12
        next
    end
    FGT100D-HA1 (port4) # next
    FGT100D-HA1 (interface) # ed port3
    FGT100D-HA1 (port3) # show
    config system interface
        edit "port3"
            set vdom "ROUTER"
            set type physical
            set snmp-index 10
        next
    end
    FGT100D-HA1 (port3) # next
    FGT100D-HA1 (interface) # ed MAINLINK-LACP
    FGT100D-HA1 (MAINLINK-LACP) # show
    config system interface
        edit "MAINLINK-LACP"
            set vdom "ROUTER"
            set allowaccess ping capwap
            set vlanforward enable
            set type aggregate
            set member "port3" "port4"
            set snmp-index 20
        next
    end

Cisco configuration:

    interface GigabitEthernet3/4
     description FORTIGATE-HA1
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 6,153-155,210,240,242-247,250,260,270,280
     switchport trunk allowed vlan add 291-295,302,303,400-403
     switchport mode trunk
     channel-group 101 mode active
    end

    core#sh ru int g4/4
    Building configuration...

    Current configuration : 327 bytes
    !
    interface GigabitEthernet4/4
     description FORTIGATE-HA1
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 6,153-155,210,240,242-247,250,260,270,280
     switchport trunk allowed vlan add 291-295,302,303,400-403
     switchport mode trunk
     channel-group 101 mode active
    end

    core#sh etherchannel 101 detail
    Group state = L2
    Ports: 2   Maxports = 16
    Port-channels: 2 Max Port-channels = 16
    Protocol:   LACP
    Minimum Links: 0
                    Ports in the group:
                    -------------------
    Port: Gi3/4
    ------------

    Port state    = Up Mstr In-Bndl
    Channel group = 101         Mode = Active      Gcchange = -
    Port-channel  = Po101       GC   =   -         Pseudo port-channel = Po101
    Port index    = 0           Load = 0xFF        Protocol =   LACP
    Mode = LACP

    Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
            A - Device is in active mode.        P - Device is in passive mode.

    Local information:
                             LACP port   Admin   Oper    Port     Port
    Port     Flags   State   Priority    Key     Key     Number   State
    Gi3/4    SA      bndl    32768       0x65    0x65    0x305    0x3D

    Partner's information:
             Partner  Partner  LACP Partner   Partner    Partner   Partner      Partner
    Port     Flags    State    Port Priority  Admin Key  Oper Key  Port Number  Port State
    Gi3/4    SA       bndl     255            0x0        0x11      0x1          0x3D

    Age of the port in the current state: 19d:09h:03m:08s

    Port: Gi4/4
    ------------

    Port state    = Up Mstr In-Bndl
    Channel group = 101         Mode = Active      Gcchange = -
    Port-channel  = Po101A      GC   =   -         Pseudo port-channel = Po101
    Port index    = 0           Load = 0xFF        Protocol =   LACP
    Mode = LACP

    Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
            A - Device is in active mode.        P - Device is in passive mode.

    Local information:
                             LACP port   Admin   Oper    Port     Port
    Port     Flags   State   Priority    Key     Key     Number   State
    Gi4/4    SA      bndl    32768       0x65    0x65    0x405    0x3D

    Partner's information:
             Partner  Partner  LACP Partner   Partner    Partner   Partner      Partner
    Port     Flags    State    Port Priority  Admin Key  Oper Key  Port Number  Port State
    Gi4/4    SA       bndl     255            0x0        0x9       0x2          0x3D

    Age of the port in the current state: 19d:09h:03m:09s

                    Port-channels in the group:
                    ----------------------

    Port-channel: Po101    (Primary Aggregator)
    ------------

    Age of the Port-channel   = 42d:05h:56m:34s
    Logical slot/port   = 14/26          Number of ports = 1
    HotStandBy port = null
    Port state          = Port-channel Ag-Inuse
    Protocol            =   LACP
    Fast-switchover     = disabled
    Load share deferral = disabled

    Ports in the Port-channel:

    Index   Load   Port        EC state           No of bits
    ------+------+------------+------------------+-----------
      0     FF     Gi3/4       Active             8

    Time since last port bundled:    19d:09h:03m:16s    Gi3/4
    Time since last port Un-bundled: 19d:09h:04m:02s    Gi3/4

    Port-channel: Po101A
    ------------

    Age of the Port-channel   = 19d:09h:03m:19s
    Logical slot/port   = 14/30          Number of ports = 1
    HotStandBy port = null
    Port state          = Port-channel Ag-Inuse
    Protocol            =   LACP
    Fast-switchover     = disabled
    Load share deferral = disabled

    Ports in the Port-channel:

    Index   Load   Port        EC state           No of bits
    ------+------+------------+------------------+-----------
      0     FF     Gi4/4       Active             8

    Time since last port bundled:    19d:09h:03m:17s    Gi4/4

    Last applied Hash Distribution Algorithm: Fixed

Anybody know how to fix LACP?
It sounds like your 2 Cisco switch ports are not correct in neg-LACP.
Qs: Are these switch ports on the same switch (VSS or standalone), same blade (looks like it's not)?
Qs: Did you search for bugs/issues on the IOS train you're running pertaining to LACP?
Qs: Did you check anything on FortiOS for your FortiOS (what version are you running)?
Qs: If you restart LACP, does anything change (down and re-up one interface at a time)?
As a temp, can you move ports 3/4 and 4/4 onto the same blade and see what happens; does the status change? (And yes, you don't want to leave this as a final solution ;) )
PCNSE
NSE
StrongSwan
Hi, thanks for the questions.
A: Yes, the switch ports are on the same standalone switch, but on different blades for redundancy.
A: Not searched yet, but we have a number of LACP links with Linux/Windows servers, Dell/HP switches, Cisco stacked switches - all of them work without problems.
A: No release notes (we are on 5.2.7). Support ticket created, but no update for the last 3 days.
A: I will check on the connection to the slave FGT member to avoid possible production impact.
Vladimir.
Hi,
I tried restarting one port of the LAG on the slave and got positive results - both ports belong to the same aggregator ID.
Looks like some negotiation problem forced the LAG to split into two different sub-LAGs :)
Thanks. Vladimir.
PS: I will do the same with the master unit next week (maintenance window).
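
A check for the symptom seen in this thread, added here as an example and not part of any poster's message: it parses `diag netlink aggregate name` output and reports member ports whose aggregator ID or actor key differs from the bundle-level values. The function names are hypothetical, and the sample is trimmed from the output posted in the question.

```python
import re

# Trimmed from the `diag netlink aggregate name MAINLINK-LACP` output in the thread.
SAMPLE = """\
status: up
ports: 2
aggregator ID: 1
actor key: 17
slave: port3
  LACP state: established
  actor port number/key/priority: 1 17 255
  aggregator ID: 1
slave: port4
  LACP state: established
  actor port number/key/priority: 2 9 255
  aggregator ID: 2
"""

ACTOR_PORT = re.compile(r"actor port number/key/priority:\s*\d+\s+(\d+)\s+\d+")

def parse_aggregate(text):
    """Return (bundle, slaves): bundle-level fields and a dict of per-port fields."""
    bundle, slaves, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"slave:\s*(\S+)", line):
            current = slaves.setdefault(m.group(1), {})   # start a new port stanza
        elif m := re.match(r"aggregator ID:\s*(\d+)", line):
            # Before the first "slave:" line this is the bundle's own aggregator ID.
            (bundle if current is None else current)["agg_id"] = int(m.group(1))
        elif m := re.match(r"actor key:\s*(\d+)", line):
            bundle["actor_key"] = int(m.group(1))
        elif (m := ACTOR_PORT.match(line)) and current is not None:
            current["actor_key"] = int(m.group(1))
    return bundle, slaves

def split_lag_findings(text):
    """List (port, field, bundle_value, port_value) where a port differs from the bundle."""
    bundle, slaves = parse_aggregate(text)
    findings = []
    for port, fields in sorted(slaves.items()):
        for name in ("agg_id", "actor_key"):
            if name in fields and name in bundle and fields[name] != bundle[name]:
                findings.append((port, name, bundle[name], fields[name]))
    return findings

if __name__ == "__main__":
    for port, name, want, got in split_lag_findings(SAMPLE):
        print(f"{port}: {name} is {got}, bundle has {want}")
```

An empty result means every member port reports the bundle's aggregator ID and actor key, which is the state described after the port restart.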