Dear all,
I have some queries related to LACP configuration in FortiGate along with the cisco switch but before that I want to show the topology what I want to do.
Pls comment if this thing is possible or not.
at the switch, I have configured G0/0 and G0/1 LACP and trunking as well.
It is working fine but when I do down the G0/0 interface at switch then it is not working.
here is the configuration of sw1 switch-
int range g0/0 -1
switch port tunk en dot1q
switch port mode trunk
channel-group 1 mode active
no shut
.....................................................
Here is the full configuration road map at FortiGate FW and cisco switch.
1. Created aggrate interface port3 & port 4
then assigned these port to subinterface
2. created policy as per the sub interface, in the policy you can see that traffic is moving from lan to wan zone.
3. Created default route towards wan.
4. created LACP configuration at the switch.
5. tested
But it is not successful, Could you pls help me as I am a beginner, your support will be more helpful for me.
Thank you all.
Umesh
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Unless SW1 and SW2 are stacked, means virtually one switch, it's not going to work. If they are individual, you have to have 2 x 2 port on SW1 and one set going to FG1(port3/4) and another goes to FG2(port3/4). Then you need to use like port6/7 on both FGTs to connect to SW2.
I recommend you tack SW1 and SW2 together. Then pair (SW1-Gi0/0 & SW2-Gi0/1) and (SW1-Gi0/1 & SW2-Gi0/0) in LACP.
Toshi
Hi Toshi,
Let's suppose when primary FortiGate gets down then connectivity also gets down, and traffic is not moving through the secondary firewall. everything is correct configured at secondary fw with HA active and passive mode configuration.
when I check at switch then I get error - Operational Mode: down (suspended member of bundle Po1).
Switch#show interfaces status
Port Name Status Vlan Duplex Speed Type
Gi0/0 suspended trunk a-full auto RJ45
please see the diagram as well -
Please do you have any solutions for it
If those switches are not stacked, those switches are independently setting up LACP with both a-p HA FGTs. In normal situation, FG2 is not sending/receiving any packets other than over HA connection with FG1. So your sw1's port-channel(if Cisco) works always 1Gig, not 2Gig. You have to have two GigE connections go in both FG1 and FT2 to do regular LACP. Then when FG1 goes down the SW1 can failover the 2Gig to FG2.
HA doesn't fail-over L2 protocols like LACP. It might re-establish a new LACP neighboring with FG2 when FG1 goes down in your set up. But your test result is showing that's not the case. So you proved it's not a proper design.
Toshi
Hello, I have the same setup as above (HA Failover FortiGate 201F which connects to two stacked Catalyst 9300x24y) and ran into the same issue. Did you ever find a working solution?
Hello, To resolve this issue I recommend creating two different port-channels.
Hello,
I have the same archetecture, 2 FG 100F on HA and 2 stacked Catalyst 9500, with PO13 for the ports connected to 2 ports on FG (X1, X1), and all port are Trunk mode. the problem is the interface on the master shown as down even if the port is upand the LACP is well configured:
Same problem not resolved yet.
Did you tried to put each FGT in a separate channel group (ports connected to the same FGT should be the same channel group):
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.