Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
claytonmeyer
New Contributor

New FG1000D HA Deployment Using Nexus VPC Troubleshooting

Hi all, I'm deploying a new pair of 1000D in active/active configuration. Outside interface's are connecting to a single ISP & seem to be working fine. The issue I'm having is communication between our core Nexus 9K's & the 1000D's. This is a multi-tenant environment and therefore we are leveraging VDOM's on the FG & VRF's on the 9K's. 

 

I'm using individual /29 networks between the FG & 9K's to route. We are also using LACP on the FG & VPC on the pair of 9K's. The 9K's are not new & have been in production for quite some time. They are configured according to Cisco best practices. 

 

The issue we ran into was that we were unable to communicate properly between the core switches & the firewalls on one of the /29 networks. After working with Fortinet Support for hours, I was told that best practices was for a L2 switch to be physically installed between the firewalls and our core switches. This apparently is due to some requirement for HA configuration. Even though this wasn't clear to me, we did try this method and it didn't resolve the issue.

 

The physical ports on the FG are configured like this. 802.3ad port is in the root VDOM with no L3 config. The underlying VLAN interfaces are in a unique VDOM. These VLAN interfaces are what use the /29 network to route to the Nexus 9K's. Is there something about this design that doesn't seem right? Any ideas what might be causing this problem? Running 5.6.4 code.

 

 

1 Solution
ede_pfau

Cisco Nexus internally use non-standard Ethertypes - the same which FortiOS uses on the HA links. This is documented in the [strike]KB.[/strike] HA chapter of the 'FortiOS Handbook'.

To avoid trouble you can change the Ethertype in the HA setup ('conf sys ha'). 3 different types are used.

 

Your routing / connectivity problems could be a side-effect of this.

Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

Ede Kernel panic: Aiee, killing interrupt handler!
13 REPLIES 13
Sunil_Panchal_NSE7

please upgrade nexus firmware to latest becasue for for old os it is kind of bug .

 

emnoc
Esteemed Contributor III

FWIW if you have a VPC a and peer-link up than  LACP should work. You could disable LACP all together and see what happens but I would look at the  LACP statistics from the NXOS side of things and go from that point forward. If the LCAP packets are not being sent/receive from the FGT or NXOS devices, than trouble shoot as to why.

 

 

 show lacp counter 

 show port-summary 

 show lacp neighbor

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
HungLe
New Contributor

Hello, Did you resolve this problem. Now, I have the same issue with you. 

Please share me information.

HungLe
New Contributor

Hi Everyone, Now, I have the same issue.  Anybody can help me to fix this problem???. I appreciate your help all.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors