We have a Fortigate 100E running FortiOS 6.2.3 with two FSW 448D switches.
The switches are connected via four Gigabit ports each to the Fortigate (no 10G interface in the 100E) using "set fortilink-split-interface disable" to activate all 8 ports in a single MCLAG to both switches simultaneously.
The Switch-interlink is using two of the 10G ports; the other two 10G ports on each switch are used to connect to VM-host and Storage. This was running fine with FortiSwitch OS 6.0.something (.3 or .5 IIRC).
This Saturday I upgraded the Fortiswitches to 6.2.3 to match the Fortigate's OS version. Upgrade went smooth but we have experienced massive problems since then, troubleshooting shows the following:
1) Packet loss (around 10%) on the Fortilink interface for all traffic (native, CAPWAP and VLANs). The CAPWAP connection between FSW and FGT was also affected, going down and up again repeatedly.
2) Duplicate packets on fortilink (exec ping <fortiswitch> shows DUP packets, also around 10%)
3) Packet-loss on both PPPoE Internet uplinks (two, yes I would rather have non-PPPoE real internet, but you take what you get).
note: We have one 50/1MBit ADSL link with PPPoE and external modem as well as a fiber 1000BaseBX10 symmetric 500MBps (bandwidth throttling on provider side) PPPoE uplink bundled into a simple SDWAN interface.
Workaround: I found a workaround and will downgrade to 6.0.9 after working hours. The workaround appears to be: enable split-interface, thus turning the 8GBit LACP MC-LAG port channel uplink between Switches and Firewall back into a single 1G uplink with 7 backup ports. Since both Storage VLAN and Client VLAN are routed through the Firewall, this is not a desired topology.
My guess at this point is that LACP is broken on fortilink in 6.2.3 and that this caused CPU stress on the Fortigate (its CPU is quite busy doing 550Mbit/s combined PPPoE).
Anyone with similar problems?
And yes, I will open a tech support ticket tomorrow (when I'm back in the office) and after I have confirmed that the downgrade removes the problem.
I'm seeing the same thing with a single 248E-FPOE (6.2.3) connected via fiber to a 248D-FPOE (3.6.9).
On the 248D I can run a ping of, say, 200 count and get about a 10-12% packet loss.
If I run a ping from the 248E to the 248D I get 0% packet loss.
I don't see any issues on my network - no packet loss between devices on either side of that link, but it's super weird. Did tech support have any answers for you?
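Both posts diagnose the link with ping, watching for lost probes and DUP replies. The helper below is an added example (not code from either poster or from Fortinet) that derives both rates from the per-reply icmp_seq values; the sample output is constructed and assumes the BSD/Linux reply format, which FortiOS `exec ping` is assumed here to share.

```python
import re
from dataclasses import dataclass

# Constructed sample (not captured from the posters' devices): an 8-packet ping
# across a flapping link. Sequence 2 is answered twice; 4 and 6 never come back.
SAMPLE_PING = """\
PING 10.255.1.2 (10.255.1.2): 56 data bytes
64 bytes from 10.255.1.2: icmp_seq=0 ttl=64 time=0.4 ms
64 bytes from 10.255.1.2: icmp_seq=1 ttl=64 time=0.4 ms
64 bytes from 10.255.1.2: icmp_seq=2 ttl=64 time=0.5 ms
64 bytes from 10.255.1.2: icmp_seq=2 ttl=64 time=1.3 ms (DUP!)
64 bytes from 10.255.1.2: icmp_seq=3 ttl=64 time=0.4 ms
64 bytes from 10.255.1.2: icmp_seq=5 ttl=64 time=0.5 ms
64 bytes from 10.255.1.2: icmp_seq=7 ttl=64 time=0.4 ms

--- 10.255.1.2 ping statistics ---
8 packets transmitted, 7 packets received, +1 duplicates, 25% packet loss
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+)")
SENT_RE = re.compile(r"(\d+) packets transmitted")


@dataclass
class PingStats:
    sent: int
    lost: list[int]   # sequence numbers that were never answered
    duplicates: int   # extra replies for an already-answered sequence
    loss_pct: float
    dup_pct: float


def parse_ping(output: str) -> PingStats:
    """Loss and duplicate rates from per-reply icmp_seq values, so a duplicate
    reply can never mask a lost probe, whatever the summary line reports."""
    seen: set[int] = set()
    duplicates = 0
    for match in REPLY_RE.finditer(output):
        seq = int(match.group(1))
        if seq in seen:
            duplicates += 1
        seen.add(seq)
    sent_match = SENT_RE.search(output)
    # Fall back to the highest sequence seen if the summary line is missing.
    sent = int(sent_match.group(1)) if sent_match else max(seen, default=-1) + 1
    if sent == 0:
        return PingStats(0, [], 0, 0.0, 0.0)
    lost = [seq for seq in range(sent) if seq not in seen]
    return PingStats(sent, lost, duplicates,
                     100.0 * len(lost) / sent, 100.0 * duplicates / sent)
```

Run a longer count (200 as in the reply above) and feed the captured output to `parse_ping` to get loss and DUP percentages that are independent of how the summary line counts duplicates.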