LACP configuration in fortigate along with cisco switch

Umesh · ‎07-03-2022

Dear all,

I have some queries related to LACP configuration in FortiGate along with the cisco switch but before that I want to show the topology what I want to do.

Pls comment if this thing is possible or not.

at the switch, I have configured G0/0 and G0/1 LACP and trunking as well.

It is working fine but when I do down the G0/0 interface at switch then it is not working.

here is the configuration of sw1 switch-

int range g0/0 -1

switch port tunk en dot1q

switch port mode trunk

channel-group 1 mode active

no shut

.....................................................

Here is the full configuration road map at FortiGate FW and cisco switch.

1. Created aggrate interface port3 & port 4

then assigned these port to subinterface

2. created policy as per the sub interface, in the policy you can see that traffic is moving from lan to wan zone.

3. Created default route towards wan.

4. created LACP configuration at the switch.

5. tested

But it is not successful, Could you pls help me as I am a beginner, your support will be more helpful for me.

Thank you all.

Umesh

Toshi_Esumi · ‎07-03-2022

Unless SW1 and SW2 are stacked, means virtually one switch, it's not going to work. If they are individual, you have to have 2 x 2 port on SW1 and one set going to FG1(port3/4) and another goes to FG2(port3/4). Then you need to use like port6/7 on both FGTs to connect to SW2.

I recommend you tack SW1 and SW2 together. Then pair (SW1-Gi0/0 & SW2-Gi0/1) and (SW1-Gi0/1 & SW2-Gi0/0) in LACP.

Toshi

Umesh · ‎07-04-2022

Hi Toshi,

Let's suppose when primary FortiGate gets down then connectivity also gets down, and traffic is not moving through the secondary firewall. everything is correct configured at secondary fw with HA active and passive mode configuration.

when I check at switch then I get error - Operational Mode: down (suspended member of bundle Po1).

Switch#show interfaces status

Port Name Status Vlan Duplex Speed Type
Gi0/0 suspended trunk a-full auto RJ45

please see the diagram as well -

Please do you have any solutions for it

Toshi_Esumi · ‎07-04-2022

If those switches are not stacked, those switches are independently setting up LACP with both a-p HA FGTs. In normal situation, FG2 is not sending/receiving any packets other than over HA connection with FG1. So your sw1's port-channel(if Cisco) works always 1Gig, not 2Gig. You have to have two GigE connections go in both FG1 and FT2 to do regular LACP. Then when FG1 goes down the SW1 can failover the 2Gig to FG2.

HA doesn't fail-over L2 protocols like LACP. It might re-establish a new LACP neighboring with FG2 when FG1 goes down in your set up. But your test result is showing that's not the case. So you proved it's not a proper design.

Toshi

Moony · ‎08-24-2023

Hello, I have the same setup as above (HA Failover FortiGate 201F which connects to two stacked Catalyst 9300x24y) and ran into the same issue. Did you ever find a working solution?

ndawedua · ‎11-14-2023

Hello, To resolve this issue I recommend creating two different port-channels.

Ndawendua Neto

KhalidBouchlaghem · ‎02-13-2024

Hello,

I have the same archetecture, 2 FG 100F on HA and 2 stacked Catalyst 9500, with PO13 for the ports connected to 2 ports on FG (X1, X1), and all port are Trunk mode. the problem is the interface on the master shown as down even if the port is upand the LACP is well configured:

interface problem.jpg

Umesh · ‎02-13-2024

Same problem not resolved yet.

KhalidBouchlaghem · ‎02-13-2024

Did you tried to put each FGT in a separate channel group (ports connected to the same FGT should be the same channel group): Screenshot 2024-02-14 084014.jpg

LACP configuration in fortigate along with cisco switch

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website