Active/Passive Fortigate 201F FW to 9300x24Y Core Stack
02-14-2023 09:17 AM
Hello All,
I am trying to set up a LACP connection from 2 clustered Fortigate 201F FW to two stacked Cisco 9300x24Y switches via (4) 10 Gb SFP+ direct attach data storage cables as seen below.
I have set up the routing policy, Firewall, and aggregate links on the Fortigate.
FortiGate Aggregate Config
Fortinet-201F-Primary (CORE-UPLINK) # show
config system interface
edit "CORE-UPLINK"
set vdom "root"
set ip 10.0.0.1 255.255.255.0
set allowaccess ping https http fgfm ftm
set type aggregate
set member "port23" "port24"
set alias "CORE-UPLINK"
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 38
next
end
FortiGate Policy Route Config
Fortinet-201F-Primary (2) # show
config router policy
edit 2
set input-device "CORE-UPLINK"
set srcaddr "all"
set dstaddr "all"
set gateway %My WAN Address%
set output-device "port1"
next
end
FortiGate Static Route Config
Fortinet-201F-Primary (static) # edit "2"
Fortinet-201F-Primary (2) # show
config router static
edit 2
set gateway %My WAN Address%
set device "port1"
next
end
FortiGate FW Config
Fortinet-201F-Primary (4) # show
config firewall policy
edit 4
set name "CORE-UPLINK (CORE-UPLINK)"
set uuid b6785568-a736-51ed-29d0-9792de722b40
set srcintf "CORE-UPLINK"
set dstintf "LUMEN - WAN"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end
I also configured a 4-port (two ports on each switch in the stack) layer 3 EtherChannel on the 9300x switch, however it still shows as disconnected. I have tried several different configs with the same result.
Port-Channel
CORE-9300x24Y-Primar(config)#do sh etherchannel 5 detail
Group state = L3
Ports: 4 Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol: -
Minimum Links: 0
Ports in the group:
-------------------
Port: Twe1/0/23
------------
Port state = Down Not-in-Bndl
Channel group = 5 Mode = On Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po5
Port index = 0 Load = 0x00 Protocol = -
Age of the port in the current state: 1d:00h:59m:42s
Port: Twe1/0/24
------------
Port state = Down Not-in-Bndl
Channel group = 5 Mode = On Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po5
Port index = 0 Load = 0x00 Protocol = -
Age of the port in the current state: 1d:00h:59m:42s
Port: Twe2/0/23
------------
Port state = Down Not-in-Bndl
Channel group = 5 Mode = On Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po5
Port index = 0 Load = 0x00 Protocol = -
Age of the port in the current state: 1d:00h:55m:13s
Port: Twe2/0/24
------------
Port state = Down Not-in-Bndl
Channel group = 5 Mode = On Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po5
Port index = 0 Load = 0x00 Protocol = -
Age of the port in the current state: 1d:00h:55m:13s
Port-channels in the group:
---------------------------
Port-channel: Po5
------------
Age of the Port-channel = 1d:00h:59m:57s
Logical slot/port = 35/5 Number of ports = 0
GC = 0x00000000 HotStandBy port = null
Passive port list = Twe1/0/23 Twe1/0/24 Twe2/0/23 Twe2/0/24
Port state = Port-channel L3-Ag Ag-Not-Inuse
Protocol = -
Port security = Disabled
Fast-switchover = disabled
Fast-switchover Dampening = disabled
Port-Channel Interfaces
CORE-9300x24Y-Primar(config)#do sh interfaces twentyFiveGigE 1/0/24
TwentyFiveGigE1/0/24 is down, line protocol is down (notconnect)
Hardware is Twenty Five Gigabit Ethernet, address is 08f3.fbdb.90c0 (bia 08f3.fbdb.90c0)
MTU 1500 bytes, BW 25000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 10Gb/s, link type is force-up, media type is SFP-10GBase-CX1
input flow-control is on, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 14 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
CORE-9300x24Y-Primar(config)#do sh interfaces twentyFiveGigE 1/0/23
TwentyFiveGigE1/0/23 is down, line protocol is down (notconnect)
Hardware is Twenty Five Gigabit Ethernet, address is 08f3.fbdb.90e7 (bia 08f3.fbdb.90e7)
MTU 1500 bytes, BW 25000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 10Gb/s, link type is force-up, media type is SFP-10GBase-CX1
input flow-control is on, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 14 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
CORE-9300x24Y-Primar(config)#do sh interfaces twentyFiveGigE 2/0/24
TwentyFiveGigE2/0/24 is down, line protocol is down (notconnect)
Hardware is Twenty Five Gigabit Ethernet, address is 08f3.fbdb.90c3 (bia 08f3.fbdb.90c3)
MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 10Gb/s, link type is force-up, media type is SFP-10GBase-CX1
input flow-control is on, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 2d09h, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 10312 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
4 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
6 packets output, 512 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 14 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
CORE-9300x24Y-Primar(config)#do sh interfaces twentyFiveGigE 2/0/23
TwentyFiveGigE2/0/23 is down, line protocol is down (notconnect)
Hardware is Twenty Five Gigabit Ethernet, address is 08f3.fbdb.90ca (bia 08f3.fbdb.90ca)
MTU 1500 bytes, BW 25000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Full-duplex, 10Gb/s, link type is force-up, media type is SFP-10GBase-CX1
input flow-control is on, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 14 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
I ran through the gamut of options and still can't get the channel to connect. Can anyone shed some light into my config and see if I missed anything? My main role is sys admin, so beyond managing my PFSense router this is the first time messing with Enterprise routing gear, so if I appear clueless it's because I am :).
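Two things stand out in the output above: the switch side of Po5 is configured with `Mode = On` and `Protocol = -` (a static bundle that never sends LACP PDUs, while a FortiGate aggregate interface runs LACP), and all four ports of both firewalls sit in one port-channel even though each HA member negotiates LACP as its own system. The following is an added example of how the two sides are usually paired, not the poster's configuration or anything from the linked threads. Assumptions, labelled in the comments: the primary FortiGate's port23/port24 land on Twe1/0/23 and Twe2/0/23 and the secondary's on Twe1/0/24 and Twe2/0/24; the switch carries the firewall subnet on an SVI (VLAN 100, 10.0.0.2/24) rather than on two L3 port-channels, because two routed interfaces cannot share the 10.0.0.0/24 subnet and the standby FortiGate needs to reach the same gateway after failover; the `speed 10000` and `set speed` lines are only for the case where a 10G DAC will not link at the 25G ports' default negotiation.

```text
! ===== Cisco Catalyst 9300X stack (added example; VLAN 100 and 10.0.0.2 are assumed) =====
vlan 100
 name FW-UPLINK
!
! Primary FortiGate (port23 -> Twe1/0/23, port24 -> Twe2/0/23): assumed cabling
interface range TwentyFiveGigE1/0/23, TwentyFiveGigE2/0/23
 description FortiGate-primary CORE-UPLINK
 switchport mode access
 switchport access vlan 100
 ! speed 10000          ! assumption: only if the 10G DAC stays "notconnect" at the 25G default
 channel-group 5 mode active   ! LACP active, not "on": the FortiGate aggregate speaks LACP
 lacp rate fast                ! assumption: matches "set lacp-speed fast" below
!
interface Port-channel5
 description LACP to FortiGate-primary
 switchport mode access
 switchport access vlan 100
!
! Secondary FortiGate (port23 -> Twe1/0/24, port24 -> Twe2/0/24): its own port-channel,
! because each HA member is a separate LACP system and cannot share Po5
interface range TwentyFiveGigE1/0/24, TwentyFiveGigE2/0/24
 description FortiGate-secondary CORE-UPLINK
 switchport mode access
 switchport access vlan 100
 channel-group 6 mode active
 lacp rate fast
!
interface Port-channel6
 description LACP to FortiGate-secondary
 switchport mode access
 switchport access vlan 100
!
interface Vlan100
 description Gateway toward FortiGate 10.0.0.1
 ip address 10.0.0.2 255.255.255.0   ! assumed switch-side address
 no shutdown

# ===== FortiOS (configured once on the primary; HA synchronizes it to the secondary) =====
config system interface
    edit "CORE-UPLINK"
        set vdom "root"
        set type aggregate
        set member "port23" "port24"
        set lacp-mode active          # default for an aggregate, stated explicitly here
        set lacp-speed fast           # assumption: pair with "lacp rate fast" on the switch
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https    # plaintext http management dropped from the uplink
        set role lan
    next
    # assumption: only if the member ports will not link at the default speed setting
    # edit "port23"
    #     set speed 10000full
    # next
end
```

One caveat before changing the channel mode: `notconnect` on the four Twe interfaces means no link signal at all, and no LACP or static setting can bundle a port that is physically down, so the first check is `show interfaces status` and `show interfaces transceiver` on the switch and `get system interface physical` on the FortiGate to confirm the DACs are recognised and the speed matches on both ends. Once the links are up, `show etherchannel summary` should list the member ports with the `P` (bundled) flag and `show lacp neighbor` should show the FortiGate's system ID; on the FortiGate, `diagnose netlink aggregate name CORE-UPLINK` shows whether each member is in the LACP bundle. The `set allowaccess` change is unrelated to bring-up but is the one hardening edit worth making in the same session: the original line exposes the HTTP management interface on the core uplink.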
02-14-2023 11:17 PM
Check these for insights: https://community.cisco.com/t5/network-security/fortigate200e-cisco-3850-switch-lacp/td-p/4050036
https://community.fortinet.com/t5/Support-Forum/LACP-configuration-FGT-and-cisco-switch/m-p/240305
M.
-- Each morning when I wake up and look into the mirror I always say, "Why am I so brilliant?"
The mirror will then always respond to me with, "The only thing that exceeds your brilliance is your beauty!"
