Issue: Enabling a distributed LACP between a stacked Cisco Multilayer SW vs a Cluster FORTIGATE HA Active-Active

edwinstik
Level 1

Hello.


Validating a scenario that takes advantage of the capabilities offered by a Fortigate solution in HA A-A (Active-Active), I'm trying to enable the topology attached (please see the diagram in JPG format). Below I'm going to explain the issue perceived:


When I try to use the Internet connections, taking as an uplink connection the distributed LACP, the navigation experience for some end users is degraded: HTTP content fails to load, there is delay, the local gateway is not reachable via ping or tracert; the experience is like a loop.
The LACP formed from the perspective of Cisco IOS is correct: the LACP is formed and each member link is grouped without any problem.
In contrast, I've applied this topology using only one Fortigate and redundancy is obtained (check the second topology).

My perception is that the arrangement of Cisco stacked multilayer switching + the Active-Active connections to the FORTIGATE HA gives this bad experience at the moment of trying to access the network resources.


Does somebody have any idea if it is possible to have HA A-A using a CORE multilayer switch in stack format?


Thanks, and I await your point of view.

5 Replies

Philip D'Ath
VIP Alumni

How does the client know which of the two Fortigates to send the traffic to when they are both active/active?

Hi.

Well, from the perspective of ARP the cluster is seen as one unit; the cluster gives an exclusive virtual MAC for the purpose of mapping into the ARP table.

Regards,

So the two units share a single MAC address? If that is the case, then the switches can only forward client traffic to one firewall at a time, so I don't see how active/active could be working in a scenario where traffic is processed by both of them at the same time. Or have I misunderstood, and is only one firewall at a time forwarding traffic?

Hi, sorry to interrupt. Both firewalls share a unique MAC, but only one unit acts as a master that receives all frames and sends a connection to a secondary unit. From this perspective, all traffic is first processed by the master, which sends a given session to a member. Another thing that happens is that the master synchronizes its session table with all members, so in case it fails a new master is elected, which sends a gratuitous ARP to the switch informing it that the new master is reachable through a given port.

GustavoZarini
Level 1

Hi, sorry to bother you, but I want to know if you were able to make that work. I have to connect two clustered FG 100D with two stacked Cisco 2960. My idea is to create a LACP with ports of both switches connecting to the FG, so in case one switch fails the other can still send traffic through another port.
