Comware

I'm attempting to replace my current firewall.  Right now, we've just got a single line running from the HP 1950 to the watchguard.  In order to build in some redundancy, I'm wanting to setup a LACP connection from the 1950 to the FortiGate.  As far as I can tell, everything is configured correctly. 

1. interface Bridge-Aggregation1
2. port link-type trunk
3. port trunk permit vlan all

1. interface Ten-GigabitEthernet1/0/1
2. port link-type trunk
3. port trunk permit vlan all
4. port link-aggregation group 1

1. interface Ten-GigabitEthernet1/0/4
2. port link-type trunk
3. port trunk permit vlan all
4. port link-aggregation group 1

The configuration on the Fortinet is correct.  In this case, I've got the LACP set as static, trying to bring it up, but I also tried with the LACP at Dynamic

1. interface Bridge-Aggregation1
2. port link-type trunk
3. port trunk permit vlan all
4. link-aggregation mode dynamic

But it was the same result.  I'd get a physical connection between the devices, but when I tried to ping from the 1950 to the FortiGate or from the FrotiGate to the 1950, I got no response.  Any idea why I couldn't get traffic to flow between them?

I think I figured out the issue, but I won't know for sure until our next maintenance window.
All the vlan interfaces on the Fortinet are sub-interfaces of the LACP-Trunk interface.  On the HP, I had the PVID set as 1 and allowed vlans set as all.  I think the issue is a vlan tagging issue.  The fortinet is expecting vlan 1 to have a tag, not just be the native vlan and the HP wasn't tagging vlan 1.  I tested by changing the PVID on the HP to 4094 and created a dummy LACP-Test interface on the Fortinet, with a sub-interface on vlan 1 that was an unused IP on the network.  Plug up the ports, the LACP comes up and I get pings across!  So I can't be 100% sure until our next maintenance window, but it looks like it was a vlan tagging issue. 

I'm attempting to replace my current firewall.  Right now, we've just got a single line running from the HP 1950 to the watchguard.  In order to build in some redundancy, I'm wanting to setup a LACP connection from the 1950 to the FortiGate.  As far as I can tell, everything is configured correctly. 

1. interface Bridge-Aggregation1
2. port link-type trunk
3. port trunk permit vlan all

1. interface Ten-GigabitEthernet1/0/1
2. port link-type trunk
3. port trunk permit vlan all
4. port link-aggregation group 1

1. interface Ten-GigabitEthernet1/0/4
2. port link-type trunk
3. port trunk permit vlan all
4. port link-aggregation group 1

The configuration on the Fortinet is correct.  In this case, I've got the LACP set as static, trying to bring it up, but I also tried with the LACP at Dynamic

1. interface Bridge-Aggregation1
2. port link-type trunk
3. port trunk permit vlan all
4. link-aggregation mode dynamic

But it was the same result.  I'd get a physical connection between the devices, but when I tried to ping from the 1950 to the FortiGate or from the FrotiGate to the 1950, I got no response.  Any idea why I couldn't get traffic to flow between them?

I think I figured out the issue, but I won't know for sure until our next maintenance window.
All the vlan interfaces on the Fortinet are sub-interfaces of the LACP-Trunk interface.  On the HP, I had the PVID set as 1 and allowed vlans set as all.  I think the issue is a vlan tagging issue.  The fortinet is expecting vlan 1 to have a tag, not just be the native vlan and the HP wasn't tagging vlan 1.  I tested by changing the PVID on the HP to 4094 and created a dummy LACP-Test interface on the Fortinet, with a sub-interface on vlan 1 that was an unused IP on the network.  Plug up the ports, the LACP comes up and I get pings across!  So I can't be 100% sure until our next maintenance window, but it looks like it was a vlan tagging issue. 

I'm attempting to replace my current firewall.  Right now, we've just got a single line running from the HP 1950 to the watchguard.  In order to build in some redundancy, I'm wanting to setup a LACP connection from the 1950 to the FortiGate.  As far as I can tell, everything is configured correctly. 

1. interface Bridge-Aggregation1
2. port link-type trunk
3. port trunk permit vlan all

1. interface Ten-GigabitEthernet1/0/1
2. port link-type trunk
3. port trunk permit vlan all
4. port link-aggregation group 1

1. interface Ten-GigabitEthernet1/0/4
2. port link-type trunk
3. port trunk permit vlan all
4. port link-aggregation group 1

The configuration on the Fortinet is correct.  In this case, I've got the LACP set as static, trying to bring it up, but I also tried with the LACP at Dynamic

1. interface Bridge-Aggregation1
2. port link-type trunk
3. port trunk permit vlan all
4. link-aggregation mode dynamic

But it was the same result.  I'd get a physical connection between the devices, but when I tried to ping from the 1950 to the FortiGate or from the FrotiGate to the 1950, I got no response.  Any idea why I couldn't get traffic to flow between them?

Hello Ktimm,

Thank you very much for your explanations. We are confident that the method you provided works perfectly and thank you very much for saving us from a major issue.

Best Regards.

I think I figured out the issue, but I won't know for sure until our next maintenance window.
All the vlan interfaces on the Fortinet are sub-interfaces of the LACP-Trunk interface.  On the HP, I had the PVID set as 1 and allowed vlans set as all.  I think the issue is a vlan tagging issue.  The fortinet is expecting vlan 1 to have a tag, not just be the native vlan and the HP wasn't tagging vlan 1.  I tested by changing the PVID on the HP to 4094 and created a dummy LACP-Test interface on the Fortinet, with a sub-interface on vlan 1 that was an unused IP on the network.  Plug up the ports, the LACP comes up and I get pings across!  So I can't be 100% sure until our next maintenance window, but it looks like it was a vlan tagging issue. 

I'm attempting to replace my current firewall.  Right now, we've just got a single line running from the HP 1950 to the watchguard.  In order to build in some redundancy, I'm wanting to setup a LACP connection from the 1950 to the FortiGate.  As far as I can tell, everything is configured correctly. 

1. interface Bridge-Aggregation1
2. port link-type trunk
3. port trunk permit vlan all

1. interface Ten-GigabitEthernet1/0/1
2. port link-type trunk
3. port trunk permit vlan all
4. port link-aggregation group 1

1. interface Ten-GigabitEthernet1/0/4
2. port link-type trunk
3. port trunk permit vlan all
4. port link-aggregation group 1

The configuration on the Fortinet is correct.  In this case, I've got the LACP set as static, trying to bring it up, but I also tried with the LACP at Dynamic

1. interface Bridge-Aggregation1
2. port link-type trunk
3. port trunk permit vlan all
4. link-aggregation mode dynamic

But it was the same result.  I'd get a physical connection between the devices, but when I tried to ping from the 1950 to the FortiGate or from the FrotiGate to the 1950, I got no response.  Any idea why I couldn't get traffic to flow between them?

After a bit of time I've learned that the "default" interface on a fortinet is located on the "Main" interface.  IE, let's say you've got something like
Port 1 - 172.16.0.0/24 (Vlan 7)
Port 1 (sub1) - 172.16.1.0/24 (Vlan 8)
Port 1 (sub2) - 172.16.2.0/24 (Vlan 9)

Then your "default vlan" or "native vlan" (whatever you want to call it) in the above case is Vlan 7.  It's the vlan that's on the "main" interface.  Now if you have something like this

Port 1- no ip assigned
port 1 (sub1) - 172.16.0.0/24 (vlan 7)
port 1 (sub2) - 172.16.1.0/24 (vlan 8)

Then you kind of don't have a "native vlan" on port 1, so if your native vlan on the other side is vlan 7, port1 (sub1) won't pick up that traffic.  You'll have to change the native vlan on the other side to something other than vlan 7, so that the other side will send vlan 7 as tagged traffic.

Hello Ktimm,

Thank you very much for your explanations. We are confident that the method you provided works perfectly and thank you very much for saving us from a major issue.

Best Regards.

I think I figured out the issue, but I won't know for sure until our next maintenance window.
All the vlan interfaces on the Fortinet are sub-interfaces of the LACP-Trunk interface.  On the HP, I had the PVID set as 1 and allowed vlans set as all.  I think the issue is a vlan tagging issue.  The fortinet is expecting vlan 1 to have a tag, not just be the native vlan and the HP wasn't tagging vlan 1.  I tested by changing the PVID on the HP to 4094 and created a dummy LACP-Test interface on the Fortinet, with a sub-interface on vlan 1 that was an unused IP on the network.  Plug up the ports, the LACP comes up and I get pings across!  So I can't be 100% sure until our next maintenance window, but it looks like it was a vlan tagging issue. 

I'm attempting to replace my current firewall.  Right now, we've just got a single line running from the HP 1950 to the watchguard.  In order to build in some redundancy, I'm wanting to setup a LACP connection from the 1950 to the FortiGate.  As far as I can tell, everything is configured correctly. 

1. interface Bridge-Aggregation1
2. port link-type trunk
3. port trunk permit vlan all

1. interface Ten-GigabitEthernet1/0/1
2. port link-type trunk
3. port trunk permit vlan all
4. port link-aggregation group 1

1. interface Ten-GigabitEthernet1/0/4
2. port link-type trunk
3. port trunk permit vlan all
4. port link-aggregation group 1

The configuration on the Fortinet is correct.  In this case, I've got the LACP set as static, trying to bring it up, but I also tried with the LACP at Dynamic

1. interface Bridge-Aggregation1
2. port link-type trunk
3. port trunk permit vlan all
4. link-aggregation mode dynamic

But it was the same result.  I'd get a physical connection between the devices, but when I tried to ping from the 1950 to the FortiGate or from the FrotiGate to the 1950, I got no response.  Any idea why I couldn't get traffic to flow between them?