We have a Fortigate 100E running FortiOS 6.2.3 with two FSW 448D switches.

The switches are connected via four Gigabit ports each to the Fortigate (no 10G interface in the 100E) using "set fortilink-split-interface disable" to activate all 8 ports in a single MCLAG to both switches simultaneously.

The Switch-interlink is using two of the 10G ports, the other two 10G ports on each switch is used to connect to VM-host and Storage. This was running fine with FortiSwitch OS 6.0.something (.3 or .5 IIRC).

This Saturday I upgraded the Fortiswitches to 6.2.3 to match the Fortigate's OS version. Upgrade went smooth but we have experienced massive problems since then, troubleshooting shows the following:

1) Packetloss (around 10%) on the Fortilink interface for all traffic (native, CAPWAP and VLANs). The CAPWAP connection between FSW and FGT was also affected, going down and up again repeatedly.

2) Duplicate packets on fortilink (exec ping <fortiswitch> shows DUP packets, also around 10%)

3) Packet-loss on both PPPoE Internet uplinks (two, yes I would rather have non-PPPoE real internet, but you take what you get).

note: We have one 50/1MBit ADSL link with PPPoE and external modem as well as a fiber 1000BaseBX10 symmetric 500MBps (bandwidth throttling on provider side) PPPoE uplink bundled into a simple SDWAN interface.

Workaround: I found a workaround and will downgrade to 6.0.9 after working hours. The workaround appears to be: enable split-interface, thus turning the 8GBit LACP MC-LAG port channel uplink between Switches and Firewall back into a single 1G uplink with 7 backup ports. Since both Storage VLAN and Client VLAN are routed through the Firewall, this is not a desired topology.

My guess at this point is that LACP is broken on fortilink in 6.2.3 and that this caused CPU stress on the Fortigate (it's CPU is quite busy doing 550Mbit/s combined PPPoE).

Anyone with similar problems?