Troubleshooting Tip: SFP/SFP+ transceivers port/fiber link is not coming up

Description

This article describes steps to perform when SFP/SFP+ fiber link is not coming up.

Scope

FortiSwitch and FortiGate.

Solution

Things to check if the SFP/SFP+ link is not coming up.

1. Ensure that a compatible transceiver is used. Download the file 'Compatible Transceivers' from the link below, or contact support to verify if the transceiver is supported or not. 
2. FortiGate models have specific ports dedicated to SFP/SFP+ and might not work if misused.
   Some ports are shared (for example, RJ45 and SFP combo); only one can be used at a time.
   Check the model’s hardware guide : 
   FortiSwitch - Compatible Transceivers
   
   
3. Try to set the speed setting manually on both sides.

• For example, some higher-end switch models will have speed set to 'auto-module' by default on the SFP/SFP+ ports, whereas lower-end models like 1xx and 2xx series do not support auto-module.
  

When auto-module speed detection is enabled, the system reads information from the module and sets the port speed to the maximum speed that is advertised by the module. If the system encounters a problem when reading from the module, it sets the default speed (the default value is platform-specific).

When the auto-module sets the speed, the system creates a log entry noting this speed.

Note: Auto-speed detection is supported on 1/10G ports, but not on higher-speed ports (such as 40G).

• Another point to check is that some FortiSwitches do not support SFP+/10-Gig link and only support SFP (1Gig), so this FortiSwitch is connected to a higher-end FortiSwitch that supports SFP+, make sure that the speed is set to 1000auto or 1000full on both sides.
  Check regarding SFP/SFP+ support in the switch QuickStart guide.
  Hardware
  
  
• Configuring port speed:
  

Standalone switch:

S248E # config switch physical-port

S248E (physical-port) # edit port52
S248E (port52) # set speed

1000auto    Auto-negotiation (1Gbps full-duplex only).
1000full    1Gbps full-duplex.
auto        Auto-negotiation.

S248E (port52) # end

Managed Switch: (The below change is only for the switches which is authorized UP on the FortiGate).

FG200E (root) # config switch-controller managed-switch
FG200E (managed-switch) # edit <switch_serial#>
FG200E (switch_serial#) # config ports
FG200E (ports) # edit port52
FG200E (port52) # set speed
1000auto    Auto-negotiation (1G full-duplex only).
1000full    1G full-duplex
auto        Auto-negotiation.

FG200E (port52) # end
FG200E (switch_serial#) # end

3. Verify if the link comes up if the cables are connected back to back on the same FortiSwitch. For example: connecting a cable from port52 to port51 on the same FortiSwitch.
   
   

4. Collect the following outputs from both switches:
   
   

get switch modules detail <port#>   <----- This command describes the transceiver.

Port(port10)
identifier       SFP/SFP+
connector        LC
transceiver      1000-Base-SX
encoding         8B/10B
Length Decode Common
 length_smf_1km  N/A
 length_cable    N/A
SFP Specific
 length_smf_100m N/A
 length_50um_om2 300 meter
 length_62um_om1 150 meter
 length_50um_om3 N/A
vendor           
vendor_oid       
vendor_pn        
vendor_rev       
vendor_sn        
manuf_date    

get switch modules limits <port#>      <----- This command indicates at what limit, there will be an SFP alarm and warning raised.

For example, if the light inside the fiber cable is received (rx power) at a poor dBm value, i.e., greater than the limit shown in the alarm, then the SFP link will not come up.

In such scenarios, test with a different SFP module or fiber cable, or test on a different SFP port to segregate the source of the issue.

Port(port10)
                     Alarm        ||       Warning
            |   High   |   Low    ||   High   |  Low
temperature | 110.0000 | 216.0000 ||  93.0000 | 226.0000 C
voltage     |   3.6000 |   3.0000 ||   3.5000 |   3.1000 V
laser_bias  |   1.3000 |   0.1000 ||   1.2500 |   0.2000 mA
tx_power    |   0.0000 | -13.4969 ||  -2.9999 |  -9.5001 dBm
rx_power    |   0.4999 | -21.0237 ||  -1.0002 | -16.9897 dBm

get switch modules status <port#>    <----- In this command, as an example, see that the rx_power is very poor -25dBm, which exceeds the alarm limit, so the link will not come up and the SFP port will show in the alarm state.

Port(port10)

temperature      37.886719 C
voltage          3.310100 volts
alarm_flags      0x0040
warning_flags    0x0040
laser_bias       0.654400 mAmps
tx_power         -5.132862 dBm
rx_power         -25.086384 dBm
options          0x000F ( TX_DISABLE TX_FAULT RX_LOSS TX_POWER_LEVEL1 )
options_status   0x000C ( RX_LOSS TX_POWER_LEVEL1 )

get switch modules summary <port#>

  Portname   State    Type       Transceiver    RX  Vendor           Part Number      Serial Number
  __________ _______  _______    ____________   ___ ________________ ________________ ______________  
  port10     ALARM   SFP/SFP+    1000-Base-SX       

Check the FortiSwitch logs to see if there is any alarm raised:

execute log filter view-lines 1000
execute log display
..
type=event subtype=link pri=critical vd=root user="admin" msg="Slot 0 Port 10, DMI_RX_POWER_LOW Alarm Raised"

diagnose switch physical-ports summary <port#> <- To check the port status.

  Portname    Status  Tpid  Vlan  Duplex  Speed  Flags       Discard
  __________  ______  ____  ____  ______  _____  __________  _________

  Port10       down    8100  1     full    1G       ,  ,      none  

diagnose debug report
show full-config

5. Make sure that the FEC state is negotiated properly.

   
   FGT200E# diagnose hardware deviceinfo nic port13
   ...
   link_fec :Off (0x2)
   link_fec_cap :Off,RS,BaseR (0x1c)   -->  Reed-Solomon (FEC CL91).
   
   

   FSW # diagnose switch physical-ports list port1
   ...
   Interface Type is Copper Reach (CR), FEC is Clause74 --->  Fire-Code (FEC CL74).

Note: To see LR4, SR4, and CR4 media types, the port speed needs to be set to 100Gfull. 
See Technical Tip: Setting FortiGate port media type.

In some cases, FEC is disabled on the FortiGate interface while the FortiSwitch is trying to negotiate the FEC algorithm. With this setup, the fiber interface on the FortiGate and FortiSwitch will show as down. In this case, this can be set manually on both FortiSwitch and FortiGate interfaces, as shown below.

FortiOS: 

config system interface
    edit "portxx"
....
        set forward-error-correction (cl74-fc-fec /cl91-rs-fec/disable)
...
    next
end

FortiSwitch:

config switch physical-port
    edit "portxx"
        set fec-state (cl74/cl91/detect-by-module/disabled)
    next
end

6. Gather details like when and from where the module was purchased, take a picture of the SFP module, and the length of the cable, and feel free to contact support with all the above information for further assistance.

Related articles:

• Technical Tip: Port speed configuration for DAC (Direct Attach Copper) cable
• Technical Tip: Recommended Port speed configuration for SR (short range) SFP cable
• Technical Tip: Recommended port speed configuration when using copper SFP module 1000-Base-T

Additional steps for troubleshooting:

• Check whether  SFP or SFP+ transceivers are used, and slots for SFP and SFP+ modules look exactly the same.
• Additionally, run the below commands to check the transceiver's status.

get sys interface transceiver

get sys interface transceiver <affected_port>

diagnose hardware deviceinfo nic <affected_port>

show system interface <affected_port>

If there is a Cisco device on the other side, try to disable auto-negotiation on that device.

As they are the same size, the SFP transceiver will fit seamlessly into an SFP+ switch port and vice versa.

However, the connection will not work as expected. It may not work at all.

If an SFP device is plugged into an SFP+ port, the speed will be locked at 1 Gbps.

Plugging an SFP+ module into an SFP port delivers no results at all, as the 10G transceiver can never auto-negotiate to 1Gbps.

• Remove the SFP module. Inspect for physical damage to the connector, the module, and the module slot.
• Replace the SFP module with a known good SFP module if available.
• Try installing it in another SFP port if available to see if the problem persists or goes away. If it goes away, it could be an issue with the port on the firewall. In that case, create a TAC ticket and post the details.
• Check that the optic cable is in good shape.
• Use an optical power meter: it can verify the transmit power of an SFP and fiber. It can identify or locate a fault on the transceiver or fiber. 

Related article for configuring speed on SFP:

Troubleshooting Tip: Verify FortiGate Configuration for SFP Transceivers