Troubleshooting Tip: Unable to push configured VLANs from FortiGate to managed FortiSwitch when allowed VLAN is set to 'ALL'
| Description | This article describes the errors observed on FortiGate when a FortiSwitch port is configured with allowed VLANs set to 'ALL'. |
| Scope | FortiSwitch v7.2, FortiGate (any version). |
**Solution**

FortiGate GUI option to set the FortiSwitch port (screenshot not reproduced here).

**Issue:** On older versions, when FortiSwitch ports are configured with allowed VLANs = ALL, the following error appears on the FortiGate:

```
FortiGate# execute switch-controller get-conn-status
Managed-devices in current vdom root:

FortiLink interface : fortilink
SWITCH-ID        VERSION       STATUS         FLAG  ADDRESS     JOIN-TIME                 NAME
S108FPXXXXXXXX   v7.2.7 (479)  Authorized/Up  E     172.17.2.2  Sat Aug 23 01:01:41 2025  -

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3
Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 24)
```

```
FortiGate# execute switch-controller get-sync-status all
Managed-devices in current vdom root:

FortiLink interface : fortilink
SWITCH (NAME)    STATUS  CONFIG  MAC-SYNC  HTTP-UPGRADE
S108FPXXXXXXXX   Up      Error   -         -

[1] payload: { "json": { "discard-mode": "none", "allowed-vlans": "4093 4091 4090 4092 4089 4088 30 20 10 55 8 31 32 33 34 35 36 37 " } }
result : { "http_method":"PUT", "status":"error", "http_status":400, "vdom":"root", "path":"switch", "name":"interface", "mkey":"port2", "cmdb-index":"626", "cmdb-checksum":"18090615568083149156", "serial":"S108FPXXXXXXXX ", "version":"v7.2.7", "build":479, "timestamp":"2025-08-22T13:49:38Z" }
[2] payload: { "json": { "discard-mode": "none", "allowed-vlans": "1 4093 4091 4090 4092 4089 4088 20 10 55 8 31 32 33 34 35 36 37 " } }
result : { "http_method":"PUT", "status":"error", "http_status":400, "vdom":"root", "path":"switch", "name":"interface", "mkey":"port5", "cmdb-index":"626", "cmdb-checksum":"18090615568083149156", "serial":"S108FPXXXXXXXX ", "version":"v7.2.7", "build":479, "timestamp":"2025-08-22T13:49:39Z" }
```

On the FortiSwitch, running CLI debug while the VLANs are applied shows the return code -9999 on the `end` of the affected ports, which means that configuration was not saved:

```
S108FPXXXXXXXX # diagnose debug cli 8
S108FPXXXXXXXX # diagnose debug enable
S108FPXXXXXXXX # 0: config switch physical-port
0: edit "port2"
0: unset link-status
0: end
0: config switch interface
0: edit "port2"
0: unset allowed-vlans
0: set allowed-vlans 8,10,20,30-37,55,4088-4093
-9999: end
0: config switch physical-port
0: edit "port3"
0: unset link-status
0: end
0: config switch interface
0: edit "port3"
0: unset allowed-vlans
0: set allowed-vlans 8,10,20,30-37,55,4088-4093
0: end
0: config switch interface
0: edit "port3"
0: config port-security
0: end
0: end
0: config switch physical-port
0: edit "port5"
0: unset link-status
0: end
0: config switch interface
0: edit "port5"
0: unset allowed-vlans
0: set allowed-vlans 1,8,10,20,31-37,55,4088-4093
-9999: end
```

**Observation:** This issue occurs when the configuration is applied on FortiSwitch ports where RPVST+ is enabled.

**Note:** If 'ALL' is set on ports without RPVST+, the VLAN configuration is pushed successfully (port3 above succeeds with the same VLAN list).

Example (problematic config):

```
S108FPXXXXXXXX # show switch interface port5
config switch interface
    edit "port5"
        set native-vlan 30
        set allowed-vlans 1,8,10,20,31-34,55,4088-4093
        set untagged-vlans 4093
        set rpvst-port enabled
        set auto-discovery-fortilink enable
        set snmp-index 5
    next
```

**Root Cause:** In FortiSwitch v7.2.7, ports with RPVST+ enabled are limited to 16 VLANs. Refer to the v7.2.7 administration guide.

**Resolution:**
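As an added example (not Fortinet's code and not part of the original article), the Python script below parses the two VLAN-list formats that appear in the output above, the comma/range form from `show switch interface` and the space-separated form from the `get-sync-status` payload, counts the VLANs each port would carry, and flags RPVST+-enabled ports whose list exceeds the 16-VLAN limit stated in the root cause, so the condition can be caught from a saved `show switch interface` dump before the FortiGate pushes the configuration. The `show switch interface` output it checks is constructed; the limit value, the `rpvst-port enabled` / `allowed-vlans` setting names and the nesting of the config blocks are taken from the article. Whether the native VLAN counts toward the limit is not stated in this article, so only `allowed-vlans` is counted.

```python
"""Pre-flight check for the RPVST+ VLAN limit described in the article.

Added example, not Fortinet code.  Assumes the limit of 16 VLANs per
RPVST+-enabled port on FortiSwitch v7.2.7, as stated in the article's
root cause, and that only the allowed-vlans list is counted.
"""
from __future__ import annotations

import re

RPVST_VLAN_LIMIT = 16  # limit stated in the article for FortiSwitch v7.2.7


def expand_vlan_list(spec: str) -> set[int]:
    """Expand '8,10,20,30-37' or '4093 4091 30 ' into a set of VLAN ids.

    Accepts both separators seen in the article: commas with ranges
    (show switch interface) and spaces (get-sync-status payload).
    """
    vlans: set[int] = set()
    for token in re.split(r"[,\s]+", spec.strip()):
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            if lo > hi:
                lo, hi = hi, lo
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(token))
    bad = sorted(v for v in vlans if not 1 <= v <= 4094)
    if bad:
        raise ValueError(f"VLAN id out of range: {bad}")
    return vlans


def vlan_count(spec: str) -> int:
    """Number of distinct VLANs a port would carry for the given list."""
    return len(expand_vlan_list(spec))


def parse_switch_interfaces(show_output: str) -> dict[str, dict[str, str]]:
    """Parse 'show switch interface' output into {port: {setting: value}}.

    Only 'set' lines directly inside a top-level 'edit "portN"' block are
    recorded; nested blocks such as 'config port-security' are skipped.
    """
    ports: dict[str, dict[str, str]] = {}
    current: str | None = None
    depth = 0  # 1 == inside 'config switch interface'
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            continue
        if depth != 1:
            continue
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            ports[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            ports[current][key] = value
        elif line == "next":
            current = None
    return ports


def rpvst_violations(show_output: str, limit: int = RPVST_VLAN_LIMIT) -> dict[str, int]:
    """Return {port: vlan_count} for RPVST+ ports whose allowed-vlans exceed the limit."""
    result: dict[str, int] = {}
    for port, cfg in parse_switch_interfaces(show_output).items():
        if cfg.get("rpvst-port") != "enabled":
            continue
        n = vlan_count(cfg.get("allowed-vlans", ""))
        if n > limit:
            result[port] = n
    return result


# Constructed sample: port2 has RPVST+ and the 18-VLAN list from the debug
# output above (rejected with -9999); port3 carries the same list without RPVST+.
SAMPLE_SHOW = """\
config switch interface
    edit "port2"
        set native-vlan 30
        set allowed-vlans 8,10,20,30-37,55,4088-4093
        set untagged-vlans 4093
        set rpvst-port enabled
        set auto-discovery-fortilink enable
        set snmp-index 2
    next
    edit "port3"
        set native-vlan 30
        set allowed-vlans 8,10,20,30-37,55,4088-4093
        set untagged-vlans 4093
        config port-security
        end
        set auto-discovery-fortilink enable
        set snmp-index 3
    next
end
"""

if __name__ == "__main__":
    for port, n in rpvst_violations(SAMPLE_SHOW).items():
        print(f"{port}: rpvst-port enabled with {n} allowed VLANs (limit {RPVST_VLAN_LIMIT})")
```

Run against a saved `show switch interface` dump, the script reports only port2, because port3 carries the same 18 VLANs without RPVST+, matching the article's observation that the push fails only on RPVST+ ports.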
