Skip to main content
riteshpv
Staff
riteshpv
Staff
November 12, 2024

Troubleshooting Tip: Unable to push new configurations to managed FortiSwitch after configuration changes

  • November 12, 2024
  • 0 replies
  • 1112 views
Description This article describes an issue encountered where configuration changes fail to push to a managed FortiSwitch after changing the HTTPS port on the FortiSwitch.
Scope FortiSwitch version v7.2 v7.4 v7.6.
Solution

Basic Understanding:

  • FortiSwitch devices can be managed by FortiGate, FortiSwitch Manager, or FortiCloud.
  • Management occurs over the internal interface (if using in-band management) or the management port (out-of-band management).
  • Access to manage FortiSwitch can also be set up via a Layer 3 interface (switch-virtual-interface (SVI)) or a dedicated management port.
  • The default management access uses HTTPS on port 443 and SSH on port 22.

 

Requirement: In some cases, security policies may require using non-standard ports for HTTPS (e.g., 4443 instead of 443).

 

Configuration Change: To change the HTTPS port, run the following command directly on a FortiSwitch to apply the configuration globally:

 

config system web
    set https-port 4443
end

 

After this change, FortiSwitch management (internal/SVI/management) becomes accessible only on the new HTTPS port (for example: 4443).

 

Consequence:

  • Applying this configuration causes synchronization issues for managed FortiSwitches, preventing any new configurations from being pushed by the manager.
  • On FortiGate/FortiSwitch Manager, this may show in results as a config sync (C/3C) or config sync error (E) flag.

Example FortiGate Command: Use the following command to review connection status:

 

Fortigate # execute switch-controller get-conn-status

SWITCH-ID        VERSION         STATUS       FLAG  ADDRESS          JOIN-TIME             SERIAL
S248EFTF1XXXXXX   v7.4.0 (767)  Authorized/Up  3C   1.1.1.4    Wed Nov 6 18:52:29 2024 S248EFTF1XXXXXX

 

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External

In debug logs on FortiGate, the sync error will be evident:

 

Debug command:

 

diagnose debug console timestamp enable
diagnose debug application flcfgd -1
diag debug enable

 

Example Error Message:

 

2024-11-12 16:00:33 396s:793ms:160us flcfg_remove_msw_sync_errors[1143]:No file /tmp/switch-controller/error-log/S248EFTF1XXXXXX to remove.

 

This error occurs because the manager, by default, uses port 443 (HTTPS) to push configurations to the managed FortiSwitch and cannot use a custom port (for example, port 4443), even if it is configured directly on the FortiSwitch.

 

Resolution:

  • Do not change the default HTTPS port when the FortiSwitch is managed. Reset the HTTPS port to the default as follows:

 

config system web
    set https-port 443
end

 

For more information on the protocols used to manage FortiSwitch, refer to Management-Protocols-for-FortiSwitch-discovery.
    Terms & ConditionsAccessibility statement