Symptoms:

- Configuration synchronization from FortiGate to FortiSwitch fails.
- Running the following command on FortiGate may show errors similar to the example below:

    FortiGate # execute switch-controller get-sync-status all
    Managed-devices in current vdom root:

    FortiLink interface : FortiLink
    SWITCH-ID (SERIAL)    STATUS    CONFIG    MAC-SYNC    HTTP-UPGRADE
    FortiSwitch1          Up        Error     Error       -
    [1] command: https://10.255.3.5:443/api/v2/login
        payload:
        result : REST API login failed with error 28

- In some cases, the CONFIG and MAC-SYNC status may remain in the Sync state instead:

    FortiGate # execute switch-controller get-sync-status all
    Managed-devices in current vdom root:

    FortiLink interface : FortiLink
    SWITCH-ID (SERIAL)    STATUS    CONFIG    MAC-SYNC    HTTP-UPGRADE
    FortiSwitch1          Up        Sync      Sync        -

Cause:

- If trusted host restrictions are configured on FortiSwitch for administrative access, the FortiLink subnet must be included in the trusted host list.
- FortiGate connects to FortiSwitch over the FortiLink IP address and authenticates with administrative credentials through the REST API in order to push configuration. If the FortiLink subnet is not covered by the trusted host entries, the REST API login attempt is rejected by FortiSwitch (error 28 above), and configuration synchronization cannot proceed.
- By default, the FortiSwitch administrator account does not restrict access: every trusted host entry is 0.0.0.0 0.0.0.0 (IPv4) or ::/0 (IPv6), which allows connections from all IP addresses.

Example default configuration from FortiSwitch:

    config system admin
        edit "admin"
            set trusthost1 0.0.0.0 0.0.0.0
            set trusthost2 0.0.0.0 0.0.0.0
            set trusthost3 0.0.0.0 0.0.0.0
            set trusthost4 0.0.0.0 0.0.0.0
            set trusthost5 0.0.0.0 0.0.0.0
            set trusthost6 0.0.0.0 0.0.0.0
            set trusthost7 0.0.0.0 0.0.0.0
            set trusthost8 0.0.0.0 0.0.0.0
            set trusthost9 0.0.0.0 0.0.0.0
            set trusthost10 0.0.0.0 0.0.0.0
            set ip6-trusthost1 ::/0
            set ip6-trusthost2 ::/0
            set ip6-trusthost3 ::/0
            set ip6-trusthost4 ::/0
            set ip6-trusthost5 ::/0
            set ip6-trusthost6 ::/0
            set ip6-trusthost7 ::/0
            set ip6-trusthost8 ::/0
            set ip6-trusthost9 ::/0
        next
    end

Resolution:

- If trusted host restrictions are configured on FortiSwitch, ensure that the FortiLink subnet is included in the trusted host configuration.

Example. FortiGate configuration:

    show system interface fortilink
    config system interface
        edit "fortilink"
            set vdom "root"
            set vrf 0
            set fortilink enable
            set mode static
            set ip 10.255.3.1 255.255.255.0
        next
    end

- The FortiLink subnet in this example is 10.255.3.0/24.

FortiSwitch trusted host configuration, with the FortiLink subnet added as trusthost1:

    show system admin admin
    config system admin
        edit "admin"
            set trusthost1 10.255.3.0 255.255.255.0
            set trusthost2 192.168.2.0 255.255.255.0
            set trusthost3 192.168.1.0 255.255.255.0
            set trusthost4 0.0.0.0 0.0.0.0
            set trusthost5 0.0.0.0 0.0.0.0
            set trusthost6 0.0.0.0 0.0.0.0
            set trusthost7 0.0.0.0 0.0.0.0
            set trusthost8 0.0.0.0 0.0.0.0
            set trusthost9 0.0.0.0 0.0.0.0
            set trusthost10 0.0.0.0 0.0.0.0
            set ip6-trusthost1 ::/0
            set ip6-trusthost2 ::/0
            set ip6-trusthost3 ::/0
            set ip6-trusthost4 ::/0
            set ip6-trusthost5 ::/0
            set ip6-trusthost6 ::/0
            set ip6-trusthost7 ::/0
            set ip6-trusthost8 ::/0
            set ip6-trusthost9 ::/0
        next
    end

Related article:

- Config synchronization issue with REST API login failure: Troubleshooting Tip: Config sync issue, REST API login failed with error 28.
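To check the condition described above before the sync fails, the following added script (not part of this article or of Fortinet's tooling) derives the FortiLink subnet from the FortiGate interface config and tests whether any FortiSwitch trusthostN entry covers it. The config text is constructed from the examples in this article; the function names are assumptions.

```python
import ipaddress
import re
from typing import List

# Constructed sample: FortiGate FortiLink interface config as shown in the article.
FORTIGATE_INTERFACE = """
config system interface
    edit "fortilink"
        set fortilink enable
        set ip 10.255.3.1 255.255.255.0
    next
end
"""

# Constructed sample: restrictive FortiSwitch admin config that omits the FortiLink subnet.
FORTISWITCH_ADMIN_MISSING = """
config system admin
    edit "admin"
        set trusthost1 192.168.2.0 255.255.255.0
        set trusthost2 192.168.1.0 255.255.255.0
    next
end
"""


def fortilink_subnet(interface_cfg: str) -> ipaddress.IPv4Network:
    """Derive the FortiLink subnet from the interface's 'set ip <addr> <mask>' line."""
    m = re.search(r"^\s*set ip (\S+) (\S+)\s*$", interface_cfg, re.M)
    if not m:
        raise ValueError("no 'set ip <addr> <mask>' line in interface config")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def trusted_hosts(admin_cfg: str) -> List[ipaddress.IPv4Network]:
    """Collect every IPv4 'set trusthostN <addr> <mask>' entry; 0.0.0.0 0.0.0.0 parses to 0.0.0.0/0 (any)."""
    pairs = re.findall(r"^\s*set trusthost\d+ (\S+) (\S+)\s*$", admin_cfg, re.M)
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=False) for addr, mask in pairs]


def fortilink_allowed(interface_cfg: str, admin_cfg: str) -> bool:
    """True when some trusted-host entry contains the whole FortiLink subnet, i.e. REST login can succeed."""
    subnet = fortilink_subnet(interface_cfg)
    return any(subnet.subnet_of(net) for net in trusted_hosts(admin_cfg))


if __name__ == "__main__":
    print("FortiLink subnet:", fortilink_subnet(FORTIGATE_INTERFACE))
    print("FortiLink subnet trusted:", fortilink_allowed(FORTIGATE_INTERFACE, FORTISWITCH_ADMIN_MISSING))
```

Run it against `show system interface fortilink` output from FortiGate and `show system admin admin` output from FortiSwitch; a False result reproduces the cause of the REST API login failure above.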