shawn-ev
Explorer II
March 4, 2024
Solved

Configure fortilink for fortiswitch over wifi mesh


3/11/2024: I've made some progress and have updated my original post below as needed. Thank you very much, @Anthony_E, for continuing to look for support!

 

I know this topic has been covered, but I need help. I have a fortiswitch in a separate building from the main firewall and switch. I am trying to connect to that switch via fortilink, but each time I enable the fortilink-p2p on the REMOTE switch ports, my APs go into a reboot cycle. Here's my configuration:

 

FG100F(port12) <-> (port23 via fortilink)Fortiswitch(port 7) <-> FAP432F <-> FAP432F <-> (port2)Fortiswitch(port3) <-> client

The VLAN for the APs is 10.

The VLAN for the client is 20.

 

Following these guides...

Technical Tip: FortiLink over P2P wireless bridge/... - Fortinet Community

FortiSwitch FortiSwitch Devices Managed by FortiOS 7.0 (fortinetweb.s3.amazonaws.com)

Fortilink Managed Switches over Wireless P2P Bridge – J's Stuff (jsstuff.com)

...I have done the below:

 

Remote switch:

# set fortilink-p2p-native-vlan 10 (I used VLAN 10 because that is the VLAN for the APs)

set fortilink-p2p enable on port2 of the switch

 

Remote (LEAF) AP:

# cfg -a MESH_ETH_BRIDGE=1
# cfg -a MESH_ETH_BRIDGE_VLANS=1,10,20,4094

# cfg -c

 

Main switch:

set fortilink-p2p enable on port7 of the switch. The APs go into their reboot loops after I set this.

 

Questions:

1. Am I supposed to run set fortilink-p2p-native-vlan 10 on BOTH switches? If yes, how will that affect the existing fortilink connection that switch has with the firewall? Already found this answer, it is yes.

2. Do I have to run the AP commands (cfg -a ... ) on the ROOT AP as well as the leaf? The guide does not mention the ROOT AP. The cfg -a MESH_ETH... commands mentioned above are not available until you convert your AP into a LEAF AP using cfg -a MESH_TYPE=1. If I do that, then I lose the ROOT AP. You can't have a MESH system without a ROOT. More on this below.

3. What am I missing?

 

***Today, 3/11/2024, I believe I've narrowed down the problem to the remote switch. I've worked with Fortinet Support who validated my configuration on all the devices. The problem I'm having is that as soon as I enable set fortilink-p2p enable on both switches, the APs start cycling. The ROOT AP will reset, as will the LEAFs. It will take several minutes for the ROOT to recover, a few more minutes for one or both LEAF APs to recover (there are 2 LEAFs total in this infra, but only one has a switch behind it). As soon as the LEAFs go green, the ROOT resets again, and then the LEAFs, rinse and repeat. I started eliminating variables and this is what I've found.

 

1. I can fully configure the firewall, main switch, and all APs and the wifi will not be affected. Here is the config.
Firewall

set switch-controller-source-ip fixed  (setting suggested by Fortinet support)

set fortilink-p2p-native-vlan 200
set fortilink-vlan-optimization enable

Main Switch 

set mgmt-vlan 4094  (default setting?)

set fortilink-p2p enable  (on port7)

LEAF APs

cfg -a MESH_ETH_BRIDGE=1
cfg -a MESH_ETH_BRIDGE_VLANS=1,10,20,4094

 

2. After a factory reset of the REMOTE switch, the mgmt-vlan is set to 1 vice 4094. It needs to be set to 4094. The problem is, as soon as I set it to 4094, I lose direct access to the switch. I do not have physical access to the switch. I have a helper on site who connected a spare laptop to the switch on port 1. I remote into that spare laptop to configure the switch. As soon as I set mgmt-vlan 4094, I lose access. I cannot ssh back in using ssh admin@192.168.1.99. Does the IP change? The only option I have is to have my helper do a factory reset, which changes the mgmt-vlan back to 1. Fortinet Support says that has to be 4094. Can I simply change the mgmt-vlan to 1 for all devices?

 

I think my only option at this point, without traveling to the site and connecting via the console port for more debugging, is to configure and manage this switch as a standalone unit. What are your thoughts??

 

Thank you for your time and assistance.

Best answer by adrian_s_trem

7 replies

Anthony_E
Staff
March 7, 2024

Hello Shawn,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
March 11, 2024

Hello Shawn,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Best Regards
Anthony_E
Staff
March 12, 2024

Hi Shawn,

 

I saw your update and will transfer it to one of our experts :)!

 

Regards!

Best Regards
shawn-ev (Author)
Explorer II
March 12, 2024

Thank you for actively finding folks to help me. I really appreciate it!!

sachitdas_FTNT
Staff
March 12, 2024

Hi Shawn,

I recommend you work with TAC for the FAP crashing issue; this needs to be investigated.

Standalone mode could be an option..

 

 

shawn-ev (Author)
Explorer II
March 12, 2024

Stupid question, is TAC different from the normal Fortinet Support channels?

I need to get this up and running asap so I'm going down the standalone path. Next time I'm on site I will investigate further.

 

Thank you!

sachitdas_FTNT
Staff
March 12, 2024

Hi Shawn,

It's the same thing. You can call us and raise a ticket.

https://fortinet.com/support-and-training/support/contact.html

 

 

wmiller203405
New Member
April 4, 2024

Shawn, did you ever figure this out? We have the exact same problem. When configuring the leaf switch in standalone mode the mesh wifi stays up. The second we configure fortilink it crashes the APs with the exact same behavior.

shawn-ev (Author)
Explorer II
June 3, 2024

I was never able to make it work. I changed the infrastructure and removed the switch. I simply connected the endpoint directly to the AP then adjusted the firewall and VLAN rules. This works for us because I have only one hardwired endpoint on this AP.

I apologize for the delay in replying, I didn't see your question back in April. Did you ever find a solution to use the switch??

adrian_s_trem
Explorer
June 1, 2024

Having the EXACT same issue. Did you ever get this sorted out?

 

 

 

shawn-ev (Author)
Explorer II
June 3, 2024

I was never able to make it work. I changed the infrastructure and removed the switch. I simply connected the endpoint directly to the AP then adjusted the firewall and VLAN rules. This works for us because I have only one hardwired endpoint on this AP.

adrian_s_trem
Explorer
June 5, 2024

After spending the entire day yesterday trying to get a fortiswitch engineer to assist me, I finally have the missing part. The engineer told me that the Fortinet article https://community.fortinet.com/t5/FortiSwitch/Technical-Tip-FortiLink-over-P2P-wireless-bridge-mesh/ta-p/214925 is actually outdated and it is missing a key piece of information. One needs to add "set static-isl enable" on the trunk that is formed to the new switch like so:

 

config switch trunk
    edit "2DPTD2300xxxx-0"
        set auto-isl 1
        set static-isl enable
        set members "port6"
    next
end

 

Once you add that line, the remote switch that sits over the p2p bridge will come up online and STP will no longer interfere and block it.

 

I really hope fortinet will update that article..

 

UPDATE June 10 2024: Good news, the article linked above has been updated. There is another very important fact that needs to be taken into account. Both FortiAP units need to be running 7.2.2 as it is the only internally certified version to work in Mesh mode with P2P transparent bridge. Just keep in mind that as soon as you update your leaf AP to 7.2.2 and configure it to run as a transparent mesh, it will no longer be managed by the FortiGate. No clue how to fix this yet and I don't have time to investigate. But it does work.

 

 

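The two conditions this thread converges on (`set static-isl enable` on the auto-ISL trunk towards the remote switch, and the leaf AP bridging the switch management VLAN, 4094 by default) can be checked mechanically against pasted CLI output before a change window. The script below is an added example written for this edit; it is not code from the thread, from Fortinet, or from the linked article. Its parser handles only the `config / edit / set / next / end` layout shown in the post above, the `config switch global` block carrying `mgmt-vlan` and the trunk and AP snippets are constructed samples, and the rule that MESH_ETH_BRIDGE_VLANS must include the switch mgmt VLAN is an assumption drawn from the thread's requirement that mgmt-vlan be 4094 and that 4094 appear in the bridged VLAN list.

```python
"""Audit FortiLink-over-wireless-bridge settings from pasted CLI output.

Added example, not from the thread. Checks two things:
  1. every auto-ISL trunk has 'set static-isl enable' (otherwise STP may
     block the trunk that forms across the wireless bridge);
  2. the leaf FortiAP bridges the switch management VLAN so FortiLink
     management frames can cross the bridge (assumption, see lead-in).
"""
import re
from typing import Dict, List

# Matches 'cfg -a KEY=VALUE' lines, with or without the '#' prompt shown in the thread.
CFG_LINE = re.compile(r"^\s*(?:#\s*)?cfg\s+-a\s+([A-Z_0-9]+)=(\S+)")


def parse_forti_config(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse 'config <table> / edit <name> / set k v / next / end' blocks into
    {table: {entry: {key: value}}}. Tables without 'edit' (e.g. a global
    table) get a single synthetic entry named '_global'."""
    tables: Dict[str, Dict[str, Dict[str, str]]] = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
            tables.setdefault(table, {})
            entry = None
        elif line.startswith("edit ") and table is not None:
            entry = line[len("edit "):].strip().strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and table is not None:
            if entry is None:                      # 'set' directly under 'config'
                entry = "_global"
                tables[table].setdefault(entry, {})
            key, _, value = line[len("set "):].partition(" ")
            tables[table][entry][key] = value.strip().strip('"')
        # 'next' / 'end' / blank lines need no state change for this layout
    return tables


def parse_fap_cfg(text: str) -> Dict[str, str]:
    """Collect KEY=VALUE pairs from FortiAP 'cfg -a' lines."""
    return {m.group(1): m.group(2) for m in map(CFG_LINE.match, text.splitlines()) if m}


def audit(switch_cfg: str, leaf_ap_cfg: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings: List[str] = []
    tables = parse_forti_config(switch_cfg)

    # Check 1: auto-ISL trunks must also be static-isl, per the accepted answer.
    for name, attrs in tables.get("switch trunk", {}).items():
        if attrs.get("auto-isl") == "1" and attrs.get("static-isl") != "enable":
            findings.append(f"trunk {name}: auto-ISL trunk lacks 'set static-isl enable'; "
                            "STP may block it across the wireless bridge")

    # Check 2: the leaf AP must bridge the switch mgmt VLAN (assumed: 4094 unless set).
    mgmt_vlan = tables.get("switch global", {}).get("_global", {}).get("mgmt-vlan", "4094")
    ap = parse_fap_cfg(leaf_ap_cfg)
    if ap.get("MESH_ETH_BRIDGE") != "1":
        findings.append("leaf AP: MESH_ETH_BRIDGE is not 1; the Ethernet port is not bridged")
    vlans = set(ap.get("MESH_ETH_BRIDGE_VLANS", "").split(",")) - {""}
    if mgmt_vlan not in vlans:
        findings.append(f"leaf AP: MESH_ETH_BRIDGE_VLANS {sorted(vlans, key=int)} does not "
                        f"carry switch mgmt VLAN {mgmt_vlan}")
    return findings


# Constructed samples (not captured from a real device): the remote-switch
# trunk as first posted, the same trunk with the fix, and two leaf-AP configs.
BROKEN_SWITCH = """\
config switch global
    set mgmt-vlan 4094
end
config switch trunk
    edit "2DPTD2300xxxx-0"
        set auto-isl 1
        set members "port6"
    next
end
"""
FIXED_SWITCH = BROKEN_SWITCH.replace(
    "set auto-isl 1\n", "set auto-isl 1\n        set static-isl enable\n")
LEAF_AP = "# cfg -a MESH_ETH_BRIDGE=1\n# cfg -a MESH_ETH_BRIDGE_VLANS=1,10,20,4094\n# cfg -c\n"
LEAF_AP_NO_MGMT = "cfg -a MESH_ETH_BRIDGE=1\ncfg -a MESH_ETH_BRIDGE_VLANS=1,10,20\n"

if __name__ == "__main__":
    for label, sw, ap in (("as posted", BROKEN_SWITCH, LEAF_AP),
                          ("after fix", FIXED_SWITCH, LEAF_AP),
                          ("bridge drops 4094", FIXED_SWITCH, LEAF_AP_NO_MGMT)):
        print(f"{label}: {audit(sw, ap) or ['ok']}")
```

Paste the output of `show switch trunk` (and the global block that holds `mgmt-vlan`) from the remote switch and the leaf AP's `cfg -a` lines in place of the constructed samples; the first finding reproduces the STP-blocked trunk the accepted answer describes, the second catches a bridge that would silently drop the management VLAN.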
shawn-ev (Author)
Explorer II
June 5, 2024

WOW! You deserve some frothy beverages for running this to ground. I wish the switch engineer I worked with was aware of that setting. I have messaged the moderator responsible for that Tech Tip article, referred to this thread, and asked him to update it.

 

@wmiller203405, please see the above post, you have to set static-isl enable on the trunk.

 

UPDATE June 10, 2024. Thank you for passing on that critical info. We gain fortilink remote switch management but lose remote leaf AP management. Definitely not ideal, but at least we know.

wmiller203405
New Member
June 12, 2024

Shawn,

Unfortunately, there is a bug in the FortiAP-432FR device firmware which does not allow mesh mode to work at all. We actually installed UniFi p2p devices and were able to get the fortiswitches working over the wireless bridge with this info. We also had to enable the mgmt vlan on the fortiswitch to get the gate to recognize it. Should look like the following.

config