MMGE
New Member
May 15, 2025
Question

Fortigate 100F 10G interface with FN-TRAN-SFP+SR not coming up


Dear All,

I have the following connection:

Cisco Switch - SFP-10G-SR - OM3 MMF cable 3 meter - FN-TRAN-SFP+SR - FortiGate 100F, X2 port.

Previously I used SFP-10G-SR on both devices and the link worked, but after installing FN-TRAN-SFP+SR the link goes down.

I have more than one FN-TRAN-SFP+SR, but the result is the same for all modules.

Does anyone know why these SFPs do not want to talk to each other?

Thanks in advance.

9 replies

funkylicious
SuperUser
May 15, 2025

hi,

that's quite strange. could it be that you have manually set on Cisco side the port to speed 10G and on FGT side auto-negotiation is enabled and thus failing? do you have any logs on the Cisco side or just the generic link down log?

try setting the speed manually of the interface on the FGT.

"jack of all trades, master of none"
MMGE
Author
New Member
May 15, 2025

Hi,

Thanks for the response.

Here are configuration fragments:

Cisco:

interface Port-channel4
 description TO_FGT100_DMZ
 switchport trunk allowed vlan XXXXXXXXXX
 switchport mode trunk
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree

interface TenGigabitEthernet1/0/4
 description PO_4
 switchport trunk allowed vlan XXXXXXXXXX
 switchport mode trunk
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree
 channel-protocol lacp
 channel-group 4 mode active

interface TenGigabitEthernet2/0/4
 description PO_4
 switchport trunk allowed vlan XXXXXXXXXX
 switchport mode trunk
 logging event trunk-status
 logging event bundle-status
 logging event spanning-tree
 channel-protocol lacp
 channel-group 4 mode active

FGT:

config system interface
    edit "PortChanX1-X2"
        set vdom "root"
        set allowaccess ping fgfm fabric
        set type aggregate
        set member "x1" "x2"
        set device-identification enable
        set lldp-reception enable
        set lldp-transmission enable
        set monitor-bandwidth enable
        set role dmz
        set snmp-index 36
        set ip-managed-by-fortiipam disable
    next
end

I can't see any error log on the Cisco side.

funkylicious
SuperUser
May 15, 2025
"jack of all trades, master of none"
MMGE
Author
New Member
May 15, 2025

Interfaces are configured as in the document.

Same result.

Device FW version is 7.6.2

Here is the output of the command:

diagnose hardware deviceinfo nic x2
Description :FortiASIC NP6XLITE Adapter
Driver Name :FortiASIC NP6XLITE Driver
Board :100F
lif id :19
lif oid :83
netdev oid :83
Current_HWaddr e8:ed:d6:06:46:0a
Permanent_HWaddr e8:ed:d6:06:46:0b
========== Link Status ==========
Admin :up
netdev status :down
autonego_setting :0
link_setting :1
speed_setting :10000
duplex_setting :1
Speed :0
Duplex :N/A
link_status :Down
============ Counters ===========
Rx Pkts :4410131036
Rx Bytes :418971399797
Tx Pkts :6645923932
Tx Bytes :4639186005759
Host Rx Pkts :4168129286
Host Rx Bytes :242665272510
Host Tx Pkts :5468641402
Host Tx Bytes :3924345036636
Host Tx dropped :0
FragTxCreate :0
FragTxOk :0
FragTxDrop :0
sw_rx_pkts :4410125157
sw_rx_bytes :460194850472
sw_rx_mc_pkts :10429313
sw_rx_bc_pkts :357267
sw_tx_pkts :6645915121
sw_tx_bytes :4669819690962
sw_tx_mc_pkts :962052
sw_tx_bc_pkts :450013

AEK
SuperUser
May 15, 2025

Hi MMGE

I don't have much knowledge of SFPs, but if it helps, I already faced the same issue, where a third-party SFP+ (on a Huawei router) was not compatible with Fortinet's SFP+. We fixed it by replacing the third-party SFP+ with another brand.

AEK
MMGE
Author
New Member
May 15, 2025

Thanks for the response, AEK,

As I mentioned in the first post, when I install Cisco SFP-10G-SR in both devices, the port-channel link comes up, and I used it that way previously, but in the FortiGate GUI there is a warning message, so I decided to plug in the required SFP there - Fortinet FN-TRAN-SFP+SR. After this the link goes down.

Toshi_Esumi
SuperUser
May 15, 2025

While FGTs generally don't care much about SFP/SFP+ manufacturers, Cisco devices check the vendor ID in the SFP/SFP+ and reject it if it's not a Cisco-compatible one. You likely need to have a Cisco-compatible SFP+ on its end. The FN-TRANS ones might not be accepted by the Cisco.

Toshi

MMGE
Author
New Member
May 16, 2025

Hi,

Thanks for the response.

My topology is:

Cisco Switch with SFP-10G-SR installed,

FGT100F with FN-TRAN-SFP+SR installed, and OM3 MMF between them.

This communication has a problem - the link status on the Cisco switch is noconnect.

Before, I used SFP-10G-SR SFPs installed in both devices, and they worked perfectly.

Toshi_Esumi
SuperUser
May 16, 2025

The first config you showed had Port-channel/link aggregation configured. Are you saying Ten1/0/4 - X1 comes up but Ten1/0/5 - X2 doesn't come up?
Then what kind of warning did you get when it had an SFP-10G-SR on X2 before?

Toshi

MMGE
Author
New Member
May 16, 2025

I will try to show it:

You can see the interface status in the images below. Cisco SFPs are now installed in all devices.

When I change the SFP on the FGT, one of the interfaces of the Cisco switch goes down.

[Images: Cisco interfaces.png, forti interfaces.png]

trhs1101
New Member
May 16, 2025

Hi,

What does the 'show log' command say on the Cisco switch? You can filter this by interface, for example:

'show log | i 1/0/20'

Unplug the cables/transceivers first and then do the show log to get fresh, relevant logs.

Is Spanning Tree enabled? If so, exclude the ports that are aggregated from it.

MMGE
Author
New Member
May 16, 2025

Here is a log from yesterday:

Interface status is noconnect.

When the port goes UP, the Cisco SFP is inserted in the FGT.

May 15 10:02:39.854: %LINK-5-CHANGED: Interface TenGigabitEthernet2/0/4, changed state to administratively down
May 15 10:02:50.160: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to down
May 15 12:39:51.189: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te2/0/4 removed
May 15 13:20:07.266: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/0/4
May 15 13:20:13.751: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to up
May 15 13:20:15.254: %DTP-5-TRUNKPORTON: Port Te2/0/4 has become dot1q trunk
May 15 13:20:23.338: %ETC-5-BUNDLE: Interface Te2/0/4 joined port-channel Po4
May 15 13:20:24.744: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to up
May 15 13:20:31.963: %ETC-5-UNBUNDLE: Interface Te2/0/4 left the port-channel Po4
May 15 13:20:32.463: %DTP-5-NONTRUNKPORTON: Port Te2/0/4 has become non-trunk
May 15 13:20:32.956: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to down
May 15 13:20:33.964: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to down
May 15 13:23:53.940: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te2/0/4 removed
May 15 13:25:00.595: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/0/4
May 15 13:25:09.729: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to up
May 15 13:25:11.230: %DTP-5-TRUNKPORTON: Port Te2/0/4 has become dot1q trunk
May 15 13:25:17.421: %ETC-5-BUNDLE: Interface Te2/0/4 joined port-channel Po4
May 15 13:25:18.744: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to up
May 15 14:02:15.378: %ETC-5-UNBUNDLE: Interface Te2/0/4 left the port-channel Po4
May 15 14:02:16.056: %DTP-5-NONTRUNKPORTON: Port Te2/0/4 has become non-trunk
May 15 14:02:16.373: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to down
May 15 14:02:19.580: %DTP-5-TRUNKPORTON: Port Te2/0/4 has become dot1q trunk
May 15 14:02:27.846: %ETC-5-L3DONTBNDL2: Te2/0/4 suspended: LACP currently not enabled on the remote port.
May 15 14:03:08.859: %DTP-5-NONTRUNKPORTON: Port Te2/0/4 has become non-trunk
May 15 14:03:12.561: %DTP-5-TRUNKPORTON: Port Te2/0/4 has become dot1q trunk
May 15 14:03:19.187: %ETC-5-BUNDLE: Interface Te2/0/4 joined port-channel Po4
May 15 14:03:20.500: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to up
May 15 14:04:02.791: %ETC-5-UNBUNDLE: Interface Te2/0/4 left the port-channel Po4
May 15 14:04:03.475: %DTP-5-NONTRUNKPORTON: Port Te2/0/4 has become non-trunk
May 15 14:04:03.786: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to down
May 15 14:04:07.002: %DTP-5-TRUNKPORTON: Port Te2/0/4 has become dot1q trunk
May 15 14:04:15.392: %ETC-5-L3DONTBNDL2: Te2/0/4 suspended: LACP currently not enabled on the remote port.
May 15 14:04:53.623: %DTP-5-NONTRUNKPORTON: Port Te2/0/4 has become non-trunk
May 15 14:04:57.151: %DTP-5-TRUNKPORTON: Port Te2/0/4 has become dot1q trunk
May 15 14:05:04.299: %ETC-5-BUNDLE: Interface Te2/0/4 joined port-channel Po4
May 15 14:05:05.504: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to up
May 15 14:05:56.718: %ETC-5-UNBUNDLE: Interface Te2/0/4 left the port-channel Po4
May 15 14:05:57.698: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to down
May 15 14:06:53.822: %ETC-5-BUNDLE: Interface Te2/0/4 joined port-channel Po4
May 15 14:06:54.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to up
May 15 14:40:03.264: %ETC-5-UNBUNDLE: Interface Te2/0/4 left the port-channel Po4
May 15 14:40:03.902: %DTP-5-NONTRUNKPORTON: Port Te2/0/4 has become non-trunk
May 15 14:40:04.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to down
May 15 14:40:07.428: %DTP-5-TRUNKPORTON: Port Te2/0/4 has become dot1q trunk
May 15 14:40:15.476: %ETC-5-L3DONTBNDL2: Te2/0/4 suspended: LACP currently not enabled on the remote port.
May 15 14:43:49.681: %DTP-5-NONTRUNKPORTON: Port Te2/0/4 has become non-trunk
May 15 14:43:53.209: %DTP-5-TRUNKPORTON: Port Te2/0/4 has become dot1q trunk
May 15 14:43:59.036: %ETC-5-BUNDLE: Interface Te2/0/4 joined port-channel Po4
May 15 14:44:00.367: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to up
May 15 17:31:54.681: %ETC-5-UNBUNDLE: Interface Te2/0/4 left the port-channel Po4
May 15 17:31:55.181: %DTP-5-NONTRUNKPORTON: Port Te2/0/4 has become non-trunk
May 15 17:31:55.672: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to down
May 15 17:31:56.682: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to down
May 15 18:03:53.743: %LINK-5-CHANGED: Interface TenGigabitEthernet2/0/4, changed state to administratively down
May 15 18:04:03.611: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to down
May 15 18:05:27.707: %LINK-5-CHANGED: Interface TenGigabitEthernet2/0/4, changed state to administratively down
May 15 18:05:35.428: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to down
May 15 18:07:29.268: %LINK-5-CHANGED: Interface TenGigabitEthernet2/0/4, changed state to administratively down
May 15 18:07:37.657: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to down
May 15 18:42:46.951: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te2/0/4 removed
May 15 18:42:58.190: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/0/4
May 16 08:09:12.422: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to down
May 16 08:13:58.484: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/0/4
May 16 08:39:24.080: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to up
May 16 08:39:25.583: %DTP-5-TRUNKPORTON: Port Te2/0/4 has become dot1q trunk
May 16 08:39:33.914: %ETC-5-BUNDLE: Interface Te2/0/4 joined port-channel Po4
May 16 08:39:35.276: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to up
May 16 09:29:30.761: %ETC-5-UNBUNDLE: Interface Te2/0/4 left the port-channel Po4
May 16 09:29:31.263: %DTP-5-NONTRUNKPORTON: Port Te2/0/4 has become non-trunk
May 16 09:29:31.753: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to down
May 16 09:29:32.762: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to down
May 16 09:30:40.831: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te2/0/4 removed
May 16 09:30:49.009: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/0/4
May 16 09:31:19.061: %PLATFORM_PM-6-MODULE_REMOVED: SFP module with interface name Te2/0/4 removed
May 16 09:31:26.574: %PLATFORM_PM-6-MODULE_INSERTED: SFP module inserted with interface name Te2/0/4
May 16 09:36:01.878: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to up
May 16 09:36:03.381: %DTP-5-TRUNKPORTON: Port Te2/0/4 has become dot1q trunk
May 16 09:36:09.551: %ETC-5-BUNDLE: Interface Te2/0/4 joined port-channel Po4
May 16 09:36:10.681: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/4, changed state to up
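
One way to read a log like the one above, as an added example that is not part of the original post: the script separates port-channel drops where the switch also logged a physical link-down from drops where only LACP was lost while the link stayed up. The function names and the 5-second correlation window are assumptions; the sample is an excerpt of the lines posted above.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the syslog lines posted above (Te2/0/4 only).
SAMPLE = """\
May 15 13:20:13.751: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to up
May 15 13:20:23.338: %ETC-5-BUNDLE: Interface Te2/0/4 joined port-channel Po4
May 15 13:20:31.963: %ETC-5-UNBUNDLE: Interface Te2/0/4 left the port-channel Po4
May 15 13:20:33.964: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/0/4, changed state to down
May 15 13:25:17.421: %ETC-5-BUNDLE: Interface Te2/0/4 joined port-channel Po4
May 15 14:02:15.378: %ETC-5-UNBUNDLE: Interface Te2/0/4 left the port-channel Po4
May 15 14:02:27.846: %ETC-5-L3DONTBNDL2: Te2/0/4 suspended: LACP currently not enabled on the remote port.
May 15 14:03:19.187: %ETC-5-BUNDLE: Interface Te2/0/4 joined port-channel Po4
May 15 14:04:02.791: %ETC-5-UNBUNDLE: Interface Te2/0/4 left the port-channel Po4
May 15 14:04:15.392: %ETC-5-L3DONTBNDL2: Te2/0/4 suspended: LACP currently not enabled on the remote port.
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+): %([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")

def parse(text):
    """Return (timestamp, mnemonic, message) for every IOS syslog line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # the log carries no year; strptime defaults it, fine for deltas
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3)))
    return events

def triage(text, window_s=5.0):
    """Split port-channel drops into physical link loss vs. LACP-only drops."""
    events = parse(text)
    out = {"bundled_ms": [], "link_loss": 0, "lacp_only": 0, "lacp_suspended": 0}
    joined = None
    for i, (ts, tag, _msg) in enumerate(events):
        if tag == "ETC-5-BUNDLE":
            joined = ts
        elif tag == "ETC-5-UNBUNDLE":
            if joined is not None:  # how long the member stayed in Po4
                out["bundled_ms"].append((ts - joined) // timedelta(milliseconds=1))
                joined = None
            physical = any(
                t2 == "LINK-3-UPDOWN" and m2.endswith("to down")
                and (ts2 - ts).total_seconds() <= window_s
                for ts2, t2, m2 in events[i + 1:])
            out["link_loss" if physical else "lacp_only"] += 1
        elif tag == "ETC-5-L3DONTBNDL2":
            out["lacp_suspended"] += 1
    return out
```

On this excerpt, one drop coincides with a logged link-down and two are LACP-only, which points the next check at LACP on the FortiGate aggregate rather than at the optics for those two events.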

MMGE
Author
New Member
May 16, 2025

Case update:

FN-TRAN-SFP+SR can work with SFP-10G-SR-S on the other side, but with SFP-10G-SR it can't.

Any solution for this?

Toshi_Esumi
SuperUser
May 16, 2025

An SFP+ has to be compatible with the local switch, if local switch checks the vendor ID. But once signals get on the fiber, it's in 10GBASE-SR standard and it doesn't matter what vendor's SFP+ terminates.

If the warning you get at the FGT when Cisco compatible SFP+ is used is just "not FN-TRAN" while it's working fine, I would just ignore the warning. You should be just fine.

If you still want to use FN-TRAN-SFP+SR, try another FN-TRAN-SFP+SR. Unless the distance is close to the max 300m, bad SFP+ would be the only explanation.

Toshi
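
The vendor ID mentioned in the reply above is stored in the transceiver's serial-ID EEPROM (SFF-8472, address A0h), which the host reads when the module is inserted. The added example below, which is not from the thread, parses those fields and shows two modules that advertise the same 10GBASE-SR optics but differ in vendor name. The images, vendor strings, part names and the allowlist check in `host_accepts` are constructed assumptions, not any vendor's actual logic.

```python
# Field offsets follow SFF-8472, serial-ID page at two-wire address A0h.
TEN_G_CODES = {0x80: "10GBASE-ER", 0x40: "10GBASE-LRM",
               0x20: "10GBASE-LR", 0x10: "10GBASE-SR"}

def build_sample(vendor, part, compliance=0x10, wavelength_nm=850):
    """Constructed 96-byte A0h image for the demo; not read from a real module."""
    rom = bytearray(96)
    rom[0] = 0x03                                   # identifier: SFP/SFP+
    rom[3] = compliance                             # 10G Ethernet compliance codes
    rom[20:36] = vendor[:16].ljust(16).encode("ascii")   # vendor name, space padded
    rom[40:56] = part[:16].ljust(16).encode("ascii")     # vendor part number
    rom[60:62] = wavelength_nm.to_bytes(2, "big")   # laser wavelength in nm
    rom[63] = sum(rom[0:63]) & 0xFF                 # CC_BASE over bytes 0..62
    return bytes(rom)

def parse_a0(rom):
    """Decode the fields a host can use to identify the module."""
    return {
        "vendor": rom[20:36].decode("ascii", "replace").strip(),
        "part": rom[40:56].decode("ascii", "replace").strip(),
        "standards": [name for bit, name in TEN_G_CODES.items() if rom[3] & bit],
        "wavelength_nm": int.from_bytes(rom[60:62], "big"),
        "checksum_ok": (sum(rom[0:63]) & 0xFF) == rom[63],
    }

def host_accepts(rom, allowed_vendors):
    """Hypothetical host policy: valid checksum and an allowlisted vendor name."""
    info = parse_a0(rom)
    return info["checksum_ok"] and info["vendor"] in allowed_vendors

# Two constructed modules: identical optics, different vendor strings.
MODULE_A = build_sample("VENDOR-A", "EXAMPLE-SR-A")
MODULE_B = build_sample("VENDOR-B", "EXAMPLE-SR-B")
```

Both images decode to 10GBASE-SR at 850 nm, so they interoperate on the fiber, while a host that allowlists only VENDOR-A accepts the first and rejects the second.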

sferoz
Staff
May 20, 2025

Can you try the same using FN-TRAN-SFP+SR with a loopback connection in the FGT and confirm the status?
Please confirm the FGT firmware information along with the logs below:
get sys interface transceiver

Some additional KBs for reference:
https://community.fortinet.com/t5/FortiSwitch/Troubleshooting-Tip-SFP-SFP-transceivers-port-fiber-link-is-not/ta-p/193940
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Verify-FortiGate-Configuration-for-SFP/ta-p/194757


MMGE
Author
New Member
May 23, 2025

This SFP works with Cisco SFP-10G-SR-S; the link and port-channel come up, but the Cisco switch interface is blinking with green and amber lights. I have 12 pcs of Fortinet SFPs, and their behavior is the same.

I also tried manually configuring the speed and duplex settings on both sides and tested multiple cables, with no luck.