Skip to main content
sj3fk3
sj3fk3
Visitor III
January 28, 2026
Question

Fortiswitch MCLAG 1024E daemon l2dbg killed messages

  • January 28, 2026
  • 5 replies
  • 633 views

Hi,

 

We are investigating a strange failover issue with managed FortiSwitches by a HA pair of Fortigates 601F. 

 

We are having strange issues with traffic loss if we failover to the passive Fortigate. The issues are only on vlan's were we have intra vlan blocking enabled. If we disable this feature everything is working fine. 

 

The problem is that we have traffic loss from the clients to the gateway/fortigate for 2 minutes and 30 seconds after failover. Support found out that the mac adress for that Fortigate vlan is learned on the wrong trunks. 

 

We have switches in a ring connected to a pair of 1024E MCLAG core switches. 

 

I'm analyzing this issue and in the core switches logging I see the following messages during the failover/issue:

 

10: 2026-01-08 10:14:49 log_id=0103030700 tz=+0100 type=event subtype=system pri=information vd=root action
="daemon-startup" user="init" ui="None" daemon="l2dbg" pid="2589" msg="Daemon l2dbg started"
11: 2026-01-08 10:14:48 log_id=0103030701 tz=+0100 type=event subtype=system pri=information vd=root action
="daemon-shutdown" ui="None" user="init" daemon=l2dbg pid=2486 msg="Daemon l2dbg shut down"

 

In the diagnose debug crashlog read I see the following:

268: 2025-11-07 11:09:03 the killed daemon is /bin/l2dbg: status=0x0
269: 2025-11-07 11:12:59 the killed daemon is /bin/l2dbg: status=0x0
270: 2025-11-07 11:14:04 the killed daemon is /bin/l2dbg: status=0x0
271: 2025-11-07 11:14:09 the killed daemon is /bin/l2dbg: status=0x0
272: 2025-11-07 11:15:32 the killed daemon is /bin/l2dbg: status=0x0
273: 2025-11-07 11:15:37 the killed daemon is /bin/l2dbg: status=0x0
274: 2025-11-07 11:21:28 the killed daemon is /bin/l2dbg: status=0x0
275: 2025-11-07 11:22:34 the killed daemon is /bin/l2dbg: status=0x0
276: 2025-11-07 11:22:37 the killed daemon is /bin/l2dbg: status=0x0
277: 2025-11-07 12:45:07 the killed daemon is /bin/l2dbg: status=0x0
278: 2025-11-07 12:46:12 the killed daemon is /bin/l2dbg: status=0x0
279: 2025-11-07 12:46:19 the killed daemon is /bin/l2dbg: status=0x0

 

Are these messages normal? (Please ignore time difference between event log and crashlog. I don't have the corresponding crashlog and events on this computer. but the output is the same. I will upload the corresponding ones tomorrow)

 

FortiGate is at 7.4.9 and FortiSwitches are at 7.6.4. 

 

Thanks for your help!

5 replies

Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
January 31, 2026

Hello sj3fk3, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
February 2, 2026

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
February 3, 2026

Hello again sj3fk3,

 

I found this answer. Can you tell us if it helps, please?

 

You are experiencing traffic loss during failover to the passive FortiGate in an HA pair, specifically on VLANs where intra-VLAN blocking is enabled. The issue seems to be related to MAC address learning on the wrong trunks, which causes a delay in traffic recovery.

Observations from Logs

  1. Daemon Logs: The logs indicate that the l2dbg daemon is frequently starting and stopping. This could be indicative of an issue with the Layer 2 debugging process, which might be affecting MAC address learning and VLAN operations.

  2. Crash Logs: The crash logs show multiple instances of the l2dbg daemon being killed. This is not typical behavior and suggests that there might be an underlying issue with the daemon that could be contributing to the failover problem.

Potential Causes

  • Intra-VLAN Blocking: The feature might be interfering with the normal MAC address learning process during failover, causing the MAC addresses to be learned on incorrect trunks.

  • Daemon Instability: The instability of the l2dbg daemon could be affecting the switch's ability to correctly manage Layer 2 processes, including MAC address learning and VLAN management.

Recommendations

  1. Review Intra-VLAN Blocking Configuration: Double-check the configuration of intra-VLAN blocking to ensure it is set up correctly and not causing unintended side effects during failover.

  2. Investigate Daemon Stability: Look into the reasons for the frequent restarts of the l2dbg daemon. This might involve checking for known issues in the current firmware version or consulting Fortinet support for further diagnostics.

  3. Firmware Updates: Ensure that both the FortiGate and FortiSwitch firmware are up to date. Sometimes, upgrading to the latest firmware can resolve known bugs and improve system stability.

  4. Consult Fortinet Support: Given the complexity of the issue and the potential for it to be a bug, it might be beneficial to open a support ticket with Fortinet for a more in-depth analysis.

Follow-Up

  • Logs and Diagnostics: When you have access to the corresponding logs and events, review them for any additional clues or patterns that might help in diagnosing the issue.

  • Testing: Consider testing the failover process in a controlled environment to replicate the issue and gather more data.

 

If you need further assistance or have additional information to provide, feel free to reach out.

Jean-Philippe - Fortinet Community Team
sj3fk3
sj3fk3Author
Visitor III
February 4, 2026

Hi Jean-Philippe_P,


Thanks for your explanations and recommendations.


Recommendations

Review Intra-VLAN Blocking Configuration:

I have checked, but this is just a checkmark on the VLAN from the FortiGate to enable or disable. Nothing more to configure.

Investigate Daemon Stability:

I don't see anything else in the log beside the logging I have already provided.

Firmware Updates:

I don't see anything in the release notes for the FortiSwitch and FortiGate firmware regarding this issue. We are now on the releases that support told us to upgrade to. I check the release notes daily. Upgrading is not a problem. The Fortigate and FortiSwitches are not yet in production till this issue is solved.

Consult Fortinet Support:

The first support case for this is already created 3 months ago. First a case was issued to the FortiGate team, and they created a spin-off ticket with the FortiSwitch team. This was already 2,5 months ago.. Still no clue what the issue is.


Testing:

We can test everything because it's not in production till this issue is solved.

ibrahim54
ibrahim54
New Member
March 26, 2026

Hi sj3fk3,

 

Can you find a solution for this problem ?

Regards

sj3fk3
sj3fk3Author
Visitor III
March 27, 2026

Hi Ibrahim, 

 

After taking captures and doing some port mirroring I found out that the secondary fortigate is sending out an ARP annoucement before it's rebooting.

 

I showed the issue to Bill Hoang from Fortinet over a remote session and he was able to reproduce the issue in the lab. The Engineering team found out the root cause and they are working now on a fix. the recommended workaround is to increase the value of hb‑lost‑threshold to around 30. (Default is 6)

After the workaround I don't see the ARP annoucements anymore and my failover is now working a lot better. Only taking around 7 seconds because the treshold is increased. But this is expected. They are still working on the final fix. 

I did not received any more information if this is only applicable to the 601F FortiGate or also other models. I'm also not sure which versions are impacted. But at least 7.4.7, 7.4.8, 7.4.9, 7.4.11 and 7.6.6 which I'm running now. 


I don't have any bug id yet.

adir_net
adir_net
New Member
March 26, 2026

Hi,

I might be mistaken but set aside from the crashlog

If you failover it takes time and it's learning from the wrong trunks, on some high ends switches it takes time for them to clear their mac addresses  you might need to simulate a link failure

can you maybe try and run

config system ha

set link-failed-signal enable

end

 

 

 

sj3fk3
sj3fk3Author
Visitor III
March 27, 2026

Hi Adir, 

 

After taking captures and doing some port mirroring I found out that the secondary fortigate is sending out an ARP annoucement before it's rebooting.

 

I showed the issue to Bill Hoang from Fortinet over a remote session and he was able to reproduce the issue in the lab. The Engineering team found out the root cause and they are working now on a fix. the recommended workaround is to increase the value of hb‑lost‑threshold to around 30. (Default is 6)

After the workaround I don't see the ARP annoucements anymore and my failover is now working a lot better. Only taking around 7 seconds because the treshold is increased. But this is expected. They are still working on the final fix. 

I did not received any more information if this is only applicable to the 601F FortiGate or also other models. I'm also not sure which versions are impacted. But at least 7.4.7, 7.4.8, 7.4.9, 7.4.11 and 7.6.6 which I'm running now. 


I don't have any bug id yet.

Terms & ConditionsAccessibility statement