FortiGate
GeorgeZhong
Staff
Article Id 396383
Description This article describes a FortiGate Switch-Controller GUI behaviour observed when FortiSwitch ports are exported to multiple tenant VDOMs: two FortiSwitches in MC-LAG mode appear in every tenant VDOM, with one shown online and the other offline, although both are up.
Scope FortiGate v7.4.7 and lower, v7.2.11 and lower, v7.6.0; FortiSwitch MC-LAG ports exported to multiple tenant VDOMs.
Solution

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations.

The ports of a FortiSwitch managed by the FortiGate switch-controller can be exported to different VDOMs on the FortiGate. Detailed information can be found in the FortiSwitch document 'Multitenancy and VDOMs'.

Example:

Topology:

FortiGate 1101E <----- FortiLink (port33, port34) -----> two FortiSwitch 1048E in MC-LAG mode

There are two tenant VDOMs, 'test1' and 'test2'. Two VLAN sub-interfaces on the FortiLink interface, VLAN20 and VLAN30, are assigned to 'test1' and 'test2' respectively:

config system interface
    edit "VLAN20"
        set vdom "test1"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping https http
        set device-identification enable
        set role lan
        set snmp-index 45
        set ip-managed-by-fortiipam disable
        set interface "fortilink"
        set vlanid 20
    next
end

config system interface
    edit "VLAN30"
        set vdom "test2"
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping https http
        set device-identification enable
        set role lan
        set snmp-index 46
        set ip-managed-by-fortiipam disable
        set interface "fortilink"
        set vlanid 30
    next
end

On both FortiSwitches, port2 is exported to the 'test1' VDOM and port3 to the 'test2' VDOM, while port1 is exported to the 'root' VDOM. The configuration is as below (only ports 1 to 3 are shown):

config switch-controller managed-switch
    edit "S548DF5019000759"
        set sn "S548DF5019000759"
        set fsw-wan1-peer "fortilink"
        set fsw-wan1-admin enable
        set poe-detection-type 1
        set version 1
        set max-allowed-trunk-members 48
        set dynamic-capability 0x00000000000000000404ff7d3dfdfdf7
        config ports
            edit "port1"
                set ptp-status disable
                set poe-capable 1
                set vlan "_default"
                set allowed-vlans "quarantine"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr 04:d5:90:21:e7:32
            next
            edit "port2"
                set poe-capable 1
                set export-to "test1"
            next
            edit "port3"
                set poe-capable 1
                set export-to "test2"
            next
        end
    next
    edit "S548DF5018000074"
        set sn "S548DF5018000074"
        set fsw-wan1-peer "fortilink"
        set fsw-wan1-admin enable
        set poe-detection-type 1
        set version 1
        set max-allowed-trunk-members 48
        set dynamic-capability 0x00000000000000000404ff7d3dfdfdf7
        config ports
            edit "port1"
                set ptp-status disable
                set poe-capable 1
                set vlan "_default"
                set allowed-vlans "quarantine"
                set untagged-vlans "quarantine"
                set export-to "root"
                set mac-addr 70:4c:a5:96:2c:fa
            next
            edit "port2"
                set poe-capable 1
                set export-to "test1"
            next
            edit "port3"
                set poe-capable 1
                set export-to "test2"
            next
        end
    next
end

When this is configured, both FortiSwitches appear in the root VDOM and in each tenant VDOM. In the FortiGate root VDOM, both switches are shown online in the GUI.
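The set of switches each VDOM should list follows directly from the export-to lines in the managed-switch configuration. The following is an added example in Python (not FortiOS code and not part of the original article): it parses a trimmed copy of the configuration above, embedded as a constructed sample, and returns, per VDOM, the switches that export at least one port to it. It assumes the FortiOS CLI nesting shown (config/edit/next/end) and only counts ports that carry an explicit 'set export-to'. For this setup both serials end up under 'test1' and 'test2', which is why the tenant VDOM view is expected to show both switches.

```python
import re
from collections import defaultdict

# Constructed sample: the article's managed-switch configuration trimmed to the
# export-relevant lines (the closing next/end lines are assumed).
SAMPLE_CONFIG = """\
config switch-controller managed-switch
    edit "S548DF5019000759"
        set sn "S548DF5019000759"
        config ports
            edit "port1"
                set vlan "_default"
                set export-to "root"
            next
            edit "port2"
                set export-to "test1"
            next
            edit "port3"
                set export-to "test2"
            next
        end
    next
    edit "S548DF5018000074"
        set sn "S548DF5018000074"
        config ports
            edit "port1"
                set vlan "_default"
                set export-to "root"
            next
            edit "port2"
                set export-to "test1"
            next
            edit "port3"
                set export-to "test2"
            next
        end
    next
end
"""

_EDIT = re.compile(r'^edit\s+"?([^"\s]+)"?$')
_EXPORT = re.compile(r'^set\s+export-to\s+"?([^"\s]+)"?$')


def export_map(config_text):
    """Return {vdom: {switch_serial: [ports exported to that vdom]}}.

    Only ports with an explicit 'set export-to' are counted (assumption of
    this example); a port without that line is not attributed to any VDOM.
    """
    result = defaultdict(lambda: defaultdict(list))
    stack = []                     # names of the currently open 'config ...' blocks
    switch = port = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line.split(None, 1)[1])
        elif line == "end":
            stack.pop()
        elif line == "next":
            if stack and stack[-1] == "ports":
                port = None            # leaving a port entry
            else:
                switch = None          # leaving a managed-switch entry
        elif (m := _EDIT.match(line)):
            if stack and stack[-1] == "ports":
                port = m.group(1)
            else:
                switch = m.group(1)
        elif (m := _EXPORT.match(line)) and switch and port:
            result[m.group(1)][switch].append(port)
    return {vdom: dict(switches) for vdom, switches in result.items()}


def switches_per_vdom(config_text):
    """Serials that the switch-controller view of each VDOM should list."""
    return {vdom: sorted(switches) for vdom, switches in export_map(config_text).items()}


if __name__ == "__main__":
    for vdom, serials in switches_per_vdom(SAMPLE_CONFIG).items():
        print(f"{vdom}: {', '.join(serials)}")
```

Run it off-box against a copy of `show switch-controller managed-switch`; FortiOS itself has no scripting shell. A VDOM that is missing from the output, or that lists only one serial, means a port export is not configured the way the tenant expects, and that is a configuration problem rather than the GUI behaviour this article describes.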

Capture.PNG

However, in each tenant VDOM, one FortiSwitch is showing online, and the other one is showing offline.

Capture1.PNG

Capture2.PNG

However, the connection status checked from the CLI in the 'test1' and 'test2' VDOMs reports both managed switches as up (Managed-Switches: 2, UP: 2, DOWN: 0):

FortiGate-200E (test2) # execute switch-controller get-conn-status
Managed-devices in current vdom test2:

FortiLink interface : fortilink
SWITCH-ID                  VERSION       STATUS         FLAG  ADDRESS     JOIN-TIME                 SERIAL
S548DF5018000074(virtual)                Authorized/Up  -                                           S548DF5018000074
S548DF5018000074           v7.2.7 (479)  Authorized/Up  2     10.255.1.3  Mon May 26 23:13:40 2025  S548DF5018000074

         Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External
         Managed-Switches: 2 (UP: 2 DOWN: 0 MAX: 64)

FortiGate-200E (test1) # execute switch-controller get-conn-status
Managed-devices in current vdom test1:

FortiLink interface : fortilink
SWITCH-ID                  VERSION       STATUS         FLAG  ADDRESS     JOIN-TIME                 SERIAL
S548DF5019000759(virtual)                Authorized/Up  -                                           S548DF5019000759
S548DF5018000074           v7.2.7 (479)  Authorized/Up  2     10.255.1.3  Mon May 26 23:13:40 2025  S548DF5018000074

         Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External
         Managed-Switches: 2 (UP: 2 DOWN: 0 MAX: 64)
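The CLI output is the authoritative view of FortiLink state, so when the tenant GUI shows a switch offline it helps to separate the '(virtual)' rows, which carry no version, address or join time, from the physical rows that do, and then check the link state of the physical rows only. The following is an added example in Python (not FortiOS code and not part of the original article): it parses the two captures above, pasted in as a constructed sample, and reports per VDOM which physical switches are actually not Up. It assumes the column layout shown in those captures; run it off-box against saved output, since FortiOS has no scripting shell.

```python
import re

# Constructed sample: the two 'execute switch-controller get-conn-status'
# captures shown in this article, concatenated as one paste.
SAMPLE_OUTPUT = """\
FortiGate-200E (test2) # execute switch-controller get-conn-status

Managed-devices in current vdom test2:

FortiLink interface : fortilink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME SERIAL
S548DF5018000074(virtual) Authorized/Up - S548DF5018000074
S548DF5018000074 v7.2.7 (479) Authorized/Up 2 10.255.1.3 Mon May 26 23:13:40 2025 S548DF5018000074

         Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External
         Managed-Switches: 2 (UP: 2 DOWN: 0 MAX: 64)

FortiGate-200E (test1) # execute switch-controller get-conn-status
Managed-devices in current vdom test1:

FortiLink interface : fortilink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME SERIAL
S548DF5019000759(virtual) Authorized/Up - S548DF5019000759
S548DF5018000074 v7.2.7 (479) Authorized/Up 2 10.255.1.3 Mon May 26 23:13:40 2025 S548DF5018000074

         Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External
         Managed-Switches: 2 (UP: 2 DOWN: 0 MAX: 64)
"""

_VDOM = re.compile(r'^Managed-devices in current vdom (\S+):')
# One switch row. Virtual rows have no "vX.Y.Z (build)" and no address; the
# FLAG column is "-" on them and the L2/L3 marker on physical rows.
_ROW = re.compile(
    r'^(?P<serial>[A-Za-z0-9]+)(?P<virtual>\(virtual\))?\s+'
    r'(?:(?P<version>v\S+)\s+\(\d+\)\s+)?'
    r'(?P<status>\S+/\S+)\s+'
    r'(?P<flag>\S+)'
    r'(?:\s+(?P<address>\d+(?:\.\d+){3}))?'
)
_SUMMARY = re.compile(
    r'Managed-Switches:\s+(\d+)\s+\(UP:\s+(\d+)\s+DOWN:\s+(\d+)\s+MAX:\s+(\d+)\)'
)


def parse_conn_status(text):
    """Return {vdom: {"physical": [rows], "virtual": [rows], "summary": {...}}}.

    Each row is a dict with serial, status, flag and address; address is None
    on virtual rows because the CLI prints no IP for them.
    """
    result, vdom = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _VDOM.match(line)
        if m:
            vdom = m.group(1)
            result[vdom] = {"physical": [], "virtual": [], "summary": None}
            continue
        if vdom is None:
            continue                        # prompt or noise before the first VDOM header
        m = _SUMMARY.search(line)
        if m:
            total, up, down, maximum = map(int, m.groups())
            result[vdom]["summary"] = {"total": total, "up": up, "down": down, "max": maximum}
            continue
        m = _ROW.match(line)
        if m:
            row = {"serial": m["serial"], "status": m["status"],
                   "flag": m["flag"], "address": m["address"]}
            result[vdom]["virtual" if m["virtual"] else "physical"].append(row)
    return result


def really_down(text):
    """Per VDOM, serials of physical switches whose link state is not Up.

    A switch the tenant GUI shows offline but that is absent from this list
    is the display behaviour described in the article, not a FortiLink outage.
    """
    return {vdom: [r["serial"] for r in data["physical"] if not r["status"].endswith("/Up")]
            for vdom, data in parse_conn_status(text).items()}


if __name__ == "__main__":
    for vdom, data in parse_conn_status(SAMPLE_OUTPUT).items():
        print(vdom, "virtual:", [r["serial"] for r in data["virtual"]],
              "physical:", [r["serial"] for r in data["physical"]],
              "summary:", data["summary"], "down:", really_down(SAMPLE_OUTPUT)[vdom])
```

If a serial appears only in the virtual list of a tenant VDOM while the root VDOM shows it as a physical row that is Up, the tenant GUI's offline marker can be disregarded; a serial in the really_down() output, or a summary with DOWN greater than 0, is a real FortiLink problem to investigate in the root VDOM.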

Under System -> Firmware & Registration in the Global VDOM, duplicated FortiSwitch entries are also observed, which is not expected.

Capture3.PNG

This is a FortiOS GUI display issue only; it does not affect traffic on the FortiSwitch ports exported to these tenant VDOMs.

This issue is present in all v7.2 releases, in v7.4 releases lower than v7.4.8, and in v7.6.0. It is tracked under known engineering ID 1034470.

Upgrading to v7.4.8 or v7.6.1 resolves the issue. The expected behaviour in v7.4.8 is as follows:

Capture5.PNG

Capture6.PNG

Capture7.PNG