caunon (Staff)
Article Id 197303

Description

 

This article describes how to fix an issue where FortiSwitch shows as 'Offline' in the FortiGate unit under Security Fabric -> Physical Topology -> FortiSwitch -> Status: Offline.

Scope


FortiGate with FortiSwitch connected.

Solution

 

When this issue occurs, FortiSwitch is connected to FortiGate but does not work as expected.

Check the status in FortiGate under Security Fabric -> Physical Topology -> FortiSwitch -> Status: Offline.

 

Before proceeding, verify that the date, time, and timezone are the same as they are in the managing FortiGate. Mismatched times cause a large number of issues.

 

Use the following CLI command to check the FortiSwitch connection in FortiGate:

 

execute switch-controller get-conn-status <FortiSwitch_serial_number>

 

The result will appear as below (with the 'No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx' error message).

 

Fortilink interface ... OK
FortiLink enabled

DHCP server ... OK
FortiLink enabled

NTP server ... FAIL
FortiLink not enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 192.168.0.1, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=1
synchronized: no, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:2
no data
ipv4 server(ntp1.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:2
no data

HA mode Active-Passive... enabled

Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 15 seconds ago

 

No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx
CAPWAP
Remote Address : N/A
Status ... Idle

 

Note that the message 'No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx' appears. In this case, S448ENTFxxxxxxxx is the FortiSwitch serial number.

Consider adding a 'FortiLink' interface to NTP settings as below to solve the issue.

Run the following CLI configuration:

config system ntp
    get                <----- Check whether any interfaces are already set.
    set interface "portxx" "portyy" "FortiLink"
end

In the above configuration, 'portxx' and 'portyy' are the old interface setting visible with the 'get' command.
FortiLink is the FortiLink interface that is added.


Furthermore, if the error shown below is observed when running this command, follow the steps that follow it:

 

execute switch-controller get-conn-status <FSW Serial Number>


Get managed-switch S248EFTF23009804 connection status:
Admin Status: Authorized
Connection: Idle


Diagnosing...
FGT can not detect S248EFTF23009804 at LAG.
Please Check FortiGate:
CAPWAP in LAG is enabled.
Please Check FortiSwitch:
1. S248EFTF23009804 is in FortiLink mode.
2. S248EFTF23009804 is managed via LAG.
3. Execute 'execute switch-controller diagnose-connection S248EFTF23009804' for further details.

 

Run the following command to check further:


execute switch-controller diagnose-connection <FSW Serial Number>


Fortilink interface ... OK
LAG enabled

DHCP server ... OK
LAG enabled
WARNING : NTP service for DHCP entry should be set to local mode .... please check config <-- (It is necessary to change the ntp server to 'local' in the FortiLink interface.)

NTP server ... OK
LAG enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 169.254.0.2, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: no, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:9
no data
ipv4 server(ntp1.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:9
no data

HA mode Active-Passive... enabled


Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 2 seconds ago


No CAPWAP IP address retrieved for FortiSwitch S248EFTF23009804
CAPWAP
Remote Address : N/A
Status ... Idle

 

In the configuration of the FortiLink interface, change the NTP server from 'Specify' to 'Local':

 


 

Also check the following interface setting on the FortiGate:

 

config system interface
    edit <interface name>                      <----- For example: FortiLink.
        set switch-controller-mgmt-vlan 4094   <----- 4094 is the default value.
    end

 

This matters because sometimes the switch does not use VLAN ID 4094; in that case it is possible to change the management VLAN to 4093 on both the FortiSwitch and the FortiGate.

 

Gain console access to the FortiSwitch and run the following command:

show switch auto-network

The configuration should look like this:

config switch auto-network
    set mgmt-vlan 4094    <-- 4094 is the default VLAN.
    set status enable
end

 


 

 

Also, check this setting on the FortiSwitch:

config switch interface
    edit <interface connected to FortiGate or FortiSwitch>
        show

If this setting appears:

        unset allowed-vlans

then change it to:

        set allowed-vlans 4094
end

 

Restart the FortiSwitch and run the command again:

 

execute switch-controller diagnose-connection <FSW Serial Number>


Fortilink interface ... OK
LAG enabled

DHCP server ... OK
LAG enabled

NTP server ... OK
LAG enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 169.254.0.2, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: no, ntpsync: enabled, server-mode: enabled

HA mode Active-Passive... enabled


Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago


CAPWAP
Remote Address: 10.17.1.2 <-- The remote IP address.
Status ... CONNECTED
Last keepalive ... 26 seconds ago


PING 10.17.1.2 (10.17.1.2): 56 data bytes
64 bytes from 10.17.1.2: icmp_seq=0 ttl=64 time=0.7 ms
64 bytes from 10.17.1.2: icmp_seq=1 ttl=64 time=0.6 ms
64 bytes from 10.17.1.2: icmp_seq=2 ttl=64 time=24.2 ms
64 bytes from 10.17.1.2: icmp_seq=3 ttl=64 time=3.0 ms
64 bytes from 10.17.1.2: icmp_seq=4 ttl=64 time=0.6 ms

--- 10.17.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.6/5.8/24.2 ms

 

The ping is successful, which means the FortiSwitch is online. This can be verified from the GUI as well.
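As an added example (not from the original article and not Fortinet code), the following Python helper scans 'diagnose-connection' / 'get-conn-status' output for the failure signatures discussed above and maps each one to the corresponding fix; the sample outputs are constructed from the transcripts in this article.

```python
# Added triage helper (not Fortinet code) for the diagnose-connection /
# get-conn-status output shown in this article; samples are constructed.
import re

# Constructed from the failing output above (abridged).
SAMPLE_OFFLINE = """\
WARNING : NTP service for DHCP entry should be set to local mode .... please check config
NTP server ... FAIL
FortiLink not enabled
Fortilink
Status ... SWITCH_AUTHORIZED_READY
No CAPWAP IP address retrieved for FortiSwitch S248EFTF23009804
CAPWAP
Remote Address : N/A
Status ... Idle
"""

# Constructed from the healthy output above (abridged).
SAMPLE_ONLINE = """\
NTP server ... OK
Fortilink
Status ... SWITCH_AUTHORIZED_READY
CAPWAP
Remote Address: 10.17.1.2
Status ... CONNECTED
"""

# Failure signature (regex, multiline) -> the remediation step this article gives.
RULES = [
    (r"^NTP server \.\.\. FAIL", "add the FortiLink interface to 'config system ntp' (set interface)"),
    (r"should be set to local mode", "set FortiLink interface NTP server from 'Specify' to 'Local'"),
    (r"^FGT can not detect \S+ at LAG", "check CAPWAP in LAG, FortiLink mode and LAG management"),
    (r"^No CAPWAP IP address retrieved", "check mgmt VLAN 4094 on both sides and allowed-vlans on uplink"),
]


def capwap_status(output):
    """Return the Status value of the CAPWAP block only (the Fortilink block has its own)."""
    m = re.search(r"^CAPWAP\n(?:.*\n)*?Status \.\.\. (\S+)", output, re.M)
    return m.group(1) if m else None


def triage(output):
    """Return (online, hints): online means CAPWAP is CONNECTED to a real remote
    address; hints are the article's fixes whose failure signature is present."""
    addr = re.search(r"^Remote Address\s*:\s*(\S+)", output, re.M)
    online = capwap_status(output) == "CONNECTED" and bool(addr) and addr.group(1) != "N/A"
    hints = [hint for pattern, hint in RULES if re.search(pattern, output, re.M)]
    return online, hints
```

Paste the real CLI output into a file and call triage() on its contents; an empty hint list with online set to True corresponds to the healthy transcript at the end of the solution.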

 


Comments

FortiMasters (Staff)

Additional Scenario

A new FortiSwitch is instead connected to another FortiSwitch that is already online, connected and in production (instead of directly to the FortiGate), AND the FortiGate is reporting similar troubleshooting outputs detailed above.

Scope

NEW FortiSwitch is connected to a preexisting FortiSwitch.

Solution

On the preexisting switch, review the configuration of the port that connects to the NEW switch, specifically the LLDP Profile, and confirm it is set to "default-auto-isl" or to an equivalent custom LLDP profile (see further below).

Note: isl = inter-switch-link

 

GUI:
WiFi & Switch Controller -> FortiSwitch Ports

 

By default, the LLDP Profile column is hidden.

To enable it, hover the mouse over the top most column titles and click the grey gear icon that appears. Select and enable LLDP Profile.

Then edit a column's value as you would any other setting:


 

CLI:

 

 

FGT # config switch-controller managed-switch
FGT (managed-switch) # edit <preexisting-switch-serial-number>
FGT (S224ABCD00000001) # config ports
FGT (ports) # edit <port#-that-connects-NEW-switch>
FGT (port1) # set lldp-profile default-auto-isl
FGT (port1) # end
FGT (S224ABCD00000001) # end


What changed? 

Besides administrators having changed this setting manually, in some production environments that are past their initial deployments, administrators may have implemented security recommendations found in Security Fabric -> Security Rating -> Optimization.

 

Specifically, the Security Control named "Lockdown LLDP Profile" from the Optimization category. It is marked with an EZ symbol, which represents configuration recommendations that support Easy Apply.


 

If applied, all applicable ports' LLDP profile settings are changed from their factory default setting, "default-auto-isl", to "default".

Custom LLDP profiles can be created and then set in the CLI too, so you may need to apply your organization's custom profiles instead of the defaults discussed in this post.
It is then very important to note the differences between the two default profiles' settings:

"default" profile: auto-isl DISABLED

"default-auto-isl" profile: auto-isl ENABLED

 

More on FortiGate CLI configurations for LLDP profiles:

https://docs.fortinet.com/document/fortigate/7.2.6/cli-reference/183620/config-switch-controller-lld...