Description
This article describes how to fix an issue where FortiSwitch shows as 'Offline' in the FortiGate unit under Security Fabric -> Physical Topology -> FortiSwitch -> Status: Offline.
Scope
FortiGate with FortiSwitch connected.
Solution
When this issue occurs, FortiSwitch is connected to FortiGate but does not work as expected.
Check the status in FortiGate under Security Fabric -> Physical Topology -> FortiSwitch -> Status: Offline.
Before proceeding, verify that the date, time, and timezone are the same as they are in the managing FortiGate. Mismatched times cause a large number of issues.
Use the following CLI command to check the FortiSwitch connection in FortiGate:
execute switch-controller get-conn-status <FortiSwitch_serial_number>
The result will appear as below (with the 'No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx' error message).
Fortilink interface ... OK
FortiLink enabled
DHCP server ... OK
FortiLink enabled
NTP server ... FAIL
FortiLink not enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 192.168.0.1, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=1
synchronized: no, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:2
no data
ipv4 server(ntp1.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:2
no data
HA mode Active-Passive... enabled
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 15 seconds ago
No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx
CAPWAP
Remote Address : N/A
Status ... Idle
Note that the message 'No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx' appears. In this case, S448ENTFxxxxxxxx is the FortiSwitch serial number.
Consider adding a 'FortiLink' interface to NTP settings as below to solve the issue.
Run the following CLI configuration:
config system ntp
get <----- To check whether any interfaces are already set.
set interface "portxx" "portyy" "FortiLink"
end
In the above configuration, 'portxx' and 'portyy' are the existing interface settings shown by the 'get' command.
'FortiLink' is the FortiLink interface that is being added.
Furthermore, if the following error is observed after running this command, follow the steps below:
execute switch-controller get-conn-status <FSW Serial Number>
Get managed-switch S248EFTF23009804 connection status:
Admin Status: Authorized
Connection: Idle
Diagnosing...
FGT can not detect S248EFTF23009804 at LAG.
Please Check FortiGate:
CAPWAP in LAG is enabled.
Please Check FortiSwitch:
1. S248EFTF23009804 is in FortiLink mode.
2. S248EFTF23009804 is managed via LAG.
3. Execute 'execute switch-controller diagnose-connection S248EFTF23009804' for further details.
Run the following command to check further:
execute switch-controller diagnose-connection <FSW Serial Number>
Fortilink interface ... OK
LAG enabled
DHCP server ... OK
LAG enabled
WARNING : NTP service for DHCP entry should be set to local mode .... please check config <-- (The NTP server on the FortiLink interface must be changed to 'local'.)
NTP server ... OK
LAG enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 169.254.0.2, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: no, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:9
no data
ipv4 server(ntp1.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:9
no data
HA mode Active-Passive... enabled
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 2 seconds ago
No CAPWAP IP address retrieved for FortiSwitch S248EFTF23009804
CAPWAP
Remote Address : N/A
Status ... Idle
In the configuration of the FortiLink interface, change the NTP server from 'Specify' to 'Local'.
Also check the following interface setting on FortiGate:
config system interface
edit <interface name> <----- Ex: FortiLink.
set switch-controller-mgmt-vlan 4094 <----- By default it is 4094.
end
This matters because the switch sometimes does not carry VLAN ID 4094; in that case it can be changed to 4093 on both FortiSwitch and FortiGate.
Also check that the VCI is configured correctly under the DHCP server setting on FortiGate if FortiSwitch is sending the DHCP offer but not getting an IP address from FortiGate:
config system dhcp server
edit <id> <----- Ex: the DHCP server ID.
set vci-string FortiSwitch
end
Gain console access to FortiSwitch and run the following command:
show switch auto-network
The configuration should look like this:
config switch auto-network
set mgmt-vlan 4094 <-- 4094 is the default VLAN.
set status enable
end
Also, check this setting in FortiSwitch:
config switch interface
edit <interface connected to FortiGate or to another FortiSwitch>
show
If this setting appears:
unset allowed-vlans
Then change it to:
set allowed-vlans 4094
end
Restart the FortiSwitch and run the command again:
execute switch-controller diagnose-connection <FSW Serial Number>
Fortilink interface ... OK
LAG enabled
DHCP server ... OK
LAG enabled
NTP server ... OK
LAG enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 169.254.0.2, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: no, ntpsync: enabled, server-mode: enabled
HA mode Active-Passive... enabled
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago
CAPWAP
Remote Address: 10.17.1.2 <-- The remote IP address.
Status ... CONNECTED
Last keepalive ... 26 seconds ago
PING 10.17.1.2 (10.17.1.2): 56 data bytes
64 bytes from 10.17.1.2: icmp_seq=0 ttl=64 time=0.7 ms
64 bytes from 10.17.1.2: icmp_seq=1 ttl=64 time=0.6 ms
64 bytes from 10.17.1.2: icmp_seq=2 ttl=64 time=24.2 ms
64 bytes from 10.17.1.2: icmp_seq=3 ttl=64 time=3.0 ms
64 bytes from 10.17.1.2: icmp_seq=4 ttl=64 time=0.6 ms
--- 10.17.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.6/5.8/24.2 ms
The ping is successful, which means FortiSwitch is online. This can also be verified from the GUI.
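As an added example (not part of the original article), the following Python script parses a captured 'diagnose-connection' transcript and flags the three indicators this article walks through (NTP FAIL, the 'local mode' NTP warning, and the missing CAPWAP IP), pairing each with the fix given above; the sample transcript is constructed and the serial is a placeholder.

```python
import re
# Constructed sample of a failing 'execute switch-controller diagnose-connection'
# transcript, shaped like this article's output (serial is a placeholder).
SAMPLE_FAILING = """\
Fortilink interface ... OK
WARNING : NTP service for DHCP entry should be set to local mode .... please check config
NTP server ... FAIL
Fortilink
Status ... SWITCH_AUTHORIZED_READY
No CAPWAP IP address retrieved for FortiSwitch S248EFTFxxxxxxxx
CAPWAP
Remote Address : N/A
Status ... Idle
"""

# (pattern, finding, remediation); each remediation is the one this article gives.
CHECKS = [
    (re.compile(r"^NTP server \.\.\. FAIL", re.M),
     "NTP server check failed",
     "add the FortiLink interface under 'config system ntp' -> 'set interface'"),
    (re.compile(r"NTP service for DHCP entry should be set to local mode"),
     "FortiLink DHCP entry does not use local NTP",
     "change the FortiLink interface NTP server from 'Specify' to 'Local'"),
    (re.compile(r"No CAPWAP IP address retrieved for FortiSwitch (\S+)"),
     "switch {0} obtained no CAPWAP IP",
     "check mgmt VLAN 4094, allowed-vlans 4094 and DHCP vci-string 'FortiSwitch'"),
]

def parse_conn_status(text):
    """Return {'online': bool, 'capwap': {...}, 'findings': [(finding, fix), ...]}."""
    capwap = {"remote_address": None, "status": None}
    in_capwap = False
    for line in text.splitlines():
        line = line.strip()
        if line == "CAPWAP":                  # the CAPWAP section starts here
            in_capwap = True
        elif in_capwap:
            m = re.match(r"Remote Address\s*:\s*(\S+)", line)
            if m:
                capwap["remote_address"] = m.group(1)
            m = re.match(r"Status \.\.\. (\S+)", line)
            if m and capwap["status"] is None:  # first Status line after CAPWAP
                capwap["status"] = m.group(1)
    findings = []
    for pattern, finding, fix in CHECKS:
        m = pattern.search(text)
        if m:
            findings.append((finding.format(*m.groups()), fix))
    online = capwap["status"] == "CONNECTED" and capwap["remote_address"] not in (None, "N/A")
    return {"online": online, "capwap": capwap, "findings": findings}
```

Feed it the pasted output for each switch serial to get a per-switch list of which of the article's fixes still applies; a result with 'online' True and no findings matches the healthy transcript shown above.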
Copyright 2024 Fortinet, Inc. All Rights Reserved.