FortiGate
caunon (Staff)
Article Id 197303

Description

 

This article describes how to fix an issue where FortiSwitch shows as 'Offline' in the FortiGate unit under Security Fabric -> Physical Topology -> FortiSwitch -> Status: Offline.

Scope


FortiGate with FortiSwitch connected.

Solution

 

When this issue occurs, FortiSwitch is connected to FortiGate but does not work as expected.

Check the status in FortiGate under Security Fabric -> Physical Topology -> FortiSwitch -> Status: Offline.

 

Before proceeding, verify that the FortiSwitch's date, time, and timezone match those of the managing FortiGate. Mismatched times cause a large number of issues.

 

Use the following CLI command to check the FortiSwitch connection in FortiGate:

 

execute switch-controller get-conn-status <FortiSwitch_serial_number>

 

The result will appear as below (with the 'No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx' error message).

 

Fortilink interface ... OK
FortiLink enabled

DHCP server ... OK
FortiLink enabled

NTP server ... FAIL
FortiLink not enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 192.168.0.1, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=1
synchronized: no, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:2
no data
ipv4 server(ntp1.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:2
no data

HA mode Active-Passive... enabled

Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 15 seconds ago

 

No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx
CAPWAP
Remote Address : N/A
Status ... Idle

 

Note that the message 'No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx' appears. In this case, S448ENTFxxxxxxxx is the FortiSwitch serial number.

Consider adding the 'FortiLink' interface to the NTP settings as below to solve the issue.

Run the following CLI configuration:

config system ntp
    get                <----- Check the existing interface setting first.
    set interface "portxx" "portyy" "FortiLink"
end

 

In the above configuration, 'portxx' and 'portyy' are the interfaces already present in the setting, as shown by the 'get' command, and 'FortiLink' is the FortiLink interface being added. Since 'set' replaces the whole list, repeat the existing interfaces when adding the new one.


Furthermore, if the following error is observed when running the connection-status command, follow the steps below:

execute switch-controller get-conn-status <FSW_serial_number>


Get managed-switch S248EFTF23009804 connection status:
Admin Status: Authorized
Connection: Idle


Diagnosing...
FGT can not detect S248EFTF23009804 at LAG.
Please Check FortiGate:
CAPWAP in LAG is enabled.
Please Check FortiSwitch:
1. S248EFTF23009804 is in FortiLink mode.
2. S248EFTF23009804 is managed via LAG.
3. Execute 'execute switch-controller diagnose-connection S248EFTF23009804' for further details.

 

Run the following command to check further:


execute switch-controller diagnose-connection <FSW_serial_number>


Fortilink interface ... OK
LAG enabled

DHCP server ... OK
LAG enabled
WARNING : NTP service for DHCP entry should be set to local mode .... please check config <-- (The NTP server in the FortiLink interface's DHCP settings must be changed to 'Local'.)

NTP server ... OK
LAG enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 169.254.0.2, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: no, ntpsync: enabled, server-mode: enabled

ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:9
no data
ipv4 server(ntp1.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:9
no data

HA mode Active-Passive... enabled


Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 2 seconds ago


No CAPWAP IP address retrieved for FortiSwitch S248EFTF23009804
CAPWAP
Remote Address : N/A
Status ... Idle

 

In the FortiLink interface configuration, change the NTP server from 'Specify' to 'Local':

 

Picture1.png

 

Also check the following interface setting on the FortiGate:

config system interface
    edit <interface name>                    <----- Ex: FortiLink.
        set switch-controller-mgmt-vlan 4094 <----- 4094 is the default.
    end

 

This matters because the switch sometimes does not have VLAN ID 4094; in that case the management VLAN can be changed to 4093 on both the FortiSwitch and the FortiGate, as long as the two values match.

 

Also check that the VCI (vendor class identifier) is configured correctly under the DHCP server setting on the FortiGate if the FortiSwitch is exchanging DHCP messages but not obtaining an IP address from the FortiGate:

config system dhcp server
    edit <id>                     <----- Ex: the DHCP server ID.
        set vci-string "FortiSwitch"
    end

Gain console access to the FortiSwitch and run the following command:

show switch auto-network

 

The configuration should look like this:

config switch auto-network
    set mgmt-vlan 4094 <-- 4094 is the default VLAN.
    set status enable
end

 

Picture2.png

 

 

Also, check this setting on the FortiSwitch:

config switch interface
    edit <interface connected to the FortiGate or upstream FortiSwitch>
        show

If this setting appears:

        unset allowed-vlans

Then change it to:

        set allowed-vlans 4094
    end

 

Restart the FortiSwitch and run the command again:

 

execute switch-controller diagnose-connection <FSW_serial_number>


Fortilink interface ... OK
LAG enabled

DHCP server ... OK
LAG enabled

NTP server ... OK
LAG enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 169.254.0.2, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: no, ntpsync: enabled, server-mode: enabled

HA mode Active-Passive... enabled


Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago


CAPWAP
Remote Address: 10.17.1.2 <-- The remote IP address.
Status ... CONNECTED
Last keepalive ... 26 seconds ago


PING 10.17.1.2 (10.17.1.2): 56 data bytes
64 bytes from 10.17.1.2: icmp_seq=0 ttl=64 time=0.7 ms
64 bytes from 10.17.1.2: icmp_seq=1 ttl=64 time=0.6 ms
64 bytes from 10.17.1.2: icmp_seq=2 ttl=64 time=24.2 ms
64 bytes from 10.17.1.2: icmp_seq=3 ttl=64 time=3.0 ms
64 bytes from 10.17.1.2: icmp_seq=4 ttl=64 time=0.6 ms

--- 10.17.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.6/5.8/24.2 ms

 

The ping is successful, which means the FortiSwitch is online. This can be verified from the GUI as well.
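To make the checks in this procedure repeatable across many switches, here is an added Python example (not from the article or from Fortinet) that parses the output of 'execute switch-controller get-conn-status' / 'diagnose-connection' for the three failure signatures shown above and maps each to the corresponding fix. The sample output is constructed and abbreviated; the function and regex names are the example's own.

```python
import re

# Constructed, abbreviated sample of 'execute switch-controller get-conn-status
# <serial>' output carrying the failure signatures this article walks through.
SAMPLE_OUTPUT = """\
Fortilink interface ... OK
FortiLink enabled
DHCP server ... OK
FortiLink enabled
WARNING : NTP service for DHCP entry should be set to local mode .... please check config
NTP server ... FAIL
FortiLink not enabled
NTP server sync ... OK
No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx
CAPWAP
Remote Address : N/A
Status ... Idle
"""

CHECK_RE = re.compile(r"^(Fortilink interface|DHCP server|NTP server) \.\.\. (OK|FAIL)$", re.M)
CAPWAP_RE = re.compile(r"^Remote Address\s*:\s*(\S+)", re.M)
NO_IP_RE = re.compile(r"No CAPWAP IP address retrieved for FortiSwitch (\S+)")
DHCP_NTP_WARNING = "NTP service for DHCP entry should be set to local mode"


def parse_status(output):
    """Return the pass/fail checks, the CAPWAP IP (None when N/A) and the
    serial of a switch that got no CAPWAP IP, if that message is present."""
    m_ip = CAPWAP_RE.search(output)
    m_serial = NO_IP_RE.search(output)
    return {
        "checks": dict(CHECK_RE.findall(output)),
        "capwap_ip": m_ip.group(1) if m_ip and m_ip.group(1) != "N/A" else None,
        "no_ip_serial": m_serial.group(1) if m_serial else None,
        "dhcp_ntp_warning": DHCP_NTP_WARNING in output,
    }


def diagnose(output):
    """Map each failure signature in the output to the fix the article gives."""
    st = parse_status(output)
    fixes = []
    if st["checks"].get("NTP server") == "FAIL":
        fixes.append("ntp: add the FortiLink interface under 'config system ntp' -> 'set interface'")
    if st["dhcp_ntp_warning"]:
        fixes.append("dhcp-ntp: change the FortiLink interface NTP server from 'Specify' to 'Local'")
    if st["capwap_ip"] is None and st["no_ip_serial"]:
        fixes.append(f"capwap: {st['no_ip_serial']} has no IP; check mgmt VLAN 4094, allowed-vlans and DHCP VCI")
    return fixes
```

Feed it the real command output captured from the FortiGate CLI; an empty list from diagnose() corresponds to the healthy CONNECTED state shown at the end of the article.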

 

Picture3.png