Created on 09-30-2021 11:43 PM
Edited on 02-26-2025 01:41 AM
By kbountouris
Description
This article describes how to fix an issue where FortiSwitch shows as 'Offline' in the FortiGate unit under Security Fabric -> Physical Topology -> FortiSwitch -> Status: Offline.
Scope
FortiGate with FortiSwitch connected.
Solution
When this issue occurs, FortiSwitch is connected to FortiGate but does not work as expected.
Check the status in FortiGate under Security Fabric -> Physical Topology -> FortiSwitch -> Status: Offline.
With the factory default settings, the FortiLink interface will be as below:
config system interface
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set member "a" "b"
set lldp-reception enable
set lldp-transmission enable
next
end
If the 'set fortilink' option was disabled previously via GUI or CLI, it is required to re-enable it, and this is possible only via the CLI. Otherwise, FortiSwitches will not synchronize.
To re-enable it:
config system interface
edit "fortilink"
set fortilink enable
next
end
When the 'FortiLink' feature is disabled, the 'Dedicated to FortiSwitch' option will not be visible in the GUI.
Mismatched times cause a large number of issues. Before proceeding, verify on the FortiSwitch side that the date, time, and timezone are the same as they are in the managing FortiGate:
diagnose system ntp status
execute date
execute time
show system ntp
Use the following CLI command to check the FortiSwitch connection in FortiGate:
execute switch-controller get-conn-status <FortiSwitch_serial_number>
The result will appear as below (with the 'No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx' error message).
Fortilink interface ... OK
FortiLink enabled
DHCP server ... OK
FortiLink enabled
NTP server ... FAIL
FortiLink not enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 192.168.0.1, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=1
synchronized: no, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:2
no data
ipv4 server(ntp1.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:2
no data
HA mode Active-Passive... enabled
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 15 seconds ago
No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx
CAPWAP
Remote Address : N/A
Status ... Idle
Note that the message 'No CAPWAP IP address retrieved for FortiSwitch S448ENTFxxxxxxxx' appears. In this case, S448ENTFxxxxxxxx is the FortiSwitch serial number.
Consider adding a 'FortiLink' interface to NTP settings as below to solve the issue.
Run the following CLI configuration:
config system ntp
get <- Check first whether any interfaces are already set.
set interface "portxx" "portyy" "FortiLink"
end
In the above configuration, 'portxx' and 'portyy' are the old interface setting visible with the 'get' command.
FortiLink is the FortiLink interface that is added.
Furthermore, if the following error is observed after running this command, follow the steps below:
execute switch-controller get-conn-status <FortiSwitch_serial_number>
Get managed-switch S248EFTF23009804 connection status:
Admin Status: Authorized
Connection: Idle
Diagnosing...
FGT can not detect S248EFTF23009804 at LAG.
Please Check FortiGate:
CAPWAP in LAG is enabled.
Please Check FortiSwitch:
1. S248EFTF23009804 is in FortiLink mode.
2. S248EFTF23009804 is managed via LAG.
3. Execute 'execute switch-controller diagnose-connection S248EFTF23009804' for further details.
Run the following command to check further:
execute switch-controller diagnose-connection <FortiSwitch_serial_number>
Fortilink interface ... OK
LAG enabled
DHCP server ... OK
LAG enabled
WARNING : NTP service for DHCP entry should be set to local mode .... please check config <- (It is necessary to change the NTP server to 'local' in the FortiLink interface.)
NTP server ... OK
LAG enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 169.254.0.2, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: no, ntpsync: enabled, server-mode: enabled
ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:9
no data
ipv4 server(ntp1.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:9
no data
HA mode Active-Passive... enabled
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 2 seconds ago
No CAPWAP IP address retrieved for FortiSwitch S248EFTF23009804
CAPWAP
Remote Address : N/A
Status ... Idle
In the configuration of the FortiLink interface, change the NTP server from 'Specify' to 'Local'.
Also check the following interface setting on FortiGate:
config system interface
edit <interface name> <- For example: FortiLink.
set switch-controller-mgmt-vlan 4094 <- By default, it would be 4094.
end
This check is needed because sometimes the switch does not have VLAN ID 4094; in that case it is possible to change the management VLAN to 4093 on both FortiSwitch and FortiGate.
Verify that the FortiLink interface IP address is correct (for example, the Interface IP should not be 169.254.1.1 if the DHCP server is enabled on the FortiLink interface) and that the DHCP range is within the same range as the interface IP.
Also check that the VCI is configured correctly under the DHCP server setting on FortiGate if FortiSwitch is sending DHCP requests but not getting an IP address from FortiGate:
config system dhcp server
edit <id> <- For example: the ID of the FortiLink DHCP server.
set vci-match enable
set vci-string FortiSwitch
end
Gain console access to FortiSwitch and run the following commands.
In FortiSwitch:
show switch auto-network
The configuration should look like this:
config switch auto-network
set mgmt-vlan 4094 <- 4094 is the default management VLAN.
set status enable
end
Also, check this setting in FortiSwitch:
config switch interface
edit <interface connected to FortiGate or FortiSwitch>
show
If this setting appears:
unset allowed-vlans
Then change it to:
set allowed-vlans 4094
next
end
Restart the FortiSwitch and run the command again:
execute switch-controller diagnose-connection <FortiSwitch_serial_number>
Fortilink interface ... OK
LAG enabled
DHCP server ... OK
LAG enabled
NTP server ... OK
LAG enabled
NTP server sync ... OK
HA primary: yes, HA primary ip: 169.254.0.2, management_vfid: 0 ha_direct=0, ha_mgmt_vfid=-1
synchronized: no, ntpsync: enabled, server-mode: enabled
HA mode Active-Passive... enabled
Fortilink
Status ... SWITCH_AUTHORIZED_READY
Last keepalive ... 1 seconds ago
CAPWAP
Remote Address: 10.17.1.2 <-- The remote IP address.
Status ... CONNECTED
Last keepalive ... 26 seconds ago
PING 10.17.1.2 (10.17.1.2): 56 data bytes
64 bytes from 10.17.1.2: icmp_seq=0 ttl=64 time=0.7 ms
64 bytes from 10.17.1.2: icmp_seq=1 ttl=64 time=0.6 ms
64 bytes from 10.17.1.2: icmp_seq=2 ttl=64 time=24.2 ms
64 bytes from 10.17.1.2: icmp_seq=3 ttl=64 time=3.0 ms
64 bytes from 10.17.1.2: icmp_seq=4 ttl=64 time=0.6 ms
--- 10.17.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.6/5.8/24.2 ms
The ping is successful, which means FortiSwitch is online. This can be verified from the GUI as well.
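As an added example (not part of this Fortinet article), the Python helper below reads captured 'execute switch-controller diagnose-connection' output and maps the FAIL lines, the NTP local-mode warning, the 'No CAPWAP IP address retrieved' message and the CAPWAP status to the fixes described above. The two sample outputs are constructed, abbreviated from the failing and healthy outputs shown in this article.

```python
import re
# Constructed samples, abbreviated from the two diagnose-connection outputs in this article.
FAILING = """\
Fortilink interface ... OK
WARNING : NTP service for DHCP entry should be set to local mode .... please check config
NTP server ... FAIL
Status ... SWITCH_AUTHORIZED_READY
No CAPWAP IP address retrieved for FortiSwitch S248EFTF23009804
CAPWAP
Remote Address : N/A
Status ... Idle
"""
HEALTHY = """\
Fortilink interface ... OK
NTP server ... OK
CAPWAP
Remote Address: 10.17.1.2
Status ... CONNECTED
"""
def parse(output: str) -> dict:
    """Collect '<check> ... OK|FAIL' results, the CAPWAP block and any missing-IP serial."""
    info = {"checks": {}, "capwap_status": None, "remote": None, "serial": None}
    in_capwap = False
    for line in (l.strip() for l in output.splitlines()):
        if line == "CAPWAP":
            in_capwap = True
        elif m := re.search(r"No CAPWAP IP address retrieved for FortiSwitch (\S+)", line):
            info["serial"] = m.group(1)
        elif m := re.match(r"Remote Address\s*:\s*(\S+)", line):
            info["remote"] = m.group(1)
        elif m := re.match(r"(.+?)\s*\.\.\.\s*(\S.*)$", line):
            name, value = m.groups()
            if in_capwap and name == "Status":
                info["capwap_status"] = value
            elif value in ("OK", "FAIL"):
                info["checks"][name] = value
    return info

def findings(output: str) -> list:
    """Map each problem in the output to the fix this article gives; [] means healthy."""
    info = parse(output)
    out = [f"{n} FAIL: check 'config system ntp' includes the FortiLink interface"
           for n, v in info["checks"].items() if v == "FAIL"]
    if "should be set to local mode" in output:
        out.append("NTP for DHCP not local: set the FortiLink interface NTP server to 'Local'")
    if info["serial"]:
        out.append(f"no CAPWAP IP for {info['serial']}: verify FortiLink IP/DHCP range, VCI, VLAN 4094")
    if info["capwap_status"] != "CONNECTED":
        out.append(f"CAPWAP {info['capwap_status']}: restart the switch and re-run diagnose-connection")
    return out
```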
Related article:
Technical Tip: How to add/connect FortiSwitch to FortiGate on any interface
Copyright 2025 Fortinet, Inc. All Rights Reserved.