Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vpatil
Staff
Staff

Created on ‎10-05-2020 03:22 AM Edited on ‎02-13-2025 02:54 AM By Community Manager

Article Id 193797

Technical Tip: Managed FortiSwitch shows 'E=config sync error' flag or Config Download failed - sync-status=Sync-Error - login

Description


This article describes how to debug FortiGate not pushing new config to Manage FortiSwitch. 

Scope


FortiOS, FortiSwitch

Ensure FortiOS and FortiSwitch OS are running on compatible firmware versions as listed in FortiLink Compatibility matrix link below: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d756e8a9-6d2d-11e9-81a4-005056...

Solution


In general, the E flag refers the external VLANs created out of FortiGate instead of being configured via Fortilink. For an example, a VLAN has been created in FortiSwitch but not configured directly in FortiGate. FortiGate may or may not sync and not fully manage the VLAN. Also, if FortiGate managed VLANs are missing in FortiSwitch the sync error may appear as the VLAN was not syncing from FortiGate to FortiSwitch.

 

When FortiGate and FortiSwitch are running on incompatible firmware versions, the below command output may show the 'E=configuration sync error' flag:

 

execute switch-controller get-conn-status


Once verified firmware are compatible and if the issue of is still visible config not getting pushed and switch showing 'E' flag, follow below steps.

To verify if FortiGate is pushing new config to FortiSwitch – use below debug logs on FortiGate and FortiSwitch:

 

FortiGate:

 

diagnose debug application flcfgd -1
diagnose debug console timestamp enable
diagnose debug enable

 

FortiSwitch:

 

diagnose debug cli 8
diagnose debug console timestamp enable
diagnose debug enable

 

Sample log prints from FortiGate and FortiSwitch when the new FortiSwitch VLAN 30 is created on FortiGate for FortiSwitch.

 

FortiGate side logs:

 

553s:594ms:476us flcfg_configure_switch[5789]:Adding vlan for vlanid(30) vlan(30) switch(S124DP3X16008363) dhcp_snooping(0)
553s:644ms:108us flcfg_configure_switch[5819]:configured switch vlan(30) for S124DP3X16008363

 

FortiSwitch side logs:

 

0: config switch vlan
0: edit 30
0: set description "30"
0: end

 

FortiGate and FortiSwitch config sync commands:

 

execute switch-controller get-conn-status
execute switch-controller get-sync-status all      <- To check the reason why the switch is showing the 'E'flag.
diagnose switch-controller trigger config-sync <switch_id>   <- Try to trigger manual sync to the FortiSwitch showing E flag).      

 

For error "Config Download failed - sync-status=Sync-Error - login(null) fails;- 7624 - communicating with fortiswitch"  

Follow steps:

#config switch-controller system
#set tunnel-mode moderate<---Instead of Strict
#end

 

Note:

The FortiSwitch 1xx models allow enabling DHCP snooping on a maximum of 25 VLANs.

 

Therefore, on the FortiGate if the existing 25 VLANs already have DHCP snooping enabled then the 26th VLAN (DHCP snooping enabled) may not push to the FSW units (including Rugged 1xx series Switches) - this is expected. 

 

Related document:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/742bfeaa-71d0-11ed-8e6d-fa163e...

14404
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.