FortiGate
nkorea
Staff
Article Id 417433
Description

This article describes a known upgrade issue that affects FortiLink interfaces with a non-default allowaccess ('Administrative Access') configuration.

Scope

FortiGate v7.4.x.
Solution

This issue occurs when the allowaccess configuration of a FortiLink-enabled interface includes any protocol other than ping and fabric. Earlier firmware versions accepted this, but v7.4 does not. After the upgrade to v7.4 the FortiLink-enabled interface is lost, and any VLAN interface or FortiSwitch configuration that references it is lost as well.

 

For example:

 

config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable <----- Can affect any interface with fortilink enabled, not just the default one.
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping https ssh fabric
    next
end

 

Upgrading the device to v7.4 will cause this interface to be lost and generate additional errors visible with the command 'diagnose debug config-error-log read':

 

diagnose debug config-error-log read
>>> "next" @ global.system.interface.fortilink:failed command (error 1)
>>> "set" "interface" "fortilink" @ global.system.interface.default.fortilink:failed command (error -651)
>>> "next" @ global.system.interface.default.fortilink:failed command (error 1)
>>> "set" "interface" "fortilink" @ global.system.interface.vlan002.fortilink:failed command (error -651)
...

 

In v7.2, the allowaccess settings of a FortiLink-enabled interface cannot be changed manually (see the article Troubleshooting Tip: FortiLink error message after interface changing). For this reason, the configuration file itself must be edited to resolve this issue.

 

Preventing the issue before the upgrade:

 

  1. Download a full configuration backup using an administrator with the super_admin profile (see Configuration backups and reset).

  2. Modify the configuration manually using a text editor as follows. For any system interface entry that contains 'set fortilink enable', replace the existing allowaccess line with 'set allowaccess ping fabric'. Do not modify any other configuration line.

     

config system interface
    edit "fortilink_name"
        ...
        set fortilink enable <-- if this line is present, ensure allowaccess is set correctly for the interface.
        ...
        set allowaccess ping fabric
        ...
    next
end

 

  3. Restore the modified configuration during a maintenance window. Note that restoring a configuration backup to an HA cluster causes all cluster members to reboot simultaneously.

  4. Upgrade to the intended firmware version.
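Editing a large backup by hand is error-prone, so the following script applies step 2 mechanically and reports what it changed, which is the check worth doing before the restore in step 3. It is an added example for this article, not a Fortinet tool: it assumes a plaintext (unencrypted) backup in the usual config/edit/next/end layout, walks only 'config system interface', rewrites 'set allowaccess' to 'ping fabric' in entries that carry 'set fortilink enable', and passes every other line through untouched (including nested blocks such as 'config ipv6'). The function names and the SAMPLE text are constructed for the example, the latter modelled on the article's own interface.

```python
#!/usr/bin/env python3
"""Added example (not Fortinet's code): rewrite 'allowaccess' on FortiLink-enabled
interfaces in a plaintext FortiGate config backup so only ping/fabric remain."""

import sys

# The only allowaccess protocols v7.4 accepts on a FortiLink-enabled interface.
PERMITTED = {"ping", "fabric"}

# Constructed sample backup fragment (not a real device backup). "fortilink" carries the
# offending https/ssh; "port1" is not a FortiLink interface and must stay untouched.
SAMPLE = """\
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set ip 10.255.1.1 255.255.255.0
        set allowaccess ping https ssh fabric
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port1"
        set vdom "root"
        set allowaccess ping https ssh
    next
end
"""


def _patch_entry(lines, name, changes):
    """Patch one 'edit ... next' block in place when it is a FortiLink interface."""
    top, level = [], 0                  # lines at the entry's own level (nested configs skipped)
    for i, raw in enumerate(lines):
        s = raw.strip()
        if level == 0:
            top.append((i, s))
        if s.startswith("config "):
            level += 1
        elif s == "end" and level > 0:
            level -= 1
    if not any(s == "set fortilink enable" for _, s in top):
        return lines                    # not a FortiLink interface: leave every line alone
    for i, s in top:
        if s.startswith("set allowaccess"):
            if set(s.split()[2:]) <= PERMITTED:
                return lines            # already compliant, nothing to do
            raw = lines[i]
            indent = raw[: len(raw) - len(raw.lstrip())]
            eol = "\r\n" if raw.endswith("\r\n") else "\n"
            lines[i] = f"{indent}set allowaccess ping fabric{eol}"
            changes.append((name, s, "set allowaccess ping fabric"))
            return lines
    return lines                        # no allowaccess line at all: nothing to replace


def fix_fortilink_allowaccess(config_text):
    """Return (patched_text, changes); changes is a list of (interface, old_line, new_line)."""
    out, changes = [], []
    in_sysif = False                    # inside 'config system interface' ... 'end'
    entry, entry_name, entry_depth = None, None, 0
    for raw in config_text.splitlines(keepends=True):
        s = raw.strip()
        if not in_sysif:
            out.append(raw)
            in_sysif = s == "config system interface"
        elif entry is None:
            if s.startswith("edit "):
                entry, entry_name, entry_depth = [raw], s[5:].strip().strip('"'), 0
            else:
                out.append(raw)
                if s == "end":
                    in_sysif = False    # left 'config system interface'
        else:
            entry.append(raw)           # collect the entry until its own 'next'
            if s.startswith("config "):
                entry_depth += 1
            elif s == "end" and entry_depth > 0:
                entry_depth -= 1
            elif s == "next" and entry_depth == 0:
                out.extend(_patch_entry(entry, entry_name, changes))
                entry = None
    if entry is not None:               # unterminated entry: emit unchanged
        out.extend(entry)
    return "".join(out), changes


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="surrogateescape").read() if path else SAMPLE
    patched, changes = fix_fortilink_allowaccess(text)
    for name, old, new in changes:
        print(f'{name}: "{old}" -> "{new}"')
    if path:                            # never overwrite the original backup
        with open(path + ".fixed", "w", encoding="utf-8", errors="surrogateescape") as f:
            f.write(patched)
```

Run it as 'python3 fix_fortilink.py backup.conf'; it prints one line per interface it changed and writes 'backup.conf.fixed', leaving the downloaded backup intact so the two can be diffed before the restore. An empty report on a device that is known to have the problem usually means the backup is encrypted (a backup taken with a password cannot be edited this way) or the interface is declared under a different block than expected; inspect the file rather than restoring it.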


Restoring a lost FortiLink interface if the device was already upgraded:

For physical devices that can still roll back to the previous v7.2 firmware, revert to that firmware and its configuration as described in the article Technical Tip: Selecting an alternate firmware for the next reboot, then carry out the prevention steps above.


For virtual devices, revert to a VM snapshot taken before the upgrade if one is available, then carry out the prevention steps above.

If the device cannot be reverted to the previous v7.2 safely, an administrator may edit a v7.2 configuration file so that every FortiLink-enabled interface carries 'set allowaccess ping fabric' and restore it to the device running v7.4 firmware.

Uploading a configuration taken on a different firmware version can introduce further errors, and any additional entries reported by 'diagnose debug config-error-log read' may need to be corrected manually.