FortiGate
seyuboglu
Staff
Article Id 374091
Description This article describes how to recover VDOM links that are lost after upgrading to v7.2.9 or v7.2.10 from, or through, v7.0.14.
Scope FortiGate v7.0.
Solution

This issue is reported when the device is in multi-VDOM mode, VDOM links are used to pass traffic between VDOMs, and the device is upgraded from v7.0.14 to v7.2.9 or v7.2.10.

 

In this example the device runs v7.0.14, multi-VDOM mode is enabled, and two VDOM-link interfaces connect the VDOMs 'root' and 'LAN'.

 

Before the upgrade, the relevant output of the example device is:

 

FortiGate (global) # get sys status
Version: FortiGate-201F v7.0.14,build0601,240206 (GA.M)

 

FortiGate (global) # config system global
set vdom-mode multi-vdom
end

 

FortiGate (global) # config system interface

    edit "npu0_vlink0"       <--- npu0_vlink0 is in the root VDOM.
        set vdom "root"
        set ip 172.16.1.1 255.255.255.252
        set allowaccess ping
        set type vdom-link
        set snmp-index 26
    next

    edit "npu0_vlink1"       <--- npu0_vlink1 is in the LAN VDOM.
        set vdom "LAN"
        set ip 172.16.1.2 255.255.255.252
        set allowaccess ping
        set type vdom-link
        set snmp-index 27
    next
end

 

The issue appears only after an upgrade to v7.2.9 or later (v7.2.10 included); it is not reported when the device is upgraded from v7.0.14 to v7.2.7 or v7.2.8.

 

After the upgrade, the same device shows:

 

FortiGate (global) # diagnose debug config-error-log read
ffdb_app_map_process-3336: wrong word 3516
ffdb_app_map_process-3336: wrong word 196
ffdb_app_map_process-3336: wrong word 193
ffdb_app_map_process-3336: wrong word 190
ffdb_app_map_process-3336: wrong word 46
ffdb_app_map_process-3336: wrong word 191
>>> "next" @ global.system.interface.npu0_vlink0:failed command (error 1)
>>> "next" @ global.system.interface.npu0_vlink1:failed command (error 1)
>>> "set" "interface" "npu0_vlink1" @ LAN.firewall.sniffer.3:value parse error (error -3)
>>> "set" "device" "npu0_vlink1" @ LAN.router.static.1:value parse error (error -651)
>>> "next" @ LAN.router.static.1:failed command (error 1)
>>> "edit" "npu0_vlink1" @ LAN.router.multicast.interface:value parse error (error -3)
ffdb_map_flash_read: ret=-5, Error: version error
ffdb_map version mismatch, the Internet Service Database will automatically update
init_do_ffdb_map: ret=-3, Error: internal error
FortiGate (global) #

The VDOMs themselves are not lost; they are still present in the configuration:

 

config vdom
    edit root
    next
    edit LAN
    next
end

 

However, the VDOM-link interface configuration is lost: both interfaces are converted to type physical, placed in the root VDOM, and stripped of their IP addresses and all other settings.

 

FortiGate (global) # config system interface

    edit "npu0_vlink0"     <--- npu0_vlink0 is in the root VDOM.
        set vdom "root"      <--- IP address and all other settings are gone.
        set type physical
        set snmp-index 26
    next
    edit "npu0_vlink1"     <--- npu0_vlink1 is now also in the root VDOM.
        set vdom "root"      <--- IP address and all other settings are gone.
        set type physical
        set snmp-index 27
    next
end

 

The workaround is to restore an edited copy of the v7.0 configuration after the upgrade, as follows.

 

  1. Download the v7.0 configuration file from the top-right corner of the GUI.
    Go to admin -> Configuration -> Backup and save it to the local computer. Save it without encryption: an encrypted backup cannot be edited in the next step.

 

Technical Tip: How to download FortiGate configuration file & Debug log from GUI

 

  2. Edit the saved configuration file.
    For each of npu0_vlink0 and npu0_vlink1, change 'set type vdom-link' to 'set type physical'. Leave the 'set vdom', 'set ip' and other lines of the entry unchanged.

In the v7.0 backup configuration file, the two entries then read:

 

    edit "npu0_vlink0"
        set vdom "root"
        set ip 172.16.1.1 255.255.255.252
        set allowaccess ping
        set type physical     <------ Change this line manually in the configuration file.
        set snmp-index 26
    next

    edit "npu0_vlink1"
        set vdom "LAN"
        set ip 172.16.1.2 255.255.255.252
        set allowaccess ping
        set type physical     <------ Change this line manually in the configuration file.
        set snmp-index 27
    next

 

 

  3. Upgrade the device from the top-right corner of the GUI.
    Go to admin -> System -> Fabric Management and upgrade the device to the target v7.2 or v7.4 firmware.


Check the supported upgrade path with the Upgrade Path Tool before applying any upgrade to the device:

 Upgrade Path Tool Table

  4. After the upgrade, the VDOM-link configuration is lost, as shown above. This is expected.

  5. Restore the edited configuration file onto the device now running v7.2/v7.4 (admin -> Configuration -> Restore in the GUI).

  6. The device reboots and comes up with the VDOM links and the rest of the previous configuration. Run 'diagnose debug config-error-log read' afterwards to confirm that no npu0_vlink entries were rejected.

 

In newer versions, the default (and only valid) type for an npu_vlink interface is physical, which is why the edited entries are accepted on restore.
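Editing a large backup by hand in step 2 is easy to get wrong, so here is an added example that is not part of the original article or of any Fortinet tooling: a Python script that patches only the 'set type vdom-link' lines of interface entries under 'config system interface', leaving nested sub-blocks (such as 'config ipv6') and every reference to the links elsewhere in the file untouched. It assumes an unencrypted backup that starts with a '#config-version=' header; the embedded sample backup is constructed to mirror the device in this article and was not captured from one.

```python
# Added example (not Fortinet's tooling): patch the interface type of the
# VDOM links in a 7.0 plaintext backup before the upgrade, as step 2 asks.
import re
import sys

CONFIG_RE = re.compile(r'^\s*config\s+(.+?)\s*$')
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
TYPE_RE = re.compile(r'^(\s*)set type vdom-link\s*$')


def rewrite_vdom_links(config_text, only_names=None):
    """Return (patched_text, names_changed). Only a 'set type vdom-link'
    directly under an 'edit' of 'config system interface' becomes
    'set type physical'; nested sub-blocks and references to the links
    elsewhere are untouched. only_names restricts the change, if given."""
    # Assumption: a readable (unencrypted) backup starts with this header;
    # an encrypted backup cannot be edited, so refuse it up front.
    if not config_text.startswith("#config-version="):
        raise ValueError("not a plaintext FortiGate backup")
    if "set vdom-mode multi-vdom" not in config_text:
        raise ValueError("backup is not from a multi-vdom device")

    out, changed = [], []
    stack = []  # one [block_name, current_edit] per open 'config' block
    for line in config_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        newline = line[len(body):]  # keep CRLF or LF exactly as found
        stripped = body.strip()
        if m := CONFIG_RE.match(body):
            stack.append([m.group(1), None])
        elif stripped == "end":
            if stack:
                stack.pop()
        elif (m := EDIT_RE.match(body)) and stack:
            stack[-1][1] = m.group(1)
        elif stripped == "next" and stack:
            stack[-1][1] = None
        elif stack and stack[-1][0] == "system interface" and stack[-1][1]:
            name = stack[-1][1]
            t = TYPE_RE.match(body)
            if t and (only_names is None or name in only_names):
                changed.append(name)
                body = t.group(1) + "set type physical"
        out.append(body + newline)
    return "".join(out), changed


# Constructed 7.0 backup fragment mirroring the article's device; the
# header line is shaped like a real one but was not taken from a device.
SAMPLE_BACKUP = """#config-version=FG201F-7.0.14-FW-build0601-240206:opmode=0:vdom=1:user=admin
config global
    config system global
        set vdom-mode multi-vdom
    end
    config system interface
        edit "npu0_vlink0"
            set vdom "root"
            set ip 172.16.1.1 255.255.255.252
            set allowaccess ping
            set type vdom-link
            set snmp-index 26
            config ipv6
                set ip6-allowaccess ping
            end
        next
        edit "npu0_vlink1"
            set vdom "LAN"
            set ip 172.16.1.2 255.255.255.252
            set allowaccess ping
            set type vdom-link
            set snmp-index 27
        next
    end
end
config vdom
    edit LAN
        config router static
            edit 1
                set device "npu0_vlink1"
                set gateway 172.16.1.1
            next
        end
    next
end
"""


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} backup-7.0.conf patched-7.0.conf")
        return 2
    with open(argv[1], encoding="utf-8", newline="") as f:
        patched, changed = rewrite_vdom_links(f.read())
    with open(argv[2], "w", encoding="utf-8", newline="") as f:
        f.write(patched)
    print("changed to physical:", ", ".join(changed) or "none")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as 'python3 patch_vlinks.py backup-7.0.conf patched-7.0.conf' and restore patched-7.0.conf in step 5. The block tracker is what keeps the change safe: the 'set device "npu0_vlink1"' line under 'config router static' in the LAN VDOM is left as it is, because only the interface definition itself needs the new type.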