This article highlights an issue that occurs when FortiGate tries to manage multiple switches in a specific topology configuration.
|Scope||FortiGate and FortiSwitch.|
The issue occurs in the following topology configuration:
- FortiLink interface type: 802.3ad aggregate
- FortiLink split interface: Enabled
- FortiLink neighbor detect: FortiLink
# config system interface
set fortilink-split-interface enable
set fortilink-neighbor-detect fortilink
FortiSwitch1 is successfully discovered and shows as online on FortiGate after authorization. However, despite how FortiSwitch3 is still operational, the FortiGate is unable to recognize it: it shows as offline. Upon attempting to manually add it using its serial number in the FortiGate, the FortiSwitch still displays as offline.
Since FortiSwitch1 and FortiSwitch3 are not physically connected, the Active FortiLink cannot discover the LLDP messages coming from FortiSwitch3 in the figure above. As a result, LLDP messages cannot be negotiated by FortiGate's 802.3ad aggregate interface with FortiSwitch3 and brought up for authorization on FortiGate.
Since the Standby FortiLink is administratively down and only utilized for redundancy, it will not handle any CAPWAP traffic and is therefore unsuitable for receiving LLDP traffic on the FortiGate.
To fix this, FortiSwitch units must be linked together in a ring-like or 'daisy-chain' topology using inter-switch links (ISL) or must be connected with an Ethernet cable. This physical topology change will resolve the issue. See the diagram below:
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.