FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff
Article Id 345729
Description This article describes how to investigate cases where FortiSwitches managed in FortiLink mode disappear from the FortiNAC Inventory.
Scope FortiNAC, FortiNAC-F.
Solution

This issue occurs when the FortiLink between the FortiGate and its managed FortiSwitches is unstable and the switches repeatedly disconnect and reconnect.

FortiNAC collects FortiLink information by polling the FortiGate, which reports the connection state of each managed FortiSwitch through its REST API. When the FortiGate reports a switch as disconnected, FortiNAC removes the switch's ports and then the device model from its inventory; when the switch rejoins, FortiNAC creates it again as a new device.

To identify when the issue occurred, go to Logs -> Events & Alarms -> Events in the FortiNAC GUI.

The following events are typically seen:

10/02/2024 17:38   Device Destroyed   No Associated Element Device S108EPXXXX of protocol Snmp destroyed.

Or:

10/02/2024 17:38   SNMP Failure       S108EPXXXX SNMP failed for device S108EPXXXX with message 10.10.250.50 SNMP V1/V2c get failed
10/02/2024 17:38   Device Created     S108EPXXXX Device S108EPXXXX with IP 10.10.250.50 of protocol Snmp created and added to FIREWALL Container.

The 'Device Destroyed' event marks the moment the switch and its ports left the inventory; a 'Device Created' event for the same name shortly afterwards shows that the switch rejoined the FortiLink and was modeled again from scratch.
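The destroy/re-create pattern above is easy to miss in a long event export. The following Python script is an added example and is not part of the original article or of FortiNAC; it assumes the event lines are copied as plain text in the layout shown (date, time, event type, element and message separated by whitespace), and the sample lines it ships with are constructed from the events quoted above.

```python
"""Find FortiSwitch destroy/re-create cycles in FortiNAC event lines.

Added example, not part of the original article or of FortiNAC. It parses lines
copied from Logs -> Events & Alarms -> Events in the layout shown above and
reports, per switch, each 'Device Destroyed' followed by 'Device Created' and
how long the switch was missing from the inventory, i.e. the window in which
no control actions reached hosts on its ports. Event timestamps carry minute
resolution, so a zero gap means both events fell within the same minute.
"""
import re
from datetime import datetime, timedelta

# "<mm/dd/yyyy HH:MM>  <event type>  <element and message>" with variable spacing.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s+"
    r"(?P<type>Device Destroyed|Device Created|SNMP Failure)\s+"
    r"(?P<rest>.*)$"
)
# The device name inside the message. The SNMP Failure text may run the name
# into the following word ("S108EPXXXXwith"), so the name match is non-greedy.
DEVICE_RE = re.compile(r"[Dd]evice\s+(?P<name>\S+?)\s*(?:with|of protocol)")
IP_RE = re.compile(r"with IP (\d{1,3}(?:\.\d{1,3}){3})")


def parse_event(line):
    """Return {'ts', 'type', 'device', 'ip'} for a recognised line, else None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    dev = DEVICE_RE.search(m["rest"])
    ip = IP_RE.search(m["rest"])
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M"),
        "type": m["type"],
        "device": dev["name"] if dev else None,
        "ip": ip.group(1) if ip else None,
    }


def find_flaps(lines, max_gap=timedelta(hours=1)):
    """Return (device, destroyed_at, created_at, gap) for every destroy followed
    by a re-create of the same device within max_gap, in chronological order."""
    events = [e for e in map(parse_event, lines) if e and e["device"]]
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-minute order
    pending, flaps = {}, []
    for e in events:
        if e["type"] == "Device Destroyed":
            pending[e["device"]] = e["ts"]
        elif e["type"] == "Device Created" and e["device"] in pending:
            destroyed_at = pending.pop(e["device"])
            gap = e["ts"] - destroyed_at
            if gap <= max_gap:
                flaps.append((e["device"], destroyed_at, e["ts"], gap))
    return flaps


def flap_counts(lines):
    """Number of destroy/re-create cycles per device, most affected first."""
    counts = {}
    for device, *_ in find_flaps(lines):
        counts[device] = counts.get(device, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed sample in the layout of the events quoted above; the second
# switch name, the later times and the IP are illustrative.
SAMPLE_EVENTS = """\
10/02/2024 17:38   Device Destroyed   No Associated Element Device S108EPXXXX of protocol Snmp destroyed.
10/02/2024 17:38   SNMP Failure       S108EPXXXX SNMP failed for device S108EPXXXXwith message 10.10.250.50 SNMP V1/V2c get failed
10/02/2024 17:38   Device Created     S108EPXXXX Device  S108EPXXXX with IP 10.10.250.50 of protocol Snmp created and added to FIREWALL Container.
10/02/2024 18:05   Device Destroyed   No Associated Element Device S108EPXXXX of protocol Snmp destroyed.
10/02/2024 18:07   Device Created     S108EPXXXX Device  S108EPXXXX with IP 10.10.250.50 of protocol Snmp created and added to FIREWALL Container.
10/02/2024 18:20   Device Destroyed   No Associated Element Device S124EPYYYY of protocol Snmp destroyed.
""".splitlines()

if __name__ == "__main__":
    for device, t0, t1, gap in find_flaps(SAMPLE_EVENTS):
        print(f"{device}: destroyed {t0:%H:%M}, re-created {t1:%H:%M}, no enforcement for {gap}")
    print(flap_counts(SAMPLE_EVENTS))
```

A 'Device Destroyed' with no matching 'Device Created' (the last sample line) is not reported as a flap: that switch is still missing, which is the more urgent case and is visible directly in the inventory. For sub-second timing use the output.master messages instead of the Events view.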


In the FortiNAC output.master log file (/bsc/logs/output.master), the following messages are logged for the same time window:

yams INFO :: 2024-10-02 17:38:23:064 :: #99 :: SnmpServer.getElementsByName Found 1 devices with name S108EPXXXX
yams.SnmpV1 INFO :: 2024-10-02 17:38:23:075 :: #520 :: SnmpServer removing 4489 with IP 10.10.250.50 from devices
yams INFO :: 2024-10-02 17:38:23:077 :: #60 :: DeviceManager found device 4489 connected to no ports


yams INFO :: 2024-10-02 17:38:30:541 :: #99 :: PollThread Fortigate.removeStalePorts : removing port 4437 fortiGateLab:root:S108EPXXXX:port1
yams INFO :: 2024-10-02 17:38:30:541 :: #99 :: PollThread Fortigate.removeInterface() for element fortiGateLab and port 4437 fortiGateLab:root:S108EPXXXX:port1
yams INFO :: 2024-10-02 17:38:30:544 :: #99 :: PollThread Fortigate.removeStalePorts : removing port 4438 fortiGateLab:root:S108EPXXXX:port2
.
.


The FortiGate CLI shows when the FortiSwitch last joined the FortiLink:

fortiGateLab # execute switch-controller get-conn-status S108EPXXXX

Get managed-switch S108EPXXXX connection status:
Admin Status: Authorized
Connection: Connected
Image Version: S108EP-v7.2.7-build479,240214 (GA)
Remote Address: 10.10.250.50
Join Time: Wed Oct 2 17:38:57 2024  <------- If the join time changes frequently, the FortiLink is unstable.


interface   status   duplex   speed      fortilink   stacking   poe status
port1       down     N/A      0          no          no         Searching
port2       down     N/A      0          no          no         Disabled
port3       up       full     1000Mbps   no          no         Delivering Power
port4       up       full     1000Mbps   no          no         Delivering Power
port5       down     N/A      0          no          no         Not Supported
port6       down     N/A      0          no          no         Not Supported
port7       up       full     1000Mbps   yes         no         Not Supported
port8       down     N/A      0          no          no         Not Supported
port9       down     N/A      0          no          no         Not Supported
port10      down     N/A      0          no          no         Not Supported


Aggregate Interfaces:

Interface Status Duplex Speed Type
GVM01TM24004682(*) up full 1000Mbps FL


ISL: Inter-Switch-Link trunk.
FL: Fortilink Trunk connected to FGT.
(*): System auto generated trunk

fortiGateLab #
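A single look at the join time only tells you when the switch last joined; instability shows up when the value keeps changing across captures taken over time (for example, the output of the command above saved every few minutes). The following Python script is an added example, not part of the original article or of FortiOS. It assumes each capture is the text exactly as the FortiGate prints it, including the ctime()-style Join Time, and the captures it ships with are constructed.

```python
"""Flag FortiLink instability from repeated get-conn-status captures.

Added example, not part of the original article or of any Fortinet tool. It
parses the text printed by `execute switch-controller get-conn-status <serial>`
and reports every change of "Join Time" between consecutive captures of the
same switch; a new join time between two captures means the switch dropped
off the FortiLink and rejoined in the meantime.
"""
import re
from datetime import datetime, timedelta

SERIAL_RE = re.compile(r"Get managed-switch (\S+) connection status")
FIELD_RE = re.compile(
    r"^(Admin Status|Connection|Image Version|Remote Address|Join Time):\s*(.+?)\s*$",
    re.MULTILINE,
)


def parse_conn_status(text):
    """Return the switch serial and header fields of one capture; 'Join Time'
    is converted to a datetime when present."""
    serial = SERIAL_RE.search(text)
    out = {"serial": serial.group(1) if serial else None}
    out.update(FIELD_RE.findall(text))
    jt = out.get("Join Time")
    if jt:
        # FortiOS prints ctime()-style dates ("Wed Oct  2 17:38:57 2024"): a
        # single-digit day is padded with a second space, so split on any
        # whitespace and keep the five date tokens, dropping any annotation.
        tokens = jt.split()[:5]
        out["Join Time"] = datetime.strptime(" ".join(tokens), "%a %b %d %H:%M:%S %Y")
    return out


def join_time_changes(captures):
    """captures: raw outputs in the order they were taken (any mix of switches).
    Returns (serial, previous_join_time, new_join_time) for each rejoin observed."""
    last_seen, changes = {}, []
    for raw in captures:
        st = parse_conn_status(raw)
        serial, jt = st["serial"], st.get("Join Time")
        if serial is None or jt is None:
            continue
        prev = last_seen.get(serial)
        if prev is not None and jt != prev:
            changes.append((serial, prev, jt))
        last_seen[serial] = jt
    return changes


def unstable_switches(captures, window=timedelta(hours=24), threshold=2):
    """Serials that rejoined at least `threshold` times within any `window`."""
    per_switch = {}
    for serial, _prev, new in join_time_changes(captures):
        per_switch.setdefault(serial, []).append(new)
    flagged = set()
    for serial, times in per_switch.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.add(serial)
                break
    return sorted(flagged)


def _capture(serial, join_time, connection="Connected"):
    """Build one capture in the layout the FortiGate prints (constructed sample)."""
    return (
        f"Get managed-switch {serial} connection status:\n"
        f"Admin Status: Authorized\n"
        f"Connection: {connection}\n"
        f"Image Version: S108EP-v7.2.7-build479,240214 (GA)\n"
        f"Remote Address: 10.10.250.50\n"
        f"Join Time: {join_time}\n"
    )


# Constructed captures: the lab switch rejoins twice during the day, a second
# (hypothetical) switch keeps its join time.
SAMPLE_CAPTURES = [
    _capture("S108EPXXXX", "Wed Oct  2 09:12:03 2024"),
    _capture("S108EPXXXX", "Wed Oct  2 09:12:03 2024"),  # unchanged: stable so far
    _capture("S108EPXXXX", "Wed Oct  2 17:38:57 2024"),  # rejoined
    _capture("S108EPXXXX", "Wed Oct  2 18:06:12 2024"),  # rejoined again
    _capture("S108EPYYYY", "Tue Oct  1 08:00:00 2024"),
    _capture("S108EPYYYY", "Tue Oct  1 08:00:00 2024"),
]

if __name__ == "__main__":
    for serial, prev, new in join_time_changes(SAMPLE_CAPTURES):
        print(f"{serial}: rejoined at {new:%c} (previous join {prev:%c})")
    print("unstable:", unstable_switches(SAMPLE_CAPTURES))
```

The threshold and window are policy knobs: two rejoins in a day is already unusual for a wired uplink, and every rejoin corresponds to one destroy/re-create cycle on the FortiNAC side.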


Once the FortiSwitch is removed from FortiNAC, the hosts connected to its ports are no longer enforced: FortiNAC cannot find those ports in its model, so no control actions (for example, VLAN assignment) are applied to them until the switch is re-created and its ports are modeled again. Every destroy/re-create cycle therefore opens a window in which hosts on that switch are not subject to FortiNAC policy.

To prevent this from happening, check the following.

  1. Resolve the FortiLink instability: Troubleshooting Tip: Possible reason for FortiLink instability
  2. Make sure DHCP reservations or static IP addresses are configured for the FortiSwitches in FortiLink. When a device is removed from Topology/Network Inventory, its SSH entry is not removed from /bsc/.ssh/known_hosts. If a new device is later added with the same IP address as a previously modeled device, its host key no longer matches the stored entry and SSH key validation fails.
  • When this happens, the entry in /bsc/.ssh/known_hosts can be cleared from the Credentials tab of the modeled device by selecting 'Clear known hosts'.

Figure 1. Clearing all known host keys for a specific modeled device.

  • Reserving FortiSwitch IPs on the FortiGate also avoids duplicate IP addresses for FortiSwitches in FortiNAC. If a FortiSwitch IP address changes, FortiNAC can end up with two FortiSwitch models carrying the same IP address, and in that case it deletes one of them.
  3. FortiSwitch IP addresses must be routable from FortiNAC: do not use the default subnet assigned by FortiLink (169.254.1.0/24, with the FortiGate FortiLink interface at 169.254.1.1/24).
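The addressing requirements in items 2 and 3 can be checked before the symptoms appear. The following Python script is an added example, not part of the original article or of FortiNAC. It assumes a list of modeled FortiSwitches as (name, IP) pairs exported from the inventory and that /bsc/.ssh/known_hosts uses the OpenSSH known_hosts format; a key mismatch for an address that is still in use can only be confirmed by connecting, which this offline check does not do. The inventory and known_hosts content it ships with are constructed.

```python
"""Pre-checks for the FortiSwitch addressing requirements listed above.

Added example, not part of the original article or of FortiNAC. Given the
FortiSwitch models as FortiNAC knows them (name and IP), it reports
(a) IP addresses shared by more than one model, (b) models still on the
link-local FortiLink default range, and (c) entries in an OpenSSH-format
known_hosts file whose host is no longer in the inventory, i.e. the leftover
entries that break SSH key validation once the address is reused. Hashed
(|1|...) entries cannot be matched by address offline and are listed separately.
"""
import ipaddress
from collections import defaultdict


def duplicate_ips(devices):
    """devices: iterable of (name, ip). Return {ip: [names]} for IPs used more than once."""
    by_ip = defaultdict(list)
    for name, ip in devices:
        by_ip[ip].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def link_local_devices(devices):
    """Names whose IP is in 169.254.0.0/16, i.e. not routable from FortiNAC."""
    return [name for name, ip in devices if ipaddress.ip_address(ip).is_link_local]


def stale_known_hosts(known_hosts_text, devices):
    """Return (stale, hashed): lines whose host field names no current device
    address, and lines with hashed host names that cannot be checked offline."""
    current = {ip for _name, ip in devices}
    stale, hashed = [], []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):       # @cert-authority / @revoked marker
            fields = fields[1:]
        if fields[0].startswith("|1|"):     # hashed host name
            hashed.append(line)
            continue
        addrs = []
        for host in fields[0].split(","):  # "host1,host2" or "[host]:port"
            addrs.append(host[1:].split("]")[0] if host.startswith("[") else host)
        if not any(a in current for a in addrs):
            stale.append(line)
    return stale, hashed


def report(devices, known_hosts_text):
    """All three checks in one dict, ready to print or assert on."""
    stale, hashed = stale_known_hosts(known_hosts_text, devices)
    return {
        "duplicate_ips": duplicate_ips(devices),
        "link_local": link_local_devices(devices),
        "stale_known_hosts": stale,
        "hashed_known_hosts": hashed,
    }


# Constructed sample inventory: the lab switch, a second model left behind with
# the same address after an IP change, and one switch still on the FortiLink
# default range. Names other than S108EPXXXX are hypothetical.
SAMPLE_DEVICES = [
    ("S108EPXXXX", "10.10.250.50"),
    ("S108EPXXXX-old", "10.10.250.50"),
    ("S124EPYYYY", "169.254.1.2"),
]

# Constructed known_hosts content; the key material is a placeholder, not a real key.
SAMPLE_KNOWN_HOSTS = """\
10.10.250.50 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY1
10.10.250.51 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY2
[10.10.250.52]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLEKEY3
|1|abcHASHEDSALT=|abcHASHEDHOST= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY4
"""

if __name__ == "__main__":
    for check, result in report(SAMPLE_DEVICES, SAMPLE_KNOWN_HOSTS).items():
        print(f"{check}: {result}")
```

Anything listed under stale_known_hosts is an entry that 'Clear known hosts' on the corresponding device would have removed; if the address is handed to a new FortiSwitch first, the stored key no longer matches and the new model fails SSH validation.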


Related articles:

FortiSwitch FortiLink Integration Guide

Troubleshooting Tip: Host visibility issues in FortiLink Layer 3 integration with FortiNAC.