FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Hatibi
Staff & Editor
Article Id 341881
Description

This article describes the troubleshooting steps and log investigation that can be performed when hosts keep appearing and disappearing in the FortiNAC Host View in a FortiLink Layer 3 integration.

Scope

FortiNAC, FortiNAC-F, FortiGate, FortiSwitch.

Solution

FortiLink mode over a Layer 3 network allows FortiSwitch units to operate in FortiLink mode even though they are not directly connected to the FortiGate.

In the network diagram below, a FortiSwitch island contains FortiSwitch A and FortiSwitch B.

FortiNAC is integrated with FortiGate and uses REST API access to learn the endpoints connected to the FortiSwitches and to apply control.

Figure 1. Network diagram for a FortiLink mode over Layer 3 network deployment.

In these scenarios, if the trunk ports (port50) between FortiSwitch B and FortiSwitch A are not configured as an ISL, FortiGate treats them as user/access ports. In that case, FortiGate considers the endpoint to be connected both to port1 of FortiSwitch B and to port50 of FortiSwitch A.

When FortiNAC performs L2 polling to learn endpoints, FortiGate will frequently respond with the MAC location on both FortiSwitch B port1 and FortiSwitch A port50.

The symptoms of this conflicting information are visible in the FortiNAC Host View and Inventory View, where the host keeps disappearing and reappearing between the two FortiSwitch ports. If there are additional FortiSwitches in the environment, the problem becomes even more visible and frequent.

As a result of this misconfiguration, FortiNAC applies unexpected port enforcement actions depending on the port's system group membership. FortiNAC attempts control actions in response to each MAC location change reported by the FortiGate API, which causes frequent VLAN changes and port status changes.

To investigate the issue for a given MAC address in FortiNAC, enable the following debugs in the CLI:

diagnose debug plugin enable BridgeManager
execute enter-shell
device -ip X.X.X.X -setAttr -name DEBUG -value "ForwardingInterface TelnetServer" <- Replace X.X.X.X with the FortiGate IP address.
exit

diagnose tail -F output.master | grep -i "00:0C:29:XX:XX:XX" <- Replace 00:0C:29:XX:XX:XX with the actual MAC address of the connected endpoint.

The FortiNAC CLI output shows the FortiSwitch port on which the host is learned. This is the result returned by the FortiGate API in JSON format.

Log snippet from output.master:

yams INFO :: 2024-08-30 15:08:58:039 :: 74 :: PollThread-trap2 com.bsc.forwarding.Fortigate endpoint json = {"port_name":"port50","vlan_id":1,"last_seen":4,"port_id":24,"switch_id":"S124XXXXX_FSWA","vdom":"root","mac":"00:0C:29:XX:XX:XX"} <- Wrong port and switch: port50 on FortiSwitch A (the uplink).

yams INFO :: 2024-08-30 15:08:58:396 :: 74 :: PollThread-trap2 com.bsc.forwarding.Fortigate endpoint json = {"port_name":"port1","vlan_id":1,"last_seen":64,"port_id":15,"switch_id":"S124XXXXX_FSWB","vdom":"root","mac":"00:0C:29:XX:XX:XX"} <- Correct port and switch: port1 on FortiSwitch B.

Note that the same MAC is learned from different switches and ports. Port50 is the uplink port on FortiSwitch A, but since no ISL trunk is configured, FortiGate treats it as an access port and reports that location to FortiNAC.
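
As an added example (not FortiNAC code), the following Python script parses the "endpoint json" records from output.master debug lines like those above, groups them per MAC and reports any MAC that FortiGate returned on more than one switch/port, marking the entries that sit on a known uplink. The UPLINK_PORTS inventory and the sample log lines are assumptions constructed for this example.

```python
import json
import re
from collections import defaultdict

# Constructed sample of output.master debug lines, modelled on the snippet
# above; the third line is a well-behaved host added for contrast.
SAMPLE_LOG = """\
yams INFO :: 2024-08-30 15:08:58:039 :: 74 :: PollThread-trap2 com.bsc.forwarding.Fortigate endpoint json = {"port_name":"port50","vlan_id":1,"last_seen":4,"port_id":24,"switch_id":"S124XXXXX_FSWA","vdom":"root","mac":"00:0C:29:XX:XX:XX"}
yams INFO :: 2024-08-30 15:08:58:396 :: 74 :: PollThread-trap2 com.bsc.forwarding.Fortigate endpoint json = {"port_name":"port1","vlan_id":1,"last_seen":64,"port_id":15,"switch_id":"S124XXXXX_FSWB","vdom":"root","mac":"00:0C:29:XX:XX:XX"}
yams INFO :: 2024-08-30 15:08:59:101 :: 74 :: PollThread-trap2 com.bsc.forwarding.Fortigate endpoint json = {"port_name":"port2","vlan_id":1,"last_seen":10,"port_id":16,"switch_id":"S124XXXXX_FSWB","vdom":"root","mac":"00:0C:29:AA:BB:CC"}
"""

# Assumed uplink inventory (switch_id -> ports facing other FortiSwitches);
# in practice, fill it from 'get switch lldp neighbors-summary' on each switch.
UPLINK_PORTS = {"S124XXXXX_FSWA": {"port50"}, "S124XXXXX_FSWB": {"port50"}}

ENDPOINT_RE = re.compile(r"endpoint json = (\{.*\})\s*$")


def parse_endpoint_records(log_text):
    """Return the JSON dicts embedded in 'endpoint json = {...}' lines."""
    records = []
    for line in log_text.splitlines():
        match = ENDPOINT_RE.search(line)
        if match:
            records.append(json.loads(match.group(1)))
    return records


def find_flapping_macs(log_text, uplink_ports=UPLINK_PORTS):
    """Map each MAC seen on two or more (switch_id, port_name) pairs to its
    locations and to the subset of those that are known uplinks, which are
    the bogus entries when the uplink is not configured as an ISL trunk."""
    locations = defaultdict(set)
    for rec in parse_endpoint_records(log_text):
        locations[rec["mac"].upper()].add((rec["switch_id"], rec["port_name"]))
    flapping = {}
    for mac, locs in locations.items():
        if len(locs) < 2:
            continue  # a single, stable location is the healthy case
        via_uplink = [loc for loc in sorted(locs)
                      if loc[1] in uplink_ports.get(loc[0], set())]
        flapping[mac] = {"locations": sorted(locs), "via_uplink": via_uplink}
    return flapping


if __name__ == "__main__":
    for mac, info in find_flapping_macs(SAMPLE_LOG).items():
        print(f"{mac}: reported on {info['locations']}; "
              f"uplink entries to fix with an ISL trunk: {info['via_uplink']}")
```

Run it against a saved copy of output.master to get the list of MACs whose location flaps and the uplink ports that need the ISL trunk check below.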

The issue can also be observed in the FortiGate GUI under WiFi & Switch Controller -> FortiSwitch Clients.

Figure 2. FortiSwitch Clients view in FortiGate showing uplink ports and an incorrect switch as the direct connection location of the host.

The ISL trunk between FortiSwitches can be configured automatically or manually.

When the trunk is configured manually, static ISL must be enabled on the trunk ports in the FortiSwitch CLI.

Example configuration in FortiSwitch B CLI:

config switch trunk
    edit Uplink_towards_FSWA
        set static-isl enable <- Manual configuration of the ISL trunk.
        set static-isl-auto-vlan disable <- Disable so that FortiGate does not change the native VLAN on the uplink interfaces.
        set members port50
    next
end

In the FortiSwitch CLI, the following commands help to investigate the MAC location and the uplink/trunk connections.

1. Check that the host MAC address is learned on the correct FortiSwitch port, in the FortiSwitch B CLI:

diagnose switch mac-address list | grep -i 00:0C:29:XX:XX:XX
MAC: 00:0C:29:XX:XX:XX VLAN: 1 Port: port1(port-id 1)

2. Check the state of uplink port50:

diagnose switch physical-ports summary

  Portname    Status  Tpid  Vlan  Duplex  Speed  Flags         Discard
  __________  ______  ____  ____  ______  _____  ____________  _________

  port1       up      8100  1     half    -      QS,  ,        none
  port2       up      8100  1     full    1G     QS,  ,        none
  .
  .
  port50      up      8100  1     full    1G     QS,  ,        none     <- Port50 status is up.
  port51      down    8100  1     full    10G    QS,TL,        none
  port52      down    8100  1     full    10G    QS,TL,        none
  internal    up      8100  1     full    1G     QS,  ,        none

  Flags: QS(802.1Q) QE(802.1Q-in-Q,external) QI(802.1Q-in-Q,internal)
  TS(static trunk) TF(forti trunk) TL(lacp trunk); MD(mirror dst)
  MI(mirror ingress) ME(mirror egress) MB(mirror ingress and egress)
  CF (Combo Fiber), CC (Combo Copper) LL(LoopBack Local) LR(LoopBack Remote)

3. Check the LLDP neighbor of port50, which should be FortiSwitch A:

get switch lldp neighbors-summary

Capability codes:
R:Router, B:Bridge, T:Telephone, C:DOCSIS Cable Device
W:WLAN Access Point, P:Repeater, S:Station, O:Other
MED type codes:
Generic:Generic Endpoint (Class 1), Media:Media Endpoint (Class 2)
Comms:Communications Endpoint (Class 3), Network:Network Connectivity Device

  Portname    Status   Device-name                 TTL   Capability  MED-type  Port-ID
  __________  _______  __________________________  ____  __________  ________  _______
  port1       Up       -                           -     -           -         -
  port2       Up       -                           -     -           -         -
  .
  .
  port48      Down     -                           -     -           -         -
  port49      Down     -                           -     -           -         -
  port50      Up       FortiSwitch A               120   BR          -         port50 <- port50 towards FortiSwitch A.
  port51      Down     -                           -     -           -         -
  port52      Down     -                           -     -           -         -

4. Check the ISL trunk state:

diagnose switch trunk summary

Trunk Name           Mode               PSC          MAC                Status       Up Time
____________________ __________________ ____________ __________________ ____________ ________

Uplink_towards_FSWA  lacp-active(isl)   N/A          XX:XX:XX:XX:XX:XX  up(1/1)      N/A

 

Related documentation: