Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Staff

Created on ‎01-08-2023 10:27 PM Edited on ‎05-28-2025 02:53 AM By Community Manager

Article Id 242279

Troubleshooting Tip: Delayed or no MAC notification syslog received from FortiSwitch in FortiLink mode

Description

This article describes troubleshooting steps to use when FortiNAC is either receiving delayed Syslog messaging (or none at all) when hosts are connecting to a FortiSwitch in Link mode.


For integration details, see the FortiSwitch Integration reference manual in the Document Library.
Scope FortiNAC.
Solution
  1. Confirm UDP 514 is not being blocked in the network.

  2. Review FortiGate and FortiSwitch configurations to verify Syslog messages are configured properly.

  3. Confirm the FortiGate's data-sync-interval value. 'MAC add' and 'MAC delete' events occur in the FortiGate when the MAC address of the host is first seen and when it is no longer seen on the managing FortiSwitch.

 

FortiGate updates the MAC cache table with this information.

The mac-cache table on the firewall refresh its entries every x seconds, where x= data-sync-interval value.

 

Enter the following commands in the FortiGate CLI to view this interval value (default value is 60):


config switch-controller system
show

 

Example:


data-sync-interval : 60

 

  1. In FortiNAC CLI, start tcpdump to verify receipt of the syslog messaging. Type:

 

tcpdump -nni eth0 host <IP of FGT listed in Topology> and port 514 -vvv | grep Switch-Controller -B3 | tee /bsc/logs/tcpdumpFGTSyslog.txt

 

  1. In the FortiGate GUI, confirm whether or not events are generating. Navigate to Log & Report -> Events.

    Note: In FortiOS, check for system events or switch events.

  2. Connect the host to the FortiSwitch.

  3. Wait the number of seconds as defined by the data-sync-interval.

  4. In FortiGate CLI, view the cache to verify if the MAC entry was added appropriately. Type:

 

diag switch-controller mac-cache show

 

  1. Confirm whether or not the FortiGate logs show 'MAC add' events for the host.

  2. In the appliance CLI, verify if tcpdump shows the syslog message received.

  3. Disconnect the host from the FortiSwitch.

  4. Wait the number of seconds as defined by the data-sync-interval.

  5. View the cache to verify if the MAC entry was removed appropriately:


diag switch-controller mac-cache show

 

  1. Confirm whether or not the FortiGate logs show 'MAC delete' events for the host.

 

  1. In the appliance CLI, verify if tcpdump shows the syslog message received.

 

  1. Ctrl-C to stop tcpdump.


Open a FortiGate support ticket and attach the following:

 

  • Description of the issue.
  • Troubleshooting steps taken.
  • FortiOS version.
  • FortiGate configuration.

 

If syslog is being sent by the FortiGate, confirm FortiNAC receives the messages.

 

Related articles:
1884
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.