FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
Adolfo_Z_H
Staff
Article Id 228038

Description

 

This article explains how to solve the most common issues that occur when trying to add a brand new FortiSwitch unit or when FortiSwitch devices unexpectedly go offline.

 

Scope

 

FortiOS 6.4.X and up. Legacy versions may produce slightly different outputs.

 

Solution

 

Before attempting to adopt a new unit, reset it to factory defaults by pressing the reset button on the front of the unit. Afterwards, update it to the recommended version. This will avoid a number of issues. See the documentation for more information:

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d756e8a9-6d2d-11e9-81a4-005056...

 

For example: if using FOS 7.0.6, run release 7.2.1 on the FortiSwitch. If the versions currently in use are not listed yet, simply use the latest GA versions available for the products.  

 

Non-discovery-enabled ports

 

One common mistake is using non-discovery-enabled ports. Follow configuration best practices to solve related issues. Read the LAN edge deployment guide for more information:

 

https://docs.fortinet.com/document/fortiswitch/7.0.0/lan-edge-deployment-guide/397092/introduction

 

Although any port can be configured to use FortiLink and automatically create topologies, the last ports of each FSW device are those that have this configuration by default. Use these ports to create the topology. See the documentation for more information:

 

https://docs.fortinet.com/document/fortiswitch/6.4.3/devices-managed-by-fortios/173260/configuring-f...

 

During the first FortiSwitch port discovery attempt, the FortiSwitch device reboots by itself. Try to discover one device at a time.

 

NTP synchronization

 

If NTP is not properly configured between the FortiGate, FortiSwitch and an external NTP server, FortiSwitch devices cannot appear as online on the FortiGate GUI (and an 'unable to build management CAPWAP tunnel' error will appear).

 

Use the following command in the FortiGate CLI and analyze the output (all commands should be issued using a superadmin user):

 

# execute switch-controller diagnose-connection

 

Review any configurations listed with FAIL results and resolve them. The following is an example analysis:

 

NTP server ... FAIL <-----

fortilink not enabled <------ NTP is not enabled on the FortiLink interface (check the interface name, as it may be different)

NTP server sync ... FAIL

synchronized: no, ntpsync: enabled, server-mode: disabled

 

ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0 <---NTP is not syncing between FortiGate and an external server

 

Enable the NTP server mode on the FortiLink interface. There must be an entry for the FortiLink interface in the configuration in order to use it as a server.

 

This is a configuration example on the FortiGate CLI:

 

config system ntp

    set ntpsync enable

    set server-mode enable            <- enable server mode if necessary

    set interface "uplink" "lan"     <- "fortilink" is not listed on this configuration - add the FortiLink interface

end 
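The FAIL review described above can be scripted when the output has to be checked on several units. This is an added example, not Fortinet code: it assumes each check is printed as `<name> ... <RESULT>` followed by its detail lines, as in the excerpt above, and the function names and the passing sample line are hypothetical.

```python
import re

# Constructed input: the excerpt lines from this article with the "<---"
# annotations removed, plus one constructed passing line for contrast.
SAMPLE = """\
Example check ... PASS
NTP server ... FAIL
fortilink not enabled
NTP server sync ... FAIL
synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0
"""

# Assumed layout: "<check name> ... <RESULT>", then that check's detail lines.
CHECK_RE = re.compile(r"^(.+?)\s*\.{3}\s*([A-Z]+)$")
FLAG_RE = re.compile(r"([\w-]+):\s*(\w+)")
SERVER_RE = re.compile(r"server\(([^)]+)\).*unreachable")

def parse_checks(text):
    """Group each detail line under the check line that precedes it."""
    checks = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = CHECK_RE.match(line)
        if m:
            checks.append({"name": m.group(1), "result": m.group(2), "details": []})
        elif line and checks:
            checks[-1]["details"].append(line)
    return checks

def triage(text):
    """Return one finding per FAIL check, with hints taken from the article."""
    findings = []
    for check in (c for c in parse_checks(text) if c["result"] == "FAIL"):
        flags, hints = {}, []
        for detail in check["details"]:
            srv = SERVER_RE.search(detail)
            if srv:
                hints.append(f"FortiGate cannot reach NTP server {srv.group(1)}")
            elif detail.endswith("not enabled"):
                hints.append(f"add interface '{detail.split()[0]}' under 'config system ntp'")
            else:
                flags.update(FLAG_RE.findall(detail))
        if flags.get("server-mode") == "disabled":
            hints.append("set server-mode enable")
        findings.append({"check": check["name"], "flags": flags, "hints": hints})
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```
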

 

Follow this community article to learn more about how to configure FortiGate as an NTP server:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-a-FortiGate-unit-as-a-NTP-serv...

 

NTP syncing issues may provide an error like the following:

 

ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0

 

To solve NTP syncing issues, ensure that the FortiGate is able to connect to the configured NTP server. See the following community articles for information on similar problems:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshoot-NTP-synchronization-issue/ta-...

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-with-manual-time-setting-i...

 

All configuration components marked with FAIL must be corrected before FortiSwitches can build a CAPWAP management tunnel and appear as online on the FortiGate Managed FortiSwitches GUI menu. Sometimes this can take several minutes, but a restart of the affected FortiSwitch units will allow them to reconnect immediately.

 

If issues still persist after solving all failed configurations found by using execute switch-controller diagnose-connection, open a new support ticket to start an in-depth investigation into the issue.