yabhishek
Staff
Article Id 366495
Description This article describes how to proceed when clients are not able to ping the gateway while Block Intra-VLAN traffic is enabled on the VLAN.
Scope FortiSwitch managed by FortiLink.
Solution

In some scenarios, when Block Intra-VLAN traffic is enabled on the VLAN, clients fail to reach the gateway, but the issue is resolved once Block Intra-VLAN is disabled.

If the topology consists of an MCLAG-ICL pair acting as core switches and directly connected to the FortiGate, then for Block Intra-VLAN to work, the MCLAG-ICL switches should be the root for the entire setup.

For example, refer to the diagram below:

Intra-vlan-block.png

On Core-1:

MST Instance Information, primary-Channel:

Instance ID 0 (CST)
Config Priority 20480
Bridge MAC e023ffd55540, MD5 Digest 9999b43d77cc58bba8854f9991c4a487

Root MAC e023ffd55540, Priority 20480, Path Cost 0, Remaining Hops 20
(This bridge is the root)

Regional Root MAC e023ffd55540, Priority 20480, Path Cost 0
(This bridge is the regional root)

Instance ID 15
Config Priority 20480 , VLANs 4094
Bridge MAC e023ffd55540
Regional Root MAC e023ffd55540, Priority 20480, Path Cost 0
(This bridge is the regional root)

TCN Events Triggered 10 (32d 13h 59m 18s ago), Received 77 (8d 15h 32m 16s ago)

On Core-2:

MST Instance Information, primary-Channel:

Instance ID 0 (CST)
Config Priority 20480
Bridge MAC e023ffd55540, MD5 Digest 9999b43d77cc58bba8854f9991c4a487

Root MAC e023ffd55540, Priority 20480, Path Cost 0, Remaining Hops 20
(This bridge is the root)

Regional Root MAC e023ffd55540, Priority 20480, Path Cost 0
(This bridge is the regional root)

Instance ID 15
Config Priority 20480 , VLANs 4094
Bridge MAC e023ffd55540
Regional Root MAC e023ffd55540, Priority 20480, Path Cost 0
(This bridge is the regional root)

TCN Events Triggered 17 (8d 15h 40m 21s ago), Received 50 (8d 15h 39m 41s ago)


For both instances 0 and 15, the core switches should recognize themselves as root. If there is any inconsistency in the above status, clients might face issues when Block Intra-VLAN traffic is enabled on the VLAN.

Refer to the following KB article to make the MCLAG-ICL FortiSwitches the root bridge: Troubleshooting Tip: MCLAG-ICL interface in STP discarding state
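The root check described above for instances 0 and 15 can be automated against saved MST instance output from each core switch. The following is an added example, not Fortinet code; the function names, the sample text and the placeholder MAC 020000000001 are constructed for illustration.

```python
import re

# Constructed sample in the format of the MST output shown in this article.
SAMPLE_OK = """\
Instance ID 0 (CST)
Config Priority 20480
Bridge MAC e023ffd55540, MD5 Digest 9999b43d77cc58bba8854f9991c4a487
Root MAC e023ffd55540, Priority 20480, Path Cost 0, Remaining Hops 20
(This bridge is the root)
Regional Root MAC e023ffd55540, Priority 20480, Path Cost 0
(This bridge is the regional root)
Instance ID 15
Config Priority 20480 , VLANs 4094
Bridge MAC e023ffd55540
Regional Root MAC e023ffd55540, Priority 20480, Path Cost 0
(This bridge is the regional root)
"""
# Constructed failure case: a placeholder MAC (not from the article) is the CST root.
SAMPLE_BAD = SAMPLE_OK.replace(
    "Root MAC e023ffd55540, Priority 20480, Path Cost 0, Remaining Hops 20\n(This bridge is the root)",
    "Root MAC 020000000001, Priority 4096, Path Cost 20000, Remaining Hops 19")
FIELD = re.compile(r"(Bridge|Root|Regional Root) MAC ([0-9a-f]{12})", re.I)

def parse_instances(text):
    """Return {instance_id: {"bridge": mac, "root": mac, "regional root": mac}}."""
    instances, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Instance ID (\d+)", line)
        if m:
            cur = instances.setdefault(int(m.group(1)), {})
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            cur[m.group(1).lower()] = m.group(2).lower()
    return instances

def root_problems(text, required=(0, 15)):
    """List the reasons this switch is not root for the required MST instances."""
    found, problems = parse_instances(text), []
    for iid in required:
        info = found.get(iid)
        if info is None:
            problems.append(f"instance {iid}: not present in output")
            continue
        # Instance 0 (CST) reports a root and a regional root; other instances only the latter.
        for role in (("root", "regional root") if iid == 0 else ("regional root",)):
            if info.get(role) is None or info.get(role) != info.get("bridge"):
                problems.append(f"instance {iid}: {role} is {info.get(role)}, bridge is {info.get('bridge')}")
    return problems
```

An empty list from root_problems() for both Core-1 and Core-2 corresponds to the healthy state shown in the article; any entry names the instance where the core switch does not see itself as root.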