FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
mnallamothu
Staff
Article Id 321633
Description: This article describes a sync error that appears on the FortiGate after mapping a certificate on the FortiSwitch.
Scope: Sync error between FortiGate and FortiSwitch on v7.4.X.
Solution

Issue State:

 

4season-FW # execute switch-controller get-sync-status all

Managed-devices in current vdom root:

 

FortiLink interface : fortilink

SWITCH-ID (SERIAL) STATUS CONFIG MAC-SYNC HTTP-UPGRADE

4Seasons-Switch (S148FFTFxxxxxxxx) Up Error Error -

 

[1]

 command: https://192.168.0.2:443/api/v2/login

 payload:

 result : REST API login failed with error 60
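
To spot this failure state across many FortiGates, the following added example (not part of the original article and not Fortinet code) parses the `get-sync-status` output shown above and reports switches that are up but out of sync while a REST login fails with error 60. The function names are hypothetical, and reading error 60 as a certificate verification failure is an assumption consistent with the fix described below.

```python
import re

# Sync-status output as shown in this article (serial masked as on the page).
SAMPLE = """\
4season-FW # execute switch-controller get-sync-status all
Managed-devices in current vdom root:

FortiLink interface : fortilink
SWITCH-ID (SERIAL) STATUS CONFIG MAC-SYNC HTTP-UPGRADE
4Seasons-Switch (S148FFTFxxxxxxxx) Up Error Error -

[1]
 command: https://192.168.0.2:443/api/v2/login
 payload:
 result : REST API login failed with error 60
"""

ROW = re.compile(r"^(\S+) \((\S+)\)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
FIELD = re.compile(r"^\s*(command|payload|result)\s*:\s*(.*)$")
# Assumption: 60 is the libcurl code for a peer certificate that failed verification.
CERT_ERROR = re.compile(r"REST API login failed with error 60\b")


def parse_sync_status(text):
    """Return (switch rows, REST call records) parsed from get-sync-status output."""
    switches, calls = [], []
    for line in text.splitlines():
        line = line.replace("\u00a0", " ")  # copy/paste from web pages adds NBSPs
        if re.fullmatch(r"\s*\[\d+\]\s*", line):  # "[1]" opens a REST call record
            calls.append({})
            continue
        row, field = ROW.match(line.strip()), FIELD.match(line)
        if row and row.group(1) != "SWITCH-ID":  # skip the table header
            keys = ("id", "serial", "status", "config", "mac_sync", "http_upgrade")
            switches.append(dict(zip(keys, row.groups())))
        elif field and calls:
            calls[-1][field.group(1)] = field.group(2).strip()
    return switches, calls


def cert_trust_failures(text):
    """Switches that are Up but out of sync while a REST login fails with error 60."""
    switches, calls = parse_sync_status(text)
    bad_urls = [c.get("command", "") for c in calls
                if CERT_ERROR.search(c.get("result", ""))]
    if not bad_urls:
        return []
    return [(s["id"], s["serial"], bad_urls) for s in switches
            if s["status"] == "Up" and "Error" in (s["config"], s["mac_sync"])]
```
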

 

Solution:

Add the CA certificate to the FortiGate, not to the local server, and configure the FortiSwitch as shown below:

 

FortiGate CLI:

 

config switch-controller system

    set tunnel-mode moderate

end

 

Note:

By design, the tunnel mode is changed from strict to moderate.

 

FortiGate-60F # execute vpn certificate ca import tftp /temp/path/filename IP

Done.

 

FortiGate-60F # show vpn certificate ca CA_Cert_1

config vpn certificate ca

    edit "CA_Cert_1"

        set range global

    next

end

 

FortiGate-60F # show switch-controller system

config switch-controller system

    set tunnel-mode moderate

end

 

FortiGate-60F # execute switch-controller get-conn-status

Managed-devices in current vdom root:

 

FortiLink interface : fortilink

SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME SERIAL

S426EFTF19000012 v7.4.2 (801) Authorized/Up 2 10.255.1.2 Thu Apr 25 15:49:39 2024 S426EFTF19000012

 

         Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External

         Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 24)

 

FortiGate-60F # get sys status

Version: FortiGate-60F v7.4.2,build2571,231219 (GA.F)

 

FortiSwitch CLI:

 


S426EFTFxxxxxxx # execute certificate local import tftp <filename> <ip>

 

Done.

 

S426EFTF19-----2# show system certificate local

config system certificate local

    edit "filename"

        set password ENC wuPp7AGYkncE2QblJ6pjdyed1MfVG+dVhJ6sy9aDP+B50ykGwPsa5R7DcKrd6b2SfhidSZg1vN9NLlssOHthDyCWAfzpx6MNRo9j8ojJY0FsU1kTk/r/71KGva5RldCZODJBII5FtN5pvJhj8znzythf8XX8O/UwWzbGEDJ+H4uOUnfE

    next

end

 

S426EFTF19-----2# show system certificate remote

 

S426EFTF19-----2# show system certificate ca

config system certificate ca

end

 

S426EFTF19-----2# show system web

config system web

    set https-server-cert "filename"

    set https-ssl-versions tlsv1-3

end

 

S426EFTF19-----2 # get sys status

Version: FortiSwitch-M426E-FPOE v7.4.2,build0801,231207 (GA)