 Description: 
CAPWAP discovery requests reach the FortiGate FortiLink interface; however, the FortiGate does not respond to the CAPWAP discovery messages from the managed FortiSwitches because a local-in policy configured on the FortiGate drops them.
  
- Verify that the FortiSwitch is sending the CAPWAP discovery requests to the FortiGate.
 
- Take a simultaneous packet capture on the FortiGate to identify whether the FortiGate is responding to the CAPWAP discovery or ICMP request packets:
 
 
FortiGate sniffer from CLI: Performing a sniffer trace (CLI and packet capture). 
  
Or, FortiGate sniffer from GUI: Troubleshooting Tip: Packet Capture on FortiOS GUI.  
  
- If the FortiGate is not responding to the CAPWAP discovery request, ensure that the following processes are running on the FortiGate using the command 'diag sys top':
 
 
  
fortilinkd
cu_acd
cw_acd
cw_acd_helper
acd
  
  
The debug flow trace below shows the CAPWAP discovery packet (UDP port 5246, received on the fortilink interface) being dropped by local-in policy 1:

FortiGate-60E # 2025-03-26 01:52:15 id=65308 trace_id=12 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=17, 10.255.1.2:5246->224.0.1.140:5246) tun_id=0.0.0.0 from fortilink. "
<snip>
2025-03-26 01:52:15 id=65308 trace_id=12 func=iprope_policy_group_check line=4894 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_check line=2395 msg="gnum-100001, check-5f029ff4"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_check_one_policy line=2133 msg="checked gnum-100001 policy-1, ret-matched, act-accept"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_user_identity_check line=1894 msg="ret-matched"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_check_one_policy line=2366 msg="policy-1 is matched, act-drop"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_check line=2414 msg="gnum-100001 check result: ret-matched, act-drop, flag-08010000, flag2-00000000"
2025-03-26 01:52:15 id=65308 trace_id=12 func=iprope_policy_group_check line=4894 msg="after check: ret-matched, act-drop, flag-08010000, flag2-00000000"
2025-03-26 01:52:15 id=65308 trace_id=12 func=fw_local_in_handler line=611 msg="iprope_in_check() check failed on policy 1, drop"
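Reading a long 'diagnose debug flow' trace by eye is error-prone, especially when several trace_ids are interleaved. The script below is an added example (not part of this article and not Fortinet code) that groups the trace lines by trace_id, extracts the packet summary from print_pkt_detail and the verdict from fw_local_in_handler, and reports every CAPWAP packet (UDP 5246/5247) that a local-in policy dropped. The sample input is the trace shown above with the CLI prompt removed; the regular expressions and the Flow structure are this example's own assumptions about the message format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lines copied from the 'diagnose debug flow' trace shown above, with the CLI
# prompt removed. In practice, paste the full trace output here or read a file.
SAMPLE_TRACE = """\
2025-03-26 01:52:15 id=65308 trace_id=12 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=17, 10.255.1.2:5246->224.0.1.140:5246) tun_id=0.0.0.0 from fortilink. "
2025-03-26 01:52:15 id=65308 trace_id=12 func=iprope_policy_group_check line=4894 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_check_one_policy line=2133 msg="checked gnum-100001 policy-1, ret-matched, act-accept"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_check_one_policy line=2366 msg="policy-1 is matched, act-drop"
2025-03-26 01:52:15 id=65308 trace_id=12 func=fw_local_in_handler line=611 msg="iprope_in_check() check failed on policy 1, drop"
"""

CAPWAP_UDP_PORTS = {5246, 5247}  # CAPWAP control and data ports

# Assumed message layout: the trace envelope, the packet summary printed by
# print_pkt_detail, and the local-in verdict printed by fw_local_in_handler.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)"
    r".*?\bfrom (?P<intf>[^\s.]+)\."
)
LOCAL_IN_DROP_RE = re.compile(r"check failed on policy (?P<pid>\d+), drop")


@dataclass
class Flow:
    trace_id: int
    proto: Optional[int] = None
    src: str = ""
    dst: str = ""
    dport: Optional[int] = None
    intf: str = ""
    local_in_drop_policy: Optional[int] = None  # set when fw_local_in_handler dropped the packet

    @property
    def is_capwap(self) -> bool:
        return self.proto == 17 and self.dport in CAPWAP_UDP_PORTS


def parse_trace(text: str) -> Dict[int, Flow]:
    """Group debug-flow lines by trace_id and pull out packet and verdict details."""
    flows: Dict[int, Flow] = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a debug-flow line (prompt, blank line, <snip>)
        tid = int(m.group("tid"))
        flow = flows.setdefault(tid, Flow(trace_id=tid))
        func, msg = m.group("func"), m.group("msg")
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                flow.proto = int(p.group("proto"))
                flow.src, flow.dst = p.group("src"), p.group("dst")
                flow.dport = int(p.group("dport"))
                flow.intf = p.group("intf")
        elif func == "fw_local_in_handler":
            d = LOCAL_IN_DROP_RE.search(msg)
            if d:
                flow.local_in_drop_policy = int(d.group("pid"))
    return flows


def capwap_local_in_drops(text: str) -> List[Tuple[int, str, int]]:
    """(trace_id, ingress interface, policy id) for each CAPWAP packet a local-in policy dropped."""
    return [
        (f.trace_id, f.intf, f.local_in_drop_policy)
        for f in parse_trace(text).values()
        if f.is_capwap and f.local_in_drop_policy is not None
    ]


if __name__ == "__main__":
    for tid, intf, pid in capwap_local_in_drops(SAMPLE_TRACE):
        print(f"trace {tid}: CAPWAP packet from '{intf}' dropped by local-in policy {pid}")
```

A trace in which the packet is accepted produces no entry, so an empty result together with a confirmed discovery request in the capture points away from local-in policy and towards the process checks above.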
 
  
A sample configuration of the firewall local-in policy that could block the CAPWAP traffic is as follows:
  
config firewall local-in-policy
    edit 1
        set uuid b0036cc6-0a1d-51f0-d0b3-42036f43bacf
        set intf "any"
        set srcaddr "fortilink/any"
        set srcaddr-negate disable
        set dstaddr "all"
        set internet-service-src disable
        set dstaddr-negate disable
        set action deny
        set service "ALL"
        set service-negate disable
        set schedule "always"
        set status enable
        set comments ''
    next
end
  
Resolution: 
- Disable the local-in-policy if not required:
 
 
  
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "fortilink"
        set srcaddr-negate disable
        set dstaddr "all"
        set internet-service-src disable
        set dstaddr-negate disable
        set action deny
        set service "ALL"
        set service-negate disable
        set schedule "always"
        set status disable
    next
end
  
- Alternatively, since a local-in policy controls inbound traffic destined for the FortiGate itself, narrow the policy's interface (intf) or source address so that traffic arriving on the FortiLink interface is excluded from it.
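To confirm that a local-in policy change has actually taken the FortiLink interface out of scope, the configuration can be audited offline before it is pushed. The script below is an added example (not part of this article and not Fortinet code) that parses 'config firewall local-in-policy' text and lists the enabled deny policies that can still match traffic arriving on the FortiLink interface. The three config fragments are constructed: the blocking policy from this article, the same policy after 'set status disable', and an assumed variant bound to a WAN interface named wan1. It assumes that a missing status means enable and a missing action means deny, and it treats only service "ALL" as covering CAPWAP.

```python
import shlex
from typing import Dict, List

# Constructed config fragments in FortiOS CLI syntax, modelled on the policies
# shown in this article. BLOCKING is the policy that drops CAPWAP, DISABLED is
# the same policy after 'set status disable', and SCOPED_TO_WAN is an assumed
# policy bound to wan1 so that it never sees traffic on the FortiLink interface.
BLOCKING = """\
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "fortilink/any"
        set srcaddr-negate disable
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
        set comments ''
    next
end
"""
DISABLED = BLOCKING.replace("set status enable", "set status disable")
SCOPED_TO_WAN = BLOCKING.replace('set intf "any"', 'set intf "wan1"').replace(
    'set srcaddr "fortilink/any"', 'set srcaddr "all"'
)


def parse_local_in_policies(text: str) -> Dict[int, Dict[str, List[str]]]:
    """Parse a 'config firewall local-in-policy' block into {policy id: {setting: values}}."""
    policies: Dict[int, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        parts = shlex.split(raw)  # honours the quoted names FortiOS prints
        if not parts:
            continue
        if parts[0] == "edit" and len(parts) == 2:
            current = int(parts[1])
            policies[current] = {}
        elif parts[0] == "set" and current is not None and len(parts) >= 2:
            policies[current][parts[1]] = parts[2:]
        elif parts[0] == "next":
            current = None
    return policies


def policies_blocking_fortilink(text: str, fortilink_intf: str = "fortilink") -> List[int]:
    """Ids of enabled deny policies that can match traffic arriving on the FortiLink interface.

    Assumptions (this example's, not the article's): a missing 'status' means enable,
    a missing 'action' means deny, and only service "ALL" is treated as covering CAPWAP.
    """
    hits: List[int] = []
    for pid, policy in parse_local_in_policies(text).items():
        if policy.get("status", ["enable"]) != ["enable"]:
            continue
        if policy.get("action", ["deny"]) != ["deny"]:
            continue
        if not {"any", fortilink_intf} & set(policy.get("intf", ["any"])):
            continue  # bound to another interface, cannot see FortiLink traffic
        src = policy.get("srcaddr", [])
        src_covers_fortilink = "all" in src or any(
            a == fortilink_intf or a.startswith(fortilink_intf + "/") for a in src
        )
        if policy.get("srcaddr-negate", ["disable"]) == ["enable"]:
            src_covers_fortilink = not src_covers_fortilink
        if not src_covers_fortilink:
            continue
        if "ALL" not in policy.get("service", []):
            continue
        hits.append(pid)
    return hits


if __name__ == "__main__":
    for name, cfg in (("blocking", BLOCKING), ("disabled", DISABLED), ("scoped to wan1", SCOPED_TO_WAN)):
        print(f"{name}: policies that can drop CAPWAP on fortilink -> {policies_blocking_fortilink(cfg)}")
```

Run it against the output of 'show firewall local-in-policy' copied from the FortiGate; an empty list for the FortiLink interface means no enabled deny policy with service ALL can reach the CAPWAP discovery traffic, which is the state the resolution above aims for.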
 
 
  
For more details on local-in policy, see Local-in policy and Troubleshooting Tip: Debug flow messages 'iprope_in_check() check failed, drop' - 'Denied by forward...
  
- Basic checks for FortiSwitch showing offline in the FortiGate can be verified using the following community links:
 
 
Troubleshooting Tip: FortiSwitch Connection to FortiGate
Technical Tip: How to perform basic checks to bring FortiSwitch online on FortiGate
Troubleshooting Tip: Fix FortiSwitch showing with the 'Offline' status
Technical Tip: Non-FIPS FortiSwitches are offline when managed by FortiGate configured in FIPS-CC mo...