FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
laltuzar
Staff
Article Id 274776
Description

 

This article describes the steps to take to fix the problem with FortiSwitches in v7.4.0 that cannot be managed by FortiLAN Cloud.

 

Scope

 

FortiSwitch OS v7.4.0.

 

Solution

 

First, note that the FortiSwitches need a Management License. On Freemium, only 3 switches can be managed for free; a valid license is required to manage more than 3. See this document to confirm: Licensing.

 

  1. Make sure to connect the FortiSwitch to a free open network. If it is connected behind a firewall, make sure the traffic policies are not restricting any access.
  2. Configure FortiLAN Cloud by following these instructions: Dashboard and Deploying FortiSwitch device to a network.
  3. Once the FortiSwitch is on FortiLAN Cloud, check its status. If it shows as Offline on the FortiLAN Cloud platform, run the following commands on the FortiSwitch CLI to check the current status:

Check that FortiLAN Cloud has been enabled on FortiSwitch:


FSW # get system flan-cloud

interval : 3
name : fortiswitch-dispatch.forticloud.com
port : 443
status : enable


Check the current status of the connection to the FortiLAN Cloud manager:

FSW # get system flan-cloud-mgr connection-info

Service Name: : FortiLAN Cloud
User Account-ID : 0
Dispatch Service : IP= xx.xx.xx.xx
SSL verify Code : unspecified certificate verification error
Access Service : IP= xx.xx.xx.xx, Port= 443, Connected on: 2023-09-13 21:11:20
Bootstrap Service : hostname= portal, Port= 8000

Remote Assistance : Disabled.
State-Machine : State= FLAN_MGR_STATE_READY, Event= EV_READY_SSL_SESSION_DOWN

SSL Local End-Point : Interface: vlan230, IP: 10.28.230.40
SSL Tunnel Uptime : Days: 0 Hours: 0 Mins: 0 [Connected @2023-09-13 21:11:20]
SSL Tunnel stats : restart-count= 53112, Restart Reason= Error reading tunnel EP

Stats:
========
Switch Keep Alive Tx/Reply := 0 / 0
Manager Keep Alive Rx/Error := 0 / 0

Socks Req Rx/Last Stream-ID := 0 / 0
Reset Req Rx/last Stream-ID := 0 / 0
Goaway Req Rx := 0
Unknown Req Rx := 0

Syslog FD/Tx/Err := 10 / 0 / 0

Used SOCKS stream-id:
=======================
SID SockFd Proxy-Ports State Description
___________________________________________________________________
1 0 UNKNOWN:0<-->0 AUTH BOOTSTRAP
3 10 UDP:9514<-->0 AUTH SYSLOG DATA


Notice that the SSL verify Code field shows an error: unspecified certificate verification error.

 

  4. Capture debug output on the FortiSwitch to confirm an error with the SSL certificate:


FSW # diagnose debug disable
FSW # diagnose debug reset
FSW # diagnose debug application flan-mgr -1
FSW # diagnose debug console timestamp enable
FSW # diagnose debug enable


The debug output should display the following error:

2023-09-13 21:11:38 validate_file:303: [SID: -1] Unable to stat file =etc/cert/local/Fortinet_Factory2.cer

  5. If this line is in the logs, open a new ticket with the TAC team to receive assistance, as this is a known issue identified on v7.4.0.
  6. To stop the above debugs, use the following command:


diagnose debug disable
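
When several switches need checking, the indicators from the steps above can be pulled out of saved CLI and debug output with a short script. This is an added example, not Fortinet code: the helper names parse_fields and triage are hypothetical, and the sample text is constructed from the output shown in this article.

```python
import re

# Constructed sample: lines trimmed from the CLI and debug output shown in this article.
SAMPLE = """\
FSW # get system flan-cloud-mgr connection-info
Service Name: : FortiLAN Cloud
SSL verify Code : unspecified certificate verification error
State-Machine : State= FLAN_MGR_STATE_READY, Event= EV_READY_SSL_SESSION_DOWN
SSL Tunnel stats : restart-count= 53112, Restart Reason= Error reading tunnel EP
Switch Keep Alive Tx/Reply := 0 / 0
2023-09-13 21:11:38 validate_file:303: [SID: -1] Unable to stat file =etc/cert/local/Fortinet_Factory2.cer
"""

def parse_fields(text):
    """Return {label: value} for 'Label : value' and 'Label := value' lines."""
    fields = {}
    for line in text.splitlines():
        # The field separator is a colon preceded by whitespace; CLI prompts
        # and timestamped debug lines have no such colon and are skipped.
        parts = re.split(r"\s+:=?\s*", line.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0]:
            fields[parts[0].rstrip(":")] = parts[1].strip()
    return fields

def triage(text):
    """Summarise the indicators this article walks through (hypothetical helper)."""
    fields = parse_fields(text)
    verify = fields.get("SSL verify Code", "")
    event = re.search(r"Event=\s*(\S+)", fields.get("State-Machine", ""))
    stats = re.search(r"restart-count=\s*(\d+),\s*Restart Reason=\s*(.+)",
                      fields.get("SSL Tunnel stats", ""))
    missing = re.search(r"Unable to stat file\s*=\s*(\S+)", text)
    return {
        "verify_error": verify if "certificate verification error" in verify else None,
        "session_down": bool(event and event.group(1).endswith("SSL_SESSION_DOWN")),
        "restart_count": int(stats.group(1)) if stats else None,
        "restart_reason": stats.group(2).strip() if stats else None,
        "missing_cert": missing.group(1) if missing else None,
        # Per the article: the "Unable to stat file" line means open a TAC ticket.
        "open_tac_ticket": missing is not None,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Feed it the combined text of `get system flan-cloud-mgr connection-info` and the flan-mgr debug session; `open_tac_ticket` is set only when the debug line from this article is present.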