Created on 10-26-2022 10:39 AM Edited on 12-05-2024 09:59 PM By Anthony_E
Description
This article explains how to solve the most common issues that occur when trying to add a brand new FortiSwitch or when FortiSwitches unexpectedly go offline.
Scope
FortiSwitch v6.4.X and up. Legacy versions may produce slightly different outputs.
Solution
Before attempting to adopt a new unit, reset it to factory defaults by pressing the reset button on the front of the unit. Afterwards, update it to the FortiSwitchOS version recommended for the FortiOS version running on the FortiGate. This avoids several known issues. See the documentation for more information: FortiLink Compatibility
For example:
If the FortiGate is running v7.0.6, run release v7.2.1 on the FortiSwitch. If the versions currently in use are not listed yet, use the latest GA versions available for both products.
Non-discovery-enabled ports:
One common mistake is connecting the FortiSwitch through a port that is not FortiLink auto-discovery enabled. Follow the configuration best practices described in the LAN edge deployment guide to solve related issues.
Although any port can be configured to use FortiLink and automatically create topologies, only the last ports of each FortiSwitch model have this configuration by default. Use these ports to create the topology. See the FortiSwitch documentation for the default auto-discovery ports of each model.
During the first FortiSwitch port discovery attempt, the FortiSwitch device reboots by itself. Discover one device at a time.
NTP synchronization:
If NTP is not properly configured between the FortiGate, the FortiSwitch, and an external NTP server, the FortiSwitches will not come online on the FortiGate GUI, and the FortiGate reports an 'unable to build management CAPWAP tunnel' error.
Use the following command in the FortiGate CLI and analyze the outputs (all commands should be issued using a superadmin user):
execute switch-controller diagnose-connection
Review any configurations listed with FAIL or WARNING results and resolve them. The following is an example analysis:
DHCP server ... OK
fortilink enabled
WARNING : NTP service for DHCP entry should be set to local mode .... please check config <---
NTP server ... FAIL <-----
fortilink not enabled <------ NTP is not enabled on the FortiLink interface (check the interface name, as it may be different).
NTP server sync ... FAIL
synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0 <---NTP is not syncing between FortiGate and an external server.
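The output above has to be read item by item, and each FAIL or WARNING maps to a specific configuration change later in this article. As an added example (not Fortinet code, and not part of the original article), the following Python helper parses a captured copy of the diagnose-connection output into one finding per check and attaches the matching FortiGate CLI remediation. It assumes the line layout shown above ("<check> ... OK|FAIL|WARNING" followed by detail lines, plus free-standing "WARNING :" lines); other builds may print slightly different text. The sample input is a constructed copy of the article's example output.

```python
"""Triage helper for `execute switch-controller diagnose-connection` output.

Added example, not Fortinet code. It assumes the line layout shown in the
article: "<check> ... OK|FAIL|WARNING", indented detail lines that belong to
the preceding check, and free-standing "WARNING : ..." lines.
"""
import re
from dataclasses import dataclass, field

CHECK_RE = re.compile(r"^(?P<name>.+?)\s*\.{3,}\s*(?P<status>OK|FAIL|WARNING)\s*$")
WARN_RE = re.compile(r"^WARNING\s*:\s*(?P<msg>.+?)\s*$")
UNREACH_RE = re.compile(r"server\((?P<host>[^)]+)\).*unreachable")
NOT_ENABLED_RE = re.compile(r"^(?P<iface>\S+)\s+not enabled$")


@dataclass
class Finding:
    check: str
    status: str                       # OK, FAIL or WARNING
    details: list = field(default_factory=list)
    remediation: str = ""


def suggest(f: "Finding") -> str:
    """Map a FAIL/WARNING item to the fix the article describes (FortiGate CLI)."""
    if f.status == "OK":
        return ""
    joined = " ".join(f.details)
    if f.check == "WARNING" and "NTP service for DHCP" in joined:
        return ("config system dhcp server -> edit <FortiLink DHCP server id> -> "
                "set ntp-service local")
    if f.check == "NTP server":
        for d in f.details:
            m = NOT_ENABLED_RE.match(d)
            if m:
                return (f"config system ntp -> set server-mode enable -> "
                        f"add '{m['iface']}' to 'set interface'")
    if f.check == "NTP server sync":
        m = UNREACH_RE.search(joined)
        host = m["host"] if m else "the configured NTP server"
        return (f"FortiGate itself is not synchronized: make sure it can resolve and "
                f"reach {host} (DNS, route, outbound policy) before expecting switches online")
    return "Review this item; every FAIL/WARNING blocks the CAPWAP management tunnel"


def parse_diagnose_connection(text: str) -> list:
    """Group the output into one Finding per check, keeping its detail lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHECK_RE.match(line)
        if m:
            findings.append(Finding(m["name"].strip(), m["status"]))
            continue
        m = WARN_RE.match(line)
        if m:                         # free-standing warning, reported as its own item
            findings.append(Finding("WARNING", "WARNING", [m["msg"]]))
            continue
        if findings:                  # anything else is detail for the previous check
            findings[-1].details.append(line)
    for f in findings:
        f.remediation = suggest(f)
    return findings


def blocking(findings) -> list:
    """Items that must be cleared before a switch can come online."""
    return [f for f in findings if f.status in ("FAIL", "WARNING")]


# Constructed sample: a copy of the example output shown in the article.
SAMPLE = """\
DHCP server ... OK
    fortilink enabled
WARNING : NTP service for DHCP entry should be set to local mode .... please check config
NTP server ... FAIL
    fortilink not enabled
NTP server sync ... FAIL
    synchronized: no, ntpsync: enabled, server-mode: disabled
    ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0
"""

if __name__ == "__main__":
    for f in blocking(parse_diagnose_connection(SAMPLE)):
        print(f"[{f.status}] {f.check}: {f.remediation}")
```

Paste the real CLI output into SAMPLE (or read it from the saved PuTTY log) and the script lists only the items that still block the management tunnel, each with the CLI change to make.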
Enable NTP server mode on the FortiGate and list the FortiLink interface under 'set interface': the FortiGate only answers NTP requests on the interfaces listed there, and the FortiSwitches learn the FortiGate as their NTP server from the DHCP lease on that interface (ntp-service local).
This is a configuration example on FortiGate's CLI:
config system ntp
set ntpsync enable
set server-mode enable <- Enable server mode if necessary.
set interface "uplink" "lan" <- 'fortilink' is not listed on this configuration - add the FortiLink interface.
end
config system dhcp server
edit <id> <----- ID of the DHCP server bound to the FortiLink interface.
set ntp-service local
set vci-match enable
set vci-string "FortiSwitch" "FortiExtender"
next
end
Follow this KB article to learn more about how to configure FortiGate as an NTP server: Technical Tip: Configuring a FortiGate unit as a NTP server
NTP syncing issues on the FortiGate itself show up as an error like the following:
ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0
To solve them, ensure that the FortiGate can resolve and reach the configured NTP server (DNS, routing and any outbound policy). See the related community articles for information on similar problems.
All configuration components marked with FAIL or WARNING must be corrected before FortiSwitches can build a CAPWAP management tunnel and appear online in the FortiGate Managed FortiSwitches GUI menu. Sometimes this can take several minutes; a restart or factory reset of the affected FortiSwitch units usually makes them reconnect immediately.
If issues persist after solving all failed configurations found by using execute switch-controller diagnose-connection, open a new support ticket to start an in-depth investigation into the issue.
When opening the ticket, attach the output of the following commands.
From FortiSwitch CLI via SSH or console:
get sys status
diagnose ip address list
diagnose sys ntp status
diagnose hardware certificate
diagnose sys top 2
diagnose debug crashlog read
diagnose debug report
From the FortiGate CLI via SSH or console:
get sys stat
get sys ha status
diagnose debug crashlog read
show system dhcp server | grep -f "<FortiLink interface name>"
show system ntp
show system interface <fortilink interface name>
execute switch-controller get-conn-status
execute switch-controller diagnose-connection
execute switch-controller diagnose-connection <add offending FortiSwitch SN or name>
execute switch-controller get-physical-conn standard <FortiLink interface name>
execute switch-controller get-physical-conn dot <FortiLink interface name>
execute switch-controller get-sync-status all
diagnose switch-controller switch-info mclag peer-consistency-check
Generate a separate TXT file for every device using Putty or a similar terminal application: Technical Tip: How to create a log file of a session using PuTTY
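Collecting this command set by hand on every switch and the FortiGate is tedious and error-prone (the FortiLink interface name and the switch serial have to be substituted in several places). As an added example, not Fortinet code and not part of the original article, the following Python script runs the lists above over the system ssh client and writes one TXT transcript per device, which is the format the ticket asks for. The SSH transport is pluggable so the bundling logic can be checked without devices; the host names, user name and output directory are assumptions, and the long-running command is bounded by a timeout so one hung command does not lose the rest of the bundle.

```python
"""Build one support-bundle TXT file per device from the article's command lists.

Added example, not Fortinet code. Uses the system `ssh` client by default;
`runner` is injectable so the logic can be tested without devices. Host
names, user name and output directory are assumptions.
"""
import subprocess
from pathlib import Path

FORTISWITCH_CMDS = [
    "get sys status",
    "diagnose ip address list",
    "diagnose sys ntp status",
    "diagnose hardware certificate",
    "diagnose sys top 2",
    "diagnose debug crashlog read",
    "diagnose debug report",
]

# {fortilink} and {switch} are substituted from the caller's arguments.
FORTIGATE_CMDS = [
    "get sys stat",
    "get sys ha status",
    "diagnose debug crashlog read",
    'show system dhcp server | grep -f "{fortilink}"',
    "show system ntp",
    "show system interface {fortilink}",
    "execute switch-controller get-conn-status",
    "execute switch-controller get-sync-status all",
    "execute switch-controller diagnose-connection",
    "execute switch-controller diagnose-connection {switch}",
    "execute switch-controller get-physical-conn standard {fortilink}",
    "execute switch-controller get-physical-conn dot {fortilink}",
    "diagnose switch-controller switch-info mclag peer-consistency-check",
]


def ssh_runner(host: str, user: str, cmd: str, timeout: int = 120) -> str:
    """Run one CLI command non-interactively over SSH; keep partial output on timeout."""
    try:
        r = subprocess.run(["ssh", "-o", "BatchMode=yes", f"{user}@{host}", cmd],
                           capture_output=True, text=True, timeout=timeout)
        return r.stdout + r.stderr
    except subprocess.TimeoutExpired as exc:     # e.g. a command that keeps refreshing
        return (exc.stdout or "") + f"\n<timed out after {timeout}s>"


def command_set(role: str, fortilink: str = "fortilink", switch: str = "") -> list:
    """Expand the placeholders for one role ('fortigate' or 'fortiswitch')."""
    if role == "fortiswitch":
        return list(FORTISWITCH_CMDS)
    if role == "fortigate":
        return [c.format(fortilink=fortilink, switch=switch) for c in FORTIGATE_CMDS]
    raise ValueError(f"unknown role {role!r}")


def build_transcript(host, user, role, fortilink="fortilink", switch="",
                     runner=ssh_runner) -> str:
    """Each command as a '### ' header followed by its output; failures are recorded, not fatal."""
    lines = []
    for cmd in command_set(role, fortilink, switch):
        lines.append(f"### {cmd}")
        try:
            lines.append(runner(host, user, cmd).rstrip())
        except Exception as exc:                  # one broken command must not lose the bundle
            lines.append(f"<command failed: {exc}>")
        lines.append("")
    return "\n".join(lines)


def collect(host, user, role, outdir, fortilink="fortilink", switch="",
            runner=ssh_runner) -> Path:
    """Write the transcript to <outdir>/<role>_<host>.txt and return the path."""
    out = Path(outdir) / f"{role}_{host}.txt"
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_text(build_transcript(host, user, role, fortilink, switch, runner))
    return out


if __name__ == "__main__":
    # Assumed inventory: one FortiGate and one switch, replace with your own.
    print(collect("fgt-1.example", "admin", "fortigate", "bundle",
                  fortilink="fortilink", switch="<offending switch SN or name>"))
    print(collect("fsw-1.example", "admin", "fortiswitch", "bundle"))
```

Run it from a host that already has key-based SSH access to the devices (BatchMode refuses to prompt for a password), then attach the generated TXT files to the ticket.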
Copyright 2025 Fortinet, Inc. All Rights Reserved.