FortiSwitch
Adolfo_Z_H
Staff
Article Id 228038

Description

 

This article explains how to solve the most common issues that occur when trying to add a brand new FortiSwitch unit or when FortiSwitch devices unexpectedly go offline.

 

Scope

 

FortiOS 6.4.X and up. Legacy versions may produce slightly different outputs.

 

Solution

 

Before attempting to adopt a new unit, reset it to factory defaults by pressing the reset button on the front of the unit. Afterwards, update it to the recommended version. This will avoid a number of issues. See the documentation for more information:

 

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d756e8a9-6d2d-11e9-81a4-005056...

 

For example, a FortiGate running FortiOS 7.0.6 should manage FortiSwitch units running FortiSwitchOS 7.2.1, as listed in the compatibility table linked above. If the versions currently in use are not listed yet, use the latest GA release available for each product.

 

Non-discovery-enabled ports:

One common mistake is cabling the FortiGate to a FortiSwitch port on which FortiLink auto-discovery is not enabled. Follow the configuration best practices to avoid this class of problem. Read the LAN Edge deployment guide for more information:

Introduction

 

Although any port can be configured for FortiLink auto-discovery, by default only the last ports of each FortiSwitch (FSW) model have it enabled. Use those ports to build the topology. See the documentation for more information:

Configuring FortiLink

 

During the first discovery attempt, the FortiSwitch reboots by itself; this is expected. Discover one device at a time so that a reboot of one unit does not interrupt the discovery of another.

 

NTP synchronization

 

If NTP is not properly configured between the FortiGate, FortiSwitch and an external NTP server, FortiSwitch devices cannot appear as online on the FortiGate GUI (and an 'unable to build management CAPWAP tunnel' error will appear).

 

Run the following command in the FortiGate CLI and analyze the output (all commands should be issued by an administrator with the super_admin profile):

 

execute switch-controller diagnose-connection

 

Review every check that reports FAIL and resolve it. The following is an example analysis of a failing run:

 

NTP server ... FAIL <----- the FortiGate is not acting as an NTP server on the FortiLink interface

fortilink not enabled <------ NTP server mode is not enabled on the FortiLink interface (check the interface name; it may not be "fortilink" on this unit)

NTP server sync ... FAIL

synchronized: no, ntpsync: enabled, server-mode: disabled <--- the FortiGate's own clock is not synchronized and server mode is off

 

ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0 <--- the FortiGate cannot resolve or reach the external NTP server, so it never synchronizes

 

Enable NTP server mode and list the FortiLink interface under config system ntp. The FortiGate only answers NTP queries on interfaces named in that list, so without an entry for the FortiLink interface the managed switches cannot use the FortiGate as their time source.

 

This is a configuration example on the FortiGate CLI (the interface name "fortilink" is the default; substitute the actual FortiLink interface name if it differs):

 

config system ntp

    set ntpsync enable

    set server-mode enable                     <- enable server mode if it is currently disabled

    set interface "uplink" "lan" "fortilink"   <- "fortilink" was missing from the list; add it, keeping the existing entries, because 'set interface' replaces the whole list

end 
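The following Python helper is an added example, not Fortinet's tooling or a command from this article. It runs offline over text already collected from the FortiGate CLI: it lists the checks that execute switch-controller diagnose-connection reported as FAIL, and it audits a saved config system ntp block for the three conditions discussed above (ntpsync enabled, server-mode enabled, FortiLink interface present in the interface list). The sample output and config block embedded in it are constructed from the lines shown in this article rather than captured from a live device, so the exact layout of a real diagnose-connection run may differ slightly, and the interface name fortilink is an assumption.

```python
"""Offline audit helpers for the two checks this article walks through.

Example code added to this article; it is not Fortinet's tooling. It
parses text already collected from the FortiGate CLI:

  1. the output of `execute switch-controller diagnose-connection`,
     returning every check that ended in FAIL, and
  2. a `config system ntp` block, checking that ntpsync and server-mode
     are enabled and that the FortiLink interface is in the
     `set interface` list.

Both sample texts below are constructed from the lines shown in the
article, not captured from a live device.
"""
import re
import shlex

# Constructed sample: excerpt of a failing diagnose-connection run.
SAMPLE_DIAGNOSE = """\
Verify fortilink config ... OK
NTP server ... FAIL
fortilink not enabled
NTP server sync ... FAIL
synchronized: no, ntpsync: enabled, server-mode: disabled
ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0
"""

# Constructed sample: `config system ntp` block that lacks the FortiLink interface.
SAMPLE_NTP_CONFIG = """\
config system ntp
    set ntpsync enable
    set server-mode enable
    set interface "uplink" "lan"
end
"""

# Matches result lines of the form "<check name> ... OK|FAIL".
CHECK_RE = re.compile(r"^(?P<name>.+?)\s*\.\.\.\s*(?P<result>OK|FAIL)\s*$")


def failed_checks(diagnose_output: str) -> list[str]:
    """Return the names of checks reported as FAIL, in order of appearance."""
    failed = []
    for line in diagnose_output.splitlines():
        m = CHECK_RE.match(line.strip())
        if m and m.group("result") == "FAIL":
            failed.append(m.group("name").strip())
    return failed


def parse_ntp_block(config_text: str) -> dict[str, list[str]]:
    """Collect the `set` lines inside `config system ntp` as {keyword: values}.

    Values are split with shlex so quoted names ("fortilink") lose their quotes.
    """
    settings: dict[str, list[str]] = {}
    inside = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system ntp":
            inside = True
            continue
        if not inside:
            continue
        if line == "end":
            break
        if line.startswith("set "):
            parts = shlex.split(line[4:])
            settings[parts[0]] = parts[1:]
    return settings


def audit_ntp_config(config_text: str, fortilink_iface: str = "fortilink") -> list[str]:
    """Return human-readable findings; an empty list means the block passes.

    An absent keyword is treated as "not enabled", so feed this the output of
    `show full-configuration system ntp`, which prints default values that a
    plain `show` omits.
    """
    s = parse_ntp_block(config_text)
    findings = []
    if s.get("ntpsync") != ["enable"]:
        findings.append("ntpsync is not enabled")
    if s.get("server-mode") != ["enable"]:
        findings.append("server-mode is not enabled")
    if fortilink_iface not in s.get("interface", []):
        findings.append(f"interface list {s.get('interface', [])} lacks {fortilink_iface!r}")
    return findings


if __name__ == "__main__":
    print("Checks reporting FAIL:", failed_checks(SAMPLE_DIAGNOSE))
    print("NTP config findings:", audit_ntp_config(SAMPLE_NTP_CONFIG))
```

Run against the constructed samples it reports the two FAIL checks and a single finding, that the interface list lacks "fortilink"; re-run it after adding the interface to confirm the block is clean. Because FortiOS omits default values from a plain show, collect the block with show full-configuration system ntp before auditing it, otherwise the script will flag settings that are merely at their default.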

 

See this community article for more on configuring a FortiGate as an NTP server:

Technical Tip: Configuring a FortiGate unit as a NTP server

 

When the FortiGate itself cannot synchronize with its upstream NTP server, the diagnose output contains a line like the following:

 

ipv4 server(ntp2.fortiguard.com) unresolved -- unreachable(0xff) S:0 T:0

 

To solve this, make sure the FortiGate can resolve and reach the configured NTP server (DNS, routing and any policy or upstream filtering on UDP port 123). See the following community articles for similar problems:

 

Technical Tip: Troubleshoot NTP synchronization issue

Troubleshooting Tip : FortiGate with manual time setting is not responding to NTP queries even thoug...

 

Every check marked FAIL must be corrected before the FortiSwitches can build the CAPWAP management tunnel and appear online on the FortiGate's Managed FortiSwitches GUI page. Reconnection can take several minutes after the fix; restarting the affected FortiSwitch units makes them reconnect sooner.

 

If the issue persists after every failure reported by execute switch-controller diagnose-connection has been resolved, open a support ticket for an in-depth investigation and include the full output of that command.