Created on 10-29-2023 10:50 PM
Edited on 03-19-2025 07:04 AM
By Jean-Philippe_P
Description
This article is a troubleshooting guide for issues related to onboarding a managed FortiSwitch into FortiGate. Three common issues are covered:
- Unable to authorize FortiSwitch.
- FortiSwitch is not online on FortiGate.
- Second FortiSwitch is not coming online or flapping.
Scope
FortiSwitch.
Solution
- Unable to authorize FortiSwitch.
If it is not possible to see the FortiSwitch on the FortiGate, try adding its serial number manually under WiFi & Switch Controller -> Managed Switch -> Create New -> FortiSwitch. If the FortiSwitch is visible under 'Managed Switch' in the FortiGate but cannot be authorized, follow the steps below:
- Go to WiFi & Switch Controller -> Managed FortiSwitch and select Authorize on the FortiSwitch. If the FortiSwitch remains in the Unauthorized state, check the points below.
- Go to WiFi & Switch Controller -> FortiSwitch VLANs.
- Check for a VLAN with VLAN ID 1 named default.<interface_name> or vsw.<interface_name>. For example, if the FortiLink interface is named fortilink, the VLAN is default.fortilink or vsw.fortilink.
- The VLAN ID of this interface has to be 1 and its name must not be changed.
- If this VLAN is missing, go to Network -> Interfaces on the FortiGate and check for any unused or duplicate VLAN interfaces with VLAN ID 1 named default.fortilink or vsw.fortilink. These entries need to be deleted.
- If the FortiSwitch still cannot be authorized after the above step, go to WiFi & Switch Controller -> FortiSwitch VLANs and manually create a VLAN with VLAN ID 1 named default.<interface_name>.
- Try to authorize the FortiSwitch again after the above step.
One error that can be observed in the GUI when a duplicate VLAN with VLAN ID 1 exists is 'Cannot edit managed-switch peer link admin'. Refer to Technical Tip: No authorisation between FortiSwitch and FortiGate because Vlan 1 is used for more information.
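As an added check (not part of the original article), the following script parses FortiGate 'config system interface' output and applies the VLAN 1 rules above: the FortiLink interface must carry exactly one VLAN ID 1 entry, named default.<interface_name> or vsw.<interface_name>. The sample output is constructed, and the FortiLink interface name 'fortilink' is assumed.

```python
# Added example (not from the article): scan FortiGate 'config system interface'
# output for VLAN ID 1 on the FortiLink interface and report the conditions the
# steps above describe. The sample output below is constructed, not captured.
import re

SAMPLE_SHOW = """\
config system interface
    edit "default.fortilink"
        set interface "fortilink"
        set vlanid 1
    next
    edit "old_default"
        set interface "fortilink"
        set vlanid 1
    next
end
"""

def parse_interfaces(text):
    """Return {interface_name: {setting: value}} from the edit ... next blocks."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            result[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            result[current][key] = value.strip('"')
        elif line == "next":
            current = None
    return result

def check_vlan1(text, fortilink):
    """List VLAN-1 problems on the given FortiLink interface (empty = OK)."""
    ifaces = parse_interfaces(text)
    allowed = {f"default.{fortilink}", f"vsw.{fortilink}"}
    vlan1 = [n for n, s in ifaces.items()
             if s.get("interface") == fortilink and s.get("vlanid") == "1"]
    findings = []
    if not vlan1:
        findings.append(f"no VLAN 1 on {fortilink}: create default.{fortilink}")
    for name in vlan1:
        if name not in allowed:
            findings.append(f"stale VLAN 1 entry '{name}' on {fortilink}: delete it")
    if len(vlan1) > 1:
        findings.append(f"{len(vlan1)} VLAN 1 entries on {fortilink}, expected one")
    return findings
```

Feed it the output of 'show system interface' from the FortiGate CLI; any finding corresponds to one of the delete or create steps listed above.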
If the issue persists after the steps above, contact Technical support with the output of the following commands from FortiSwitch and FortiGate:
FortiSwitch CLI:
show full
diag debug report
FortiGate CLI:
execute switch-controller get-conn-status
execute switch-controller diagnose-connection
execute switch-controller diagnose-connection <FortiSwitch device ID or SN>
config switch-controller managed-switch
edit <switch_serial_number>
set fsw-wan1-admin enable <----- Shows an error with the reason for the authorization issue.
end
- FortiSwitch is not online on FortiGate.
If this is a brand new FortiSwitch that is not coming online on the FortiGate, follow the steps below for troubleshooting.
On FortiGate:
- NTP must be served locally on the FortiLink interface, that is, the FortiGate acts as the NTP server for the FortiSwitch over FortiLink.
- DHCP must be enabled on the FortiLink interface.
On FortiSwitch:
get sys interface <----- Make sure the internal interface is getting its IP address from FortiLink. If not, check whether internal is set to DHCP.
S224EXXXXXXXX # config system interface
S224EXXXXXXXX (interface) # edit internal
S224EXXXXXXXX (internal) # show
config system interface
edit "internal"
set mode dhcp <----- Set to DHCP.
set allowaccess ping https ssh
set type physical
set snmp-index 30
set defaultgw enable
next
end
diagnose switch physical-ports summary <----- The uplink port and internal must be on VLAN 4094.
S224EXXXXXXXX # diagnose switch physical-ports summary
Portname Status Tpid Vlan Duplex Speed Flags Discard
__________ ______ ____ ____ ______ _____ ____________ _________
port24 up 8100 4094 full 1G QS,TL, none
internal up 8100 4094 full 1G QS, , none
diagnose switch trunk summary <----- The trunk should be auto-configured with the FortiGate.
S224E********** # diagnose switch trunk summary
Trunk Name Mode PSC MAC Status Up Time
________________ ________________________________ ___________ _________________ ___________ _________________________________
G100FTK****** lacp-active(isl) src-dst-ip E8:1C:BA:AF:82:03 up(1/1) 0 days,23 hours,48 mins,32 secs
If the above two checks fail, verify that the settings below are configured on the FortiSwitch.
- If the FortiSwitch is above v7.2.0:
config switch auto-network
set mgmt-vlan 4094
set status enable
end
- If the FortiSwitch is below v7.2.0:
config system global
set switch-mgmt-mode fortilink
end
- Check lldp-profile on FortiSwitch uplink port:
config switch physical-port
(physical-port) # edit port24 <----- Uplink port.
(port24) # set lldp-profile default-auto-isl
(port24) # end
- Check the date and NTP Status on the FortiSwitch. NTP needs to be in sync with the FortiGate:
S224E********* # diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv4 server(169.254.1.1) 169.254.1.1 -- reachable(0xfd) S:0 T:14 selected
server-version=4, stratum=3
reference time is e8e68d7f.b82b8507 -- UTC Fri Oct 27 19:26:55 2023
clock offset is -0.012170 sec, root delay is 0.059586 sec
root dispersion is 0.010345 sec, peer dispersion is 431 msec
- If NTP is not in sync, check the below configs:
config sys ntp
set ntpsync enable <----- Needs to be enabled.
config ntpserver
edit 0
set server <fortilink_ip_address>
next
end
end
If the date is not accurate, the FortiLink connection to the FortiGate can fail, so ensure the date is correct on the FortiSwitch.
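The port, trunk and NTP checks above can be automated over captured FortiSwitch CLI output. The script below is an added example, not code from the article or from Fortinet; the three sample outputs are constructed in the formats shown above (with the uplink deliberately on VLAN 1 and NTP unsynchronized), and 'port24' is assumed to be the uplink.

```python
# Added example (not from the article): run the FortiSwitch checks above over
# captured CLI output. The sample strings are constructed in the formats shown.
import re
PORTS_SUMMARY = """\
Portname Status Tpid Vlan Duplex Speed Flags Discard
__________ ______ ____ ____ ______ _____ ____________ _________
port24 up 8100 1 full 1G QS,TL, none
internal up 8100 4094 full 1G QS, , none
"""
TRUNK_SUMMARY = """\
Trunk Name Mode PSC MAC Status Up Time
________________ ________________ ___________ _________________ ___________ ____
G100FTK****** lacp-active(isl) src-dst-ip 00:11:22:33:44:55 up(1/1) 0 days,1 hours
"""
NTP_STATUS = "synchronized: no, ntpsync: enabled, server-mode: disabled\n"
MGMT_VLAN = "4094"  # FortiLink management VLAN expected on uplink and internal

def parse_ports(text):
    """Map port name -> {status, vlan} from 'diagnose switch physical-ports summary'."""
    ports = {}
    for line in text.splitlines()[2:]:  # skip the header and underline rows
        cols = line.split()             # Vlan is always the 4th column
        if len(cols) >= 4:
            ports[cols[0]] = {"status": cols[1], "vlan": cols[3]}
    return ports

def trunk_up(text):
    """True when an auto-ISL trunk (mode ...(isl)) reports status up(...)."""
    return any(re.search(r"\(isl\).*\bup\(", ln) for ln in text.splitlines())

def ntp_synced(text):
    """True when 'diagnose sys ntp status' reports synchronized: yes."""
    m = re.search(r"synchronized:\s*(\w+)", text)
    return bool(m and m.group(1).lower() == "yes")

def fortilink_checks(uplink, ports_out, trunk_out, ntp_out):
    """Return the failed prerequisites; an empty list means all checks passed."""
    ports = parse_ports(ports_out)
    failed = []
    for name in (uplink, "internal"):
        p = ports.get(name)
        if p is None or p["status"] != "up":
            failed.append(f"{name}: not up")
        elif p["vlan"] != MGMT_VLAN:
            failed.append(f"{name}: native VLAN {p['vlan']}, expected {MGMT_VLAN}")
    if not trunk_up(trunk_out):
        failed.append("no ISL trunk up: check auto-ISL / lldp-profile on the uplink")
    if not ntp_synced(ntp_out):
        failed.append("NTP not synchronized with FortiGate")
    return failed
```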
If FortiSwitches are still not up after the above, see below:
diag switch physical-ports linerate <port_no> <----- Check that both tx and rx traffic are visible on the port.
diag switch physical-ports linerate up <----- Check whether the tx total and rx total are the same. If not, there might be a loop or excessive broadcast traffic in the network.
- Reboot FortiGate and FortiSwitch. This restarts the CAPWAP daemon.
If the FortiSwitch still shows Authorized/Down on the FortiGate (in the output of 'execute switch-controller get-conn-status'), residual configuration on the FortiSwitch may be interfering with the FortiLink connection. If a factory reset of the FortiSwitch is feasible (for example, when it is a new switch being added), run 'execute factoryreset', answer 'y' when asked to confirm, and then verify whether it connects to the FortiGate.
MCLAG setup:
If the FortiSwitch being added replaces one of the two switches in an existing MCLAG pair, 'set mclag-icl enable' must be configured manually on the ICL trunk of the replacement switch, together with the peer switch name, before it can connect to the FortiGate over FortiLink. Refer to Step 7 under 'To replace a managed FortiSwitch unit of an MCLAG pair' in Replacing a managed FortiSwitch unit for more details.
If the issue persists after the above steps, contact Technical support with the output of the following commands from FortiSwitch and FortiGate:
FortiSwitch CLI:
show full
diag debug report
diag debug crashlog read
FortiGate CLI:
show system dhcp server | grep -f "<FortiLink interface name>"
show system ntp
show system interface <fortilink interface name>
execute switch-controller get-conn-status
execute switch-controller diagnose-connection
execute switch-controller diagnose-connection <FortiSwitch device SN or name>
execute switch-controller get-physical-conn standard <FortiLink interface name>
execute switch-controller get-physical-conn dot <FortiLink interface name>
execute switch-controller get-sync-status all
config system interface
edit <fortilink-interface-name>
show full
end
- Second FortiSwitch is not coming online or flapping.
On FortiGate:
Make sure the topology is supported, as listed in Determining the network topology.
If two FortiSwitches are directly connected to the FortiLink interface (an aggregate interface), a cable must also be connected between the two FortiSwitches, and 'split-interface' must be enabled on the FortiLink interface.
The split interface setting puts one of the member interfaces in 'down' status so that it acts as a backup link to the FortiGate; it only becomes active when the other interface fails.
config sys interface
edit Fortilink
set members x1 x2
set fortilink-split-interface enable
end
If the issue persists after the above, refer to the previous section, 'FortiSwitch is not online on FortiGate'.