Help
FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
mmontes
Staff
Staff

Created on ‎11-07-2017 01:03 PM

Article Id 194331

Technical Tip: No authorisation between FortiSwitch and FortiGate because Vlan 1 is used

Purpose
This article explains why when connecting the FortiSwitch, there are no authorization to the FortiGate´s interface, enabled with FortiLink.

Expectations, Requirements
Access to the FortiGate and verify that the 'Dedicated to FortiSwitch' feature is enabled into the interfaces that connects to the FortiSwitches.
Troubleshooting
Run the following debug via CLI to check the FortiLink negotiation status:
# diag debug reset
# diag debug disable
# diag debug application fortilinkd -1
# diag debug enable
Some errors can appear like following ones showing that the FortiSwitch is not being authorized:
164s:474ms:56us flp_event_handler[605]:node: FortiLink received event 102 state FL_STATE_WAIT_CONN switchname S124DNXXXXXXXXXX flags 0x401      <-- In the FortiLink, will appear the real name the interface enabled with the FortiLink Feature
164s:474ms:83us flps_fsm_transition[138]:node: FortiLink(peer:S124DNXXXXXXXXXX owner:) | state: 0 | event: 102
164s:474ms:111us fl_switch_addlink[1016]:Discovery pkt being processed for switch S124DNXXXXXXXXXX tlv(1)
164s:474ms:214us fl_adjust_logical_portname[776]:port FortiLink does not have parent interface
164s:475ms:312us fl_is_switch_propperties_changed[321]:Change detected for switch S124DNXXXXXXXXXX old(1) new(1)
164s:475ms:351us fl_is_switch_propperties_changed[378]:fl_is_switch_propperties_changed: faceplate (len:316) <model type="s124dn">       <portgroup id="portgroup1" rows="2" label="">               <port id="port" switch_name="fsw" num="24"/>       </portgroup>       <portgroup id="portgroup2" rows="1" label="SFP">               <port id="port" start="25" switch_name="fsw" type="fiber"  num="2"/>       </portgroup></model>
164s:481ms:139us fl_add_switch_ports[649]:Add switch portcount 26 port(port)
164s:493ms:237us fl_switch_authorize[885]:Commit Failed for switch S124DNXXXXXXXXXX
164s:493ms:292us fl_switch_authorize[888]:auto-authorize for switch S124DNXXXXXXXXXX
Once previous errors are identified, following debug will help to identify that FortiLink interface is using vlan 1:
# diag debug reset
# diag debug disable
# diag debug cli 8
# diag debug enable
Outputs will appear as follow:
0: edit "vsw.FortiLink"                 <-- In the FortiLink, will appear the real name of the of the interface enabled with the FortiLink Feature0: set vdom "root"
0: set interface "FortiLink"
0: set vlanid 1
-651: end
0: config switch-controller managed-switch
0: edit "S124DNXXXXXXXXX"
0: set fsw-wan1-admin enable
0: config system interface
In the output of the previous debug, the vlan 1 is used for FortiLink negotiation.
Therefore, check that into the FortiLink main physical interface, there are no interface vlan configured using the vlan 1.
If there is,  change the vlan 1 of the vlan interface to another one and make sure to disable the debug as follow once troubleshooting is finished:
# diag debug reset
# diag debug disable


15248
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.