riteshpv (Staff)
Article Id 404205
Description: This article explains why a FortiSwitch appears offline on the FortiGate when certain security features are enabled on the FortiSwitch, and how to resolve the issue.
Scope: FortiSwitch v7.6, v7.4, v7.2 (managed by FortiGate).
Solution

FortiSwitch includes a security feature designed to validate TCP and UDP packets. Depending on the FortiSwitch model, the available options may vary. Refer to the official documentation for details: FortiSwitch Security Feature Configuration.

One such option is 'udp-port-eq', which, when enabled, can cause the FortiSwitch to appear offline on the FortiGate. The status can be verified on the FortiGate using the command: 'execute switch-controller get-conn-status'.

This security setting is intended to detect and block potential UDP-based attacks, especially those involving packets with identical source and destination UDP ports.

However, CAPWAP communication between FortiGate and managed FortiSwitch units uses UDP port 5246 as both source and destination. Blocking such traffic disrupts the control channel between FortiGate and FortiSwitch.

Example Packet Captures:

  • FortiGate FortiLink Interface IP: 1.1.1.1
  • FortiSwitch Internal IP: 1.1.1.2

FortiGate Sniffer:

FortiGate# diagnose sniffer packet any "host 1.1.1.2 && port 5246"

1848.221580 1.1.1.1.5246 -> 1.1.1.2.5246: udp 70
1848.221585 1.1.1.1.5246 -> 1.1.1.2.5246: udp 70

FortiSwitch Sniffer:

FortiSwitch# diagnose sniffer packet internal "port 5246"

3478.088735 internal -- 1.1.1.2.5246 -> 255.255.255.255.5246: udp 228
3527.088771 internal -- 1.1.1.2.5246 -> 224.0.1.140.5246: udp 228
3529.088804 internal -- 1.1.1.2.5246 -> 255.255.255.255.5246: udp 228

As the captures above show, with udp-port-eq enabled the FortiGate is transmitting CAPWAP packets (UDP 5246 -> 5246) towards the FortiSwitch, but the FortiSwitch sniffer shows only the switch's own outbound discovery traffic. The FortiGate's packets, whose source and destination port are identical, are dropped by the security feature, so only one-way traffic from FortiSwitch to FortiGate is visible and the control channel never completes.
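The asymmetry described above can be checked mechanically. The following Python script is an added example written for this article, not Fortinet tooling: it parses the summary lines printed by 'diagnose sniffer packet' in the format shown on this page, models the udp-port-eq check as "a UDP packet whose source and destination port are equal", and compares what the FortiGate sent with what the FortiSwitch actually received. The embedded captures are the ones quoted in this article, and 1.1.1.1 / 1.1.1.2 are the article's example addresses.

```python
import re
from dataclasses import dataclass
from typing import Optional

CAPWAP_CONTROL_PORT = 5246  # FortiGate and FortiSwitch use it as both source and destination

# Summary-line format of 'diagnose sniffer packet' as shown in this article;
# the "internal --" interface prefix printed by the FortiSwitch is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?:(?P<iface>\S+)\s+--\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<length>\d+)$"
)


@dataclass
class Packet:
    ts: float
    iface: Optional[str]
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


def parse_sniffer(text: str) -> list:
    """Parse sniffer summary lines; anything that is not a packet summary is ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(float(m["ts"]), m["iface"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["proto"], int(m["length"])))
    return packets


def matches_udp_port_eq(pkt: Packet) -> bool:
    """Model of the udp-port-eq check: a UDP packet whose source port equals its
    destination port. CAPWAP control traffic (5246 -> 5246) always matches."""
    return pkt.proto == "udp" and pkt.sport == pkt.dport


def diagnose(fortigate_capture: str, fortiswitch_capture: str,
             fortigate_ip: str, fortiswitch_ip: str) -> dict:
    """Compare the FortiGate's view and the FortiSwitch's view of the CAPWAP channel."""
    fg, fsw = parse_sniffer(fortigate_capture), parse_sniffer(fortiswitch_capture)

    def unicast(pkts, src, dst):  # unicast CAPWAP control packets from src to dst
        return [p for p in pkts if p.src == src and p.dst == dst and p.dport == CAPWAP_CONTROL_PORT]

    sent_by_fg = unicast(fg, fortigate_ip, fortiswitch_ip)
    seen_on_fsw = unicast(fsw, fortigate_ip, fortiswitch_ip)
    replies_on_fsw = unicast(fsw, fortiswitch_ip, fortigate_ip)
    return {
        "fortigate_sent": len(sent_by_fg),
        "fortiswitch_received": len(seen_on_fsw),
        "fortiswitch_replied": len(replies_on_fsw),
        "sent_traffic_matches_udp_port_eq": bool(sent_by_fg) and all(map(matches_udp_port_eq, sent_by_fg)),
        "control_channel_up": bool(seen_on_fsw) and bool(replies_on_fsw),
    }


def verdict(result: dict) -> str:
    """Human-readable conclusion from a diagnose() result."""
    if result["control_channel_up"]:
        return "CAPWAP control channel is bidirectional"
    if result["fortigate_sent"] and not result["fortiswitch_received"] \
            and result["sent_traffic_matches_udp_port_eq"]:
        return ("FortiGate transmits CAPWAP (5246 -> 5246) but nothing arrives on the FortiSwitch; "
                "consistent with udp-port-eq dropping it (set udp-port-eq disable)")
    return "control channel down, but not explained by udp-port-eq"


# Captures quoted in this article: udp-port-eq enabled (broken) ...
FG_BEFORE = """
1848.221580 1.1.1.1.5246 -> 1.1.1.2.5246: udp 70
1848.221585 1.1.1.1.5246 -> 1.1.1.2.5246: udp 70
"""
FSW_BEFORE = """
3478.088735 internal -- 1.1.1.2.5246 -> 255.255.255.255.5246: udp 228
3527.088771 internal -- 1.1.1.2.5246 -> 224.0.1.140.5246: udp 228
3529.088804 internal -- 1.1.1.2.5246 -> 255.255.255.255.5246: udp 228
"""
# ... and after 'set udp-port-eq disable' (working).
FG_AFTER = """
454.763972 1.1.1.2.5246 -> 224.0.1.140.5246: udp 228
454.766069 1.1.1.1.5246 -> 1.1.1.2.5246: udp 108
454.766073 1.1.1.1.5246 -> 1.1.1.2.5246: udp 108
455.816355 1.1.1.2.5246 -> 1.1.1.1.5246: udp 217
"""
FSW_AFTER = """
3796.088799 internal -- 1.1.1.2.5246 -> 224.0.1.140.5246: udp 228
3796.093321 internal -- 1.1.1.1.5246 -> 1.1.1.2.5246: udp 108
3797.143139 internal -- 1.1.1.2.5246 -> 1.1.1.1.5246: udp 217
3797.143915 internal -- 1.1.1.1.5246 -> 1.1.1.2.5246: udp 52
"""

if __name__ == "__main__":
    for label, fg, fsw in (("before", FG_BEFORE, FSW_BEFORE), ("after", FG_AFTER, FSW_AFTER)):
        print(label + ":", verdict(diagnose(fg, fsw, "1.1.1.1", "1.1.1.2")))
```

Feed it the output of the two sniffer commands from this article (FortiGate side and FortiSwitch side) and it reports whether the FortiGate's CAPWAP packets are reaching the switch; the "before" captures yield the udp-port-eq verdict, the "after" captures report a bidirectional channel.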

Note:

  • During this state, SSH access to the FortiSwitch remains functional.
  • Any FortiSwitch connected downstream of (behind) this FortiSwitch will also go down, because its management traffic transits the affected switch.

Resolution:
To restore connectivity, disable the udp-port-eq setting under the FortiSwitch security feature configuration:

config switch security-feature
    set udp-port-eq disable
end

Post-Change Packet Capture Verification:

FortiGate Sniffer:

FortiGate# diagnose sniffer packet any "host 1.1.1.2 && port 5246"

454.763972 1.1.1.2.5246 -> 224.0.1.140.5246: udp 228
454.763975 1.1.1.2.5246 -> 224.0.1.140.5246: udp 228
454.766069 1.1.1.1.5246 -> 1.1.1.2.5246: udp 108
454.766073 1.1.1.1.5246 -> 1.1.1.2.5246: udp 108
455.816355 1.1.1.2.5246 -> 1.1.1.1.5246: udp 217

FortiSwitch Sniffer:

FortiSwitch# diagnose sniffer packet internal "port 5246"

3796.088799 internal -- 1.1.1.2.5246 -> 224.0.1.140.5246: udp 228
3796.093321 internal -- 1.1.1.1.5246 -> 1.1.1.2.5246: udp 108
3797.143139 internal -- 1.1.1.2.5246 -> 1.1.1.1.5246: udp 217
3797.143915 internal -- 1.1.1.1.5246 -> 1.1.1.2.5246: udp 52