FortiSwitch
riteshpv
Staff
Article Id 387657
Description: This article describes the workaround to apply when a configuration sync issue is observed on FortiSwitch after upgrading FortiGate from v7.2.8 to v7.4.7.
Scope: FortiGate v7.4, FortiSwitch v7.4
Solution

Reason for the issue: This issue occurs only when FortiSwitch ports are shared with a tenant VDOM. Refer to the Fortinet documentation on Multitenancy and VDOMs.

Trigger Condition:

After upgrading FortiGate, a configuration sync error is observed for FortiSwitches that have ports shared with another tenant VDOM.

Impact:

Configuration changes from the tenant VDOM to the FortiSwitch may not be possible.


The following FortiGate output shows the config sync error after the upgrade: the switch carries the E flag in get-conn-status and CONFIG shows Error in get-sync-status:

FGT (root) # execute switch-controller get-conn-status
Managed-devices in current vdom root:

FortiLink interface : FORTILINK
SWITCH-ID      VERSION        STATUS     FLAG    ADDRESS      JOIN-TIME               NAME
SWITCH-NAME-1 v7.4.5 (880) Authorized/Up 2E   10.255.1.2 Tue Apr 1 17:16:19 2025 S124XXXXXXXX123

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3
Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 96)


FGT (root) # execute switch-controller get-sync-status all
Managed-devices in current vdom root:

FortiLink interface : FORTILINK
SWITCH-ID (SERIAL)             STATUS         CONFIG     MAC-SYNC              HTTP-UPGRADE
SWITCH-NAME-1 (S124XXXXXXXX123) Up            Error            -                     -


Root Cause:

The issue arises from a configuration format difference between FortiGate v7.2 and v7.4.

In FortiGate v7.2, the switch configuration in both the root and tenant VDOMs references the FortiSwitch serial number.

In FortiGate v7.4, the root VDOM references the FortiSwitch name, while the tenant VDOM may still refer to the serial number.

This inconsistency leads to a configuration mismatch and sync errors. This troubleshooting tip and the configuration sync error also apply to Virtual FortiSwitch (vFortiSwitch) instances managed via FortiLink; the virtual FortiSwitch appears alongside physical FortiSwitches in the FortiGate's Switch Controller.

Configuration Comparison: v7.2 vs v7.4

FortiGate v7.2 Configuration:

Root VDOM:

config switch-controller managed-switch
    edit "S124XXXXXXXX123"
        set name "SWITCH-NAME-1"
        set fsw-wan1-peer "FORTILINK"
        set fsw-wan1-admin enable
        set poe-detection-type 1
        set version 1
        set max-allowed-trunk-members 8
        set dynamic-capability 0x00000000000000001102267594d3f9d7
            config ports
                edit "port1"
                    set speed-mask 207
                    set poe-capable 1
                    set virtual-port 1
                    set export-to "TEST" <---------------- port1 exported to TEST VDOM.
                next

TEST VDOM:

config switch-controller managed-switch
    edit "S124XXXXXXXX123"
        set poe-detection-type 1
        set version 1
        set max-allowed-trunk-members 8
        set type virtual
        set owner-vdom "root"
            config ports
                edit "port1"
                    set speed-mask 207
                    set poe-capable 1
                    set virtual-port 1
                    set vlan "TEST-vlan"
                    set lldp-profile "default"
                next

FortiGate v7.4 Configuration:

Root VDOM:

config switch-controller managed-switch
    edit "SWITCH-NAME-1"
        set sn "S124XXXXXXXX123"
        set fsw-wan1-peer "FORTILINK"
        set fsw-wan1-admin enable
        set poe-detection-type 1
        set version 1
        set max-allowed-trunk-members 8
        set dynamic-capability 0x00000000000000001102267594d3f9d7
            config ports
                edit "port1"
                    set speed-mask 207
                    set poe-capable 1
                    set virtual-port 1
                    set export-to "TEST" <----- port1 exported to TEST VDOM.
                next


TEST VDOM (before fix):

 

config switch-controller managed-switch
    edit "S124XXXXXXXX123"
        set sn "S124XXXXXXXX123"
        set poe-detection-type 1
        set version 1
        set max-allowed-trunk-members 8
        set type virtual
        set owner-vdom "root"
            config ports
                edit "port1"
                    set speed-mask 207
                    set poe-capable 1
                    set virtual-port 1
                    set vlan "TEST-vlan"
                    set lldp-profile "default"
                next


Workaround:

In the Tenant TEST VDOM, update the configuration (FortiGate config file) to use the FortiSwitch name (SWITCH-NAME-1) instead of the serial number:

 

TEST VDOM (after fix):

 

config switch-controller managed-switch
    edit "SWITCH-NAME-1"
        set sn "S124XXXXXXXX123"
        set poe-detection-type 1
        set version 1
        set max-allowed-trunk-members 8
        set type virtual
        set owner-vdom "root"
            config ports
                edit "port1"
                    set speed-mask 207
                    set poe-capable 1
                    set virtual-port 1
                    set vlan "TEST-vlan"
                    set lldp-profile "default"
                next


After making the change in the backed-up FortiGate configuration file, restore that file to the FortiGate. For reference, see FortiGate Configuration Backups.

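The rename described above, done against a backed-up configuration file by a small script instead of by hand. This is an added example, not Fortinet tooling: it assumes the usual multi-VDOM backup layout (config vdom / edit <vdom> ... next) and that the root VDOM's "set sn" line gives the serial for each switch name; it reports every tenant entry still keyed by a serial and rewrites that entry's edit line to the name. The sample backup is constructed and abbreviated.

```python
SAMPLE_CONFIG = """\
config vdom
edit root
config switch-controller managed-switch
    edit "SWITCH-NAME-1"
        set sn "S124XXXXXXXX123"
        config ports
            edit "port1"
            next
        end
    next
end
next
edit TEST
config switch-controller managed-switch
    edit "S124XXXXXXXX123"
        set sn "S124XXXXXXXX123"
    next
end
next
end
"""  # constructed, abbreviated v7.4 multi-VDOM backup (not a real FortiGate export)
MS = "switch-controller managed-switch"
def managed_switches(text):  # yields (vdom, edit_key, serial, line_index) per entry
    vdom, stack, cur = None, [], None
    for i, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])  # nesting lets us ignore 'next' inside 'config ports'
        elif line == "end":
            stack.pop()
        elif line.startswith("edit ") and stack == ["vdom"]:
            vdom = line[5:].strip('"')
        elif line.startswith("edit ") and stack and stack[-1] == MS:
            cur = [vdom, line[5:].strip('"'), line[5:].strip('"'), i]  # sn defaults to key (v7.2 style)
        elif line.startswith("set sn ") and cur:
            cur[2] = line.split(None, 2)[2].strip('"')
        elif line == "next" and cur and stack[-1] == MS:
            yield tuple(cur)
            cur = None
def fix_tenant_keys(text, root_vdom="root"):  # returns (rewritten_text, [(vdom, old_key, new_key)])
    entries = list(managed_switches(text))
    name_by_sn = {sn: key for v, key, sn, _ in entries if v == root_vdom}
    lines, fixes = text.splitlines(keepends=True), []
    for v, key, sn, i in entries:
        name = name_by_sn.get(sn, key)  # tenant entry should use the root VDOM's name for this serial
        if v != root_vdom and key != name:
            lines[i] = lines[i].replace(f'edit "{key}"', f'edit "{name}"')
            fixes.append((v, key, name))
    return "".join(lines), fixes
```

Run it over the real backup file's text; an empty fixes list on a second pass confirms every tenant entry now matches the root VDOM's switch name.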
Verification:

Re-run the sync status commands; the E flag in get-conn-status and the CONFIG Error in get-sync-status are gone:

FGT (root) # execute switch-controller get-conn-status
Managed-devices in current vdom root:

FortiLink interface : FORTILINK
SWITCH-ID       VERSION      STATUS      FLAG     ADDRESS             JOIN-TIME           NAME
SWITCH-NAME-1 v7.4.5 (880) Authorized/Up  -     10.255.1.2 Tue Apr 1 17:16:19 2025  S124XXXXXXXX123

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3
Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 96)


FGT (root) # execute switch-controller get-sync-status all
Managed-devices in current vdom root:

FortiLink interface : FORTILINK
SWITCH-ID (SERIAL)                    STATUS CONFIG  MAC-SYNC HTTP-UPGRADE
SWITCH-NAME-1 (S124XXXXXXXX123)         Up      -       -            -