Issue:
The issue is noticed when a FortiSwitch in FortiLink mode is upgraded, and possibly also after a reboot.
Behavior during the issue:
- FortiSwitch shows offline on the FortiGate.
- Clients connected to the offline FortiSwitch can still forward traffic.
- It is still possible to SSH to the FortiSwitch via the FortiGate.
Reason:
The FortiSwitch clock is not in sync with the current time because the configured NTP servers are not reachable.
Observation:
- Connect to the FortiSwitch that is seen as offline and run the following command:
show system ntp
config system ntp
    config ntpserver
        edit 1
            set server "208.91.112.61"
        next
        edit 2
            set server "208.91.112.63"
        next
    end
    set ntpsync enable
end
- As seen in the above output, multiple NTP servers are configured. However, none of them is reachable from the FortiSwitch.
- If a packet capture is collected on the FortiGate, only one-way traffic (requests without replies) will be seen on UDP port 123 (the NTP port). To validate, run the following command:
diag sniffer packet any "port 123"
- The debug flow output will show that the traffic is denied by the FortiGate. To verify, use the following commands:
diagnose debug flow filter addr <ntp-server-Ip-address>
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable
Solution:
- Either create a firewall policy from the FortiLink interface so that the NTP server is reachable through the FortiGate:
config firewall policy
    edit 1
        set name "all"
        set srcintf "MCLAG"   <-- FortiLink interface name.
        set dstintf "port1"   <-- FortiGate port toward the internet.
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "all"
        set nat enable
    next
end
Note: A more granular policy that allows only the required traffic, such as NTP, can be created instead.
- Or set the FortiLink interface itself as the NTP server for the switches, by configuring the NTP server option as 'local', or by choosing 'specify' and providing the FortiLink interface IP.
The option is available under the FortiLink interface -> Advanced -> NTP server.
The screenshot below is taken from the FortiLink interface settings on the FortiGate.
Note: It is necessary to reboot the FortiSwitch after the NTP configuration change.

From the CLI, this setting is available under the DHCP server of the FortiLink interface:
show full system dhcp server
    edit 15
        set dns-service local
        set ntp-service local   <--
        set default-gateway 1.1.1.1
        set netmask 255.255.255.0
        set interface "fortilinktest"
        config ip-range
            edit 1
                set start-ip 1.1.1.2
                set end-ip 1.1.1.254
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
end
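As an added example (not part of the article or any Fortinet tool), the following Python check parses `show full system dhcp server` output like the one above and flags every DHCP scope that serves FortiSwitch (by vci-string) but whose ntp-service does not point the switches at the FortiGate. The second scope in the sample is constructed, and the rule that a 'specify' server must equal the scope's default gateway (the FortiLink IP) is an assumption of this check.

```python
import shlex
# Constructed `show full system dhcp server` output: scope 15 is the article's scope (trimmed),
# scope 16 is an assumed second FortiLink scope still on the default NTP setting.
SAMPLE = """\
config system dhcp server
    edit 15
        set ntp-service local
        config ip-range
            edit 1
                set start-ip 1.1.1.2
            next
        end
        set vci-string "FortiSwitch" "FortiExtender"
    next
    edit 16
        set ntp-service default
        set default-gateway 10.255.1.1
        set interface "fortilink2"
        set vci-string "FortiSwitch"
    next
end
"""

def parse_dhcp_servers(text):
    """Map each top-level `edit` id to its `set` values; nested tables (ip-range) are skipped."""
    entries, current, depth = {}, None, 0
    for raw in text.splitlines():
        tokens = shlex.split(raw) or [""]   # shlex also strips the quotes around "fortilink2"
        kw = tokens[0]
        depth += (kw == "config") - (kw == "end")   # table nesting: top level = 1, ip-range = 2
        if depth == 1 and kw == "edit":
            current, entries[tokens[1]] = tokens[1], {}
        elif depth == 1 and kw == "next":
            current = None
        elif depth == 1 and kw == "set" and current is not None:
            entries[current][tokens[1]] = tokens[2:]
    return entries

def fortilink_ntp_findings(text):
    """(edit id, interface, ntp-service) for FortiSwitch scopes whose NTP is not the FortiGate."""
    findings = []
    for eid, s in parse_dhcp_servers(text).items():
        if "FortiSwitch" not in s.get("vci-string", []):
            continue
        ntp = s.get("ntp-service", ["default"])[0]
        # 'specify' is acceptable when ntp-server1 is the FortiLink IP, assumed here to be the
        # scope's default gateway.
        if ntp != "local" and not (ntp == "specify" and s.get("ntp-server1") == s.get("default-gateway")):
            findings.append((eid, s.get("interface", ["?"])[0], ntp))
    return findings
```

Run it against the real output of `show full system dhcp server`; any scope it returns will hand the switches an NTP server that the FortiLink VLAN cannot reach unless a policy like the one above exists.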