FortiSwitch
riteshpv
Staff
Article Id 345120
Description: This article describes why a FortiSwitch shows as offline on the FortiGate due to an NTP issue noticed after an upgrade.
Scope: FortiSwitch with v7.6.0, or v7.4.0 and above.
Solution

Issue:

The issue is noticed when a FortiSwitch in FortiLink mode is upgraded, and possibly also after a reboot.

Behavior during the issue:

  • The FortiSwitch shows as offline on the FortiGate.
  • Clients connected to the offline FortiSwitch can still forward traffic.
  • It is still possible to SSH to the FortiSwitch via the FortiGate.

Reason:

The FortiSwitch time is not in sync with the current time because the configured NTP servers are not reachable.

Observation:

  • Connect to the FortiSwitch that is seen as offline and run the following command:

show system ntp

config system ntp
    config ntpserver
        edit 1
            set server "208.91.112.61"
        next
        edit 2
            set server "208.91.112.63"
        next
    end
    set ntpsync enable
end

 

  • As seen in the above output, multiple NTP servers are configured. However, none of them is reachable.
  • If a packet capture is collected on the FortiGate, only one-way traffic is seen on port 123 (the NTP port): requests leave, but no replies return. To validate, run the following command:

diag sniffer packet any "port 123"

  • The debug flow will show the traffic being denied by the FortiGate. To verify, use the following commands:

diagnose debug flow filter addr <ntp-server-Ip-address>
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable
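The one-way pattern described above, as an added example that is not part of the Fortinet article: a Python parser for the sniffer output format (timestamp, then src.port -> dst.port: udp length) that counts requests and replies per configured NTP server and flags servers that receive requests but never answer. The capture lines, the FortiSwitch address 10.255.1.2 and the FortiLink interface address 10.255.1.1 are constructed for the demo; the two public server addresses are the ones shown in the article's `show system ntp` output.

```python
"""Detect one-way NTP traffic in FortiGate sniffer output.

Added example, not code from the Fortinet article. It parses lines in the
shape produced by `diag sniffer packet any "port 123"` and reports, per
configured NTP server, how many requests were sent and how many replies
came back. Requests with zero replies are the symptom the article describes.
"""
import re
from collections import OrderedDict

NTP_PORT = 123

# Constructed sample capture. 10.255.1.2 is a hypothetical FortiSwitch
# management address and 10.255.1.1 a hypothetical FortiLink interface IP
# answering NTP locally; 208.91.112.61/.63 are the servers from the article.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[port 123]
1.102334 10.255.1.2.123 -> 208.91.112.61.123: udp 48
1.102441 10.255.1.2.123 -> 208.91.112.63.123: udp 48
17.103012 10.255.1.2.123 -> 208.91.112.61.123: udp 48
17.103150 10.255.1.2.123 -> 208.91.112.63.123: udp 48
33.104223 10.255.1.2.123 -> 208.91.112.61.123: udp 48
33.104390 10.255.1.2.123 -> 208.91.112.63.123: udp 48
40.000512 10.255.1.2.123 -> 10.255.1.1.123: udp 48
40.001101 10.255.1.1.123 -> 10.255.1.2.123: udp 48
"""

# Servers as they would be read from `show system ntp` plus the FortiLink IP.
CONFIGURED_SERVERS = ["208.91.112.61", "208.91.112.63", "10.255.1.1"]

# Timestamp, optional "<interface> in|out" (present at higher verbosity),
# then src.port -> dst.port: udp <length>. Header lines do not match.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+"
    r"(?:(?P<iface>\S+)\s+(?P<dir>in|out)\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)


def parse_sniffer(text):
    """Yield (src, sport, dst, dport) for every packet line in the capture."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def ntp_flow_summary(text, servers):
    """Return {server: {"requests": n, "replies": m, "one_way": bool}}.

    NTP clients often use source port 123 as well, so direction cannot be
    inferred from ports alone: a packet *to* a configured server is a
    request, a packet *from* a configured server is a reply.
    """
    stats = OrderedDict((s, {"requests": 0, "replies": 0}) for s in servers)
    for src, sport, dst, dport in parse_sniffer(text):
        if dst in stats and dport == NTP_PORT:
            stats[dst]["requests"] += 1
        elif src in stats and sport == NTP_PORT:
            stats[src]["replies"] += 1
    for s in stats.values():
        s["one_way"] = s["requests"] > 0 and s["replies"] == 0
    return stats


def unreachable_servers(text, servers):
    """Servers that were queried but never answered, sorted for stable output."""
    summary = ntp_flow_summary(text, servers)
    return sorted(ip for ip, s in summary.items() if s["one_way"])


if __name__ == "__main__":
    for ip, s in ntp_flow_summary(SAMPLE_CAPTURE, CONFIGURED_SERVERS).items():
        flag = "ONE-WAY" if s["one_way"] else "ok"
        print(f"{ip:15} requests={s['requests']} replies={s['replies']} {flag}")
    print("unreachable:", unreachable_servers(SAMPLE_CAPTURE, CONFIGURED_SERVERS))
```

Feed it the saved output of the sniffer command and the server list from `show system ntp`; any server listed by `unreachable_servers` is a candidate for the policy or local-NTP fix described in the Solution section.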


Solution:

  1. Either create a firewall policy so that the NTP server is reachable from the FortiLink interface through the FortiGate:

config firewall policy
    edit 1
        set name "all"
        set srcintf "MCLAG"   <-- FortiLink interface name.
        set dstintf "port1"   <-- FortiGate port toward the internet.
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "all"
        set nat enable
    next
end

Note: A more granular policy can be created to allow only the specific traffic required.

  2. Or use the FortiLink interface as the NTP server: set the NTP server option to 'local', or choose 'specify' and enter the IP address of the FortiLink interface.

The option is available under the FortiLink interface -> Advanced -> NTP server.

[Screenshot NTP.jpg: the NTP server setting on the FortiLink interface (FortiGate GUI).]

Note: It is necessary to reboot the FortiSwitch after the NTP configuration changes.

From the CLI, the same setting is available under the DHCP server configuration of the FortiLink interface:

show full system dhcp server

    edit 15
        set dns-service local
        set ntp-service local   <--
        set default-gateway 1.1.1.1
        set netmask 255.255.255.0
        set interface "fortilinktest"
        config ip-range
            edit 1
                set start-ip 1.1.1.2
                set end-ip 1.1.1.254
            next
        end
        set vci-match enable
        set vci-string "FortiSwitch" "FortiExtender"
    next
end