AmeyMaha
Staff
Article Id 422373
Description
This article describes the issue of a FortiSwitch in an mclag-icl setup losing connection after a FortiGate upgrade or HA failover and provides a step-by-step solution to resolve the problem. The issue occurs when a Spanning Tree Protocol (STP) priority mismatch between FortiSwitch1 and FortiSwitch2 causes the FortiSwitches to go offline.
Scope
FortiGate, FortiSwitch.
Solution

Topology:

FortiGate -> FortiSwitch1 <- Tier1 mclag-icl -> FortiSwitch2.


The FortiSwitch can be any 2xx or higher model (FortiSwitch 2xx and higher models support mclag-icl).
The FortiGate can be any model, in standalone or HA mode.


To resolve the issue of a FortiSwitch losing connection after a FortiGate upgrade, follow these steps:


  • Log in to the FortiGate, go to Switch Controller -> Managed Switches -> Topology, and open the FortiSwitch CLI by right-clicking the FortiSwitch box.


  • Check the STP priority of FortiSwitch1 and FortiSwitch2 in the network.


FortiSwitch local CLI command:


diagnose stp instance list


  • Identify the STP priority mismatch between the FortiSwitch1 and FortiSwitch2 by running the above command. In this case, the STP priority of the FortiSwitch1 is 16384, while the STP priority of FortiSwitch2 is 8192.


  • Change the STP priority of FortiSwitch1 to match that of FortiSwitch2 for STP instances 0 and 15 by enabling local-override on FortiSwitch1 and applying a custom-command configuration to FortiSwitch1. In this case, change the STP priority of FortiSwitch1 to 8192 to match the FortiSwitch2 priority of 8192. This ensures that both mclag-icl FortiSwitches act as the Root Bridge in all STP instances, including the default instances 0 and 15. Make this change from the FortiGate switch-controller CLI.


FortiGate switch-controller CLI commands: 


  1. Enable local-override on FortiSwitch1:


config switch-controller managed-switch
    edit <FortiSwitch1 SerialNumber>
        config stp-setting
            set local-override enable
        end
    next
end


  2. Create a custom command:


config switch-controller custom-command
    edit "STP-Priority"
        set command "config switch stp instance %0a edit 0 %0a set priority 8192 %0a next %0a edit 15 %0a set priority 8192 %0a next %0a end %0a"
    next
end


  3. Apply the custom command to FortiSwitch1:


config switch-controller managed-switch
    edit <FortiSwitch1 SerialNumber>
        config custom-command
            edit 1
                set command-name STP-Priority
            next
        end
    next
end


  • After changing the STP priority, run the 'diagnose stp instance list' command on both the FortiSwitches' local CLIs to ensure that both mclag-icl FortiSwitches (FortiSwitch1 and FortiSwitch2) are now showing the same Root priority and Root MAC-address.


  • After changing the STP priority, run the 'diagnose switch mclag peer-consistency check' command on both FortiSwitches' local CLIs to ensure that there are no issues with the 'FLINK_ICL0' trunk (the mclag-icl trunk).


  • Once the STP Root Bridge is the same on both switches and the mclag-icl peer-consistency check has passed, verify the fix by performing an HA failover of the FortiGates or by upgrading the FortiGates.
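As an added example (not from this article or from Fortinet), the following Python script takes the bridge priorities transcribed from each peer's 'diagnose stp instance list' output, reports the instances on which the mclag-icl peers disagree, validates the target priority, and renders the same %0a-separated custom-command string used above. The per-switch dicts and their values are constructed to mirror the article's 16384 vs 8192 case.

```python
"""Added example (not Fortinet code): spot an STP priority mismatch between
mclag-icl peers and render the switch-controller custom-command that fixes it.

Input per switch is {stp_instance: bridge_priority}, transcribed by hand from
'diagnose stp instance list'; the sample values below are constructed to match
the article (FortiSwitch1 at 16384, FortiSwitch2 at 8192 on instances 0 and 15).
"""

STP_PRIORITY_STEP = 4096    # 802.1D/802.1s: priority lives in the top 4 bits
STP_PRIORITY_MAX = 15 * STP_PRIORITY_STEP

def validate_priority(priority: int) -> int:
    """Reject values that are not a legal bridge priority (0..61440, step 4096)."""
    if not 0 <= priority <= STP_PRIORITY_MAX or priority % STP_PRIORITY_STEP:
        raise ValueError(f"STP priority must be a multiple of 4096 in 0..61440, got {priority}")
    return priority

def find_mismatches(sw1: dict, sw2: dict) -> dict:
    """Return {instance: (sw1_priority, sw2_priority)} for instances where the
    peers differ; an instance missing on one peer is reported with None."""
    mismatches = {}
    for inst in sorted(set(sw1) | set(sw2)):
        if sw1.get(inst) != sw2.get(inst):
            mismatches[inst] = (sw1.get(inst), sw2.get(inst))
    return mismatches

def render_custom_command(instances, priority: int) -> str:
    """Build the quoted 'set command' value for a switch-controller custom-command.
    FortiOS takes %0a as the line separator inside that string."""
    validate_priority(priority)
    parts = ["config switch stp instance"]
    for inst in instances:
        parts += [f"edit {int(inst)}", f"set priority {priority}", "next"]
    parts.append("end")
    return " %0a ".join(parts) + " %0a"

# Constructed sample: what the two peers reported before the fix
SWITCH1 = {0: 16384, 15: 16384}
SWITCH2 = {0: 8192, 15: 8192}

if __name__ == "__main__":
    diff = find_mismatches(SWITCH1, SWITCH2)
    for inst, (p1, p2) in diff.items():
        print(f"instance {inst}: FortiSwitch1={p1} FortiSwitch2={p2}")
    # Lower numeric priority wins the root election, so align on the lower value
    target = min(p for pair in diff.values() for p in pair if p is not None)
    print(render_custom_command(sorted(diff), target))
```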