FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
sachitdas_FTNT
Article Id 332378
Description

This article describes how to identify STP flaps in the network.

Scope

FortiGate version 7.x and above.

Managed FortiSwitches of version 7.x and above.

Solution

Check the logs below to identify STP flaps in the network. STP flaps can impact users heavily, resulting in dropped pings and higher latency for clients.

 

  1. Validate the inter-switch physical links and make sure the ports are not going down-up frequently. Check the event logs on the FortiGate GUI -> Log & Report -> System Events -> FortiSwitch Events.
  2. Know the network topology well. Once understood, identify the participating ports for STP. Check the topology view in the FortiGate GUI -> Wifi & Switch Controller -> Managed FortiSwitches.
  3. Core FortiSwitches i.e. directly connected to FortiGate should act as a root bridge and all other FortiSwitches should see the core FortiSwitch as a root bridge. Check the command 'diag stp instance list' on the Core FortiSwitches. Start the troubleshooting from the core FortiSwitch.

 

For example, in the following output, the core Fortiswitch is acting as a root bridge but TCN events received and triggered are not stable. It shows the FortiSwitch received TCN 14 minutes previously, which signifies that some other Switch is broadcasting itself as the root bridge.

 

diagnose stp instance list

 

MST Instance Information, primary-Channel:

 

Instance ID 0 (CST)

  Config         Priority 20480

                 Bridge MAC 84398fxxxxxx, MD5 Digest 9999b43d77cxxxxxxxxxx1c4a487

 

  Root           MAC 84398fxxxxxx, Priority 20480, Path Cost 0, Remaining Hops 20

                 (This bridge is the root)

 

  Regional Root  MAC 84398fxxxxxx, Priority 20480, Path Cost 0

                 (This bridge is the regional root)

 

  Active Times   Forward Time 15, Max Age 20, Remaining Hops 20

 

  TCN Events     Triggered 2453 (0d 0h 14m 9s ago), Received 1717 (0d 0h 14m 7s ago)

 

 

  1. Check logs on the core FortiSwitch(es) and access FortiSwitch(es). If there is an STP flap, an ISL FortiLink trunk interface should be seen changing the STP role between root and designated. Refer to the following example from an access FortiSwitch:

The following output will list the trunks:

 

show switch trunk


The following output lists only STP logs:

 

execute log filter view-lines 1000
execute log filter field subtype spanning_tree
execute log display

1: 20zz-0y-0X 14:11:15 log_id=0105008255 type=event subtype=spanning_tree pri=notice vd=root user="stp_daemon" action="role-change" unit="primary" switch.physical-port="_FlInK1_MLAG0_" instanceid="15" event="role migration" oldrole="designated" newrole="root" status="None" msg="primary port _FlInK1_MLAG0_ instance 15 changed role from designated to root"

5: 20zz-0y-0X 14:11:09 log_id=0105008255 type=event subtype=spanning_tree pri=notice vd=root user="stp_daemon" action="role-change" unit="primary" switch.physical-port="_FlInK1_MLAG0_" instanceid="15" event="role migration" oldrole="root" newrole="designated" status="None" msg="primary port _FlInK1_MLAG0_ instance 15 changed role from root to designated"

execute log filter reset

 

  1. Check the below output on Core FSW(s) to understand at what ports STP packets are received. Based on point 1, it is possible to know what ports should participate in STP. If any other ports with STP packets are seen, it is recommended to investigate why STP packets are seen on that port.

    diagnose switch pdu-counters list

    primary CPU counters:
      packet receive error :        0
      Non-zero port counters:
      port1:
        LACP packet                   :    67347
        STP packet                    :   575010
        LLDP packet                   :   728848
      port2:
        LACP packet                   :    67392
        STP packet                    :     4066
        LLDP packet                   :   738388

    Clear pdu-counters and then monitor as well.

    diagnose switch pdu-counters clear

     

     

     

  2. Once the port has been identified where STP packets should not be seen, check the LLDP neighbor and find out what is connected to that port. Depending on the network, some of the following further steps can be taken:

    • Disconnect the port.
    • Disable STP.
    • Make sure both sides run the correct STP settings.
    • Make sure the same STP protocol (FortiSwitch runs MSTP by default) is used on both sides or that both sides are compatible. For an example, see the FortiLink guide.

      LLDP command: The following example shows a third-party switch connected to port46 that could be causing the issue.

     

    get switch lldp neighbors-summary

    port46      Up       Nexus      120   BR          -         Ethernet1/40

     

     

  3. If the issue persists, raise a TAC ticket for further debugging. Attach the outputs of the following to the ticket:

     

    • Topology view in FortiGate GUI -> Wifi & Switch Controller -> Managed FortiSwitches.
    • FortiGate config.
    • Output from the FortiGate CLI command 'exec switch-controller get-conn-status'.
    • Outputs from the following commands on the Core FortiSwitch(es) 'diag debug report' and 'show full-config'.