sachitdas_FTNT
Article Id 329592
Description

This article describes how to resolve the 'API error 60' message, which prevents pushing configuration from FortiGate to a managed FortiSwitch.

Scope

FortiGate version 7.x and managed FortiSwitch version 7.x.

Solution

After importing a local certificate on the FortiSwitch, the following sync error may appear on the FortiGate:

execute switch-controller get-sync-status all
Managed-devices in current vdom root:

FortiLink interface : fortilink
SWITCH-ID (SERIAL)       STATUS   CONFIG   MAC-SYNC   HTTP-UPGRADE
Switch (S148FFTxxxxx)    Up       Error    Error      -

[1]
 command: https://192.168.x.x:443/api/v2/login
 payload:
 result : REST API login failed with error 60


Because of this error, the configuration is not pushed from the FortiGate to the managed FortiSwitch.

Follow these steps to rectify the error:

  1. Upload the CA on FortiGate:

FortiGate-60F # execute vpn certificate ca import tftp /temp/zzzz/zzzzrootCA.crt <tftp ip address>
y
Done.

show vpn certificate ca CA_Cert_1
config vpn certificate ca
    edit "CA_Cert_1"
        set range global
    next
end

  2. Change the tunnel mode to 'moderate' (refer to this section of the documentation).

show switch-controller system
config switch-controller system
    set tunnel-mode moderate
end

  3. On FortiSwitch, import the local certificate:

execute system certificate local import tftp <file-name> <tftp_ip>

For example:

execute system certificate local import tftp temp/xxxx/xxxx074.p12 10.105.129.1 p12 fortinet123

Show the certificate:

show system certificate local
config system certificate local
    edit "xxxx074"
        set password ENC wuPp7AGYkncE2QblJ6pjdyed1MfVG+dVhJ6sy9aDP+B50ykGwPsa5R7DcKrd6b2SfhidSZg1vN9NLlssOHthDyCWAfzpx6MNRo9j8ojJY0FsU1kTk/r/71KGva5RldCZODJBII5FtN5pvJhj8znzythf8XX8O/UwWzbGEDJ+H4uOUnfE
    next
end

config system web
    set https-server-cert "xxxx074"
end
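
The following pre-flight check is an added example, not part of the original article or Fortinet tooling. Run on an admin workstation with OpenSSL, it confirms that the certificate in the .p12 imported on the FortiSwitch (step 3) chains to the CA file uploaded to the FortiGate (step 1). The function names, file names and the password demo-pass are assumptions, and the demo PKI is constructed.

```shell
#!/bin/sh
# Added example, not Fortinet code. File names, subjects and the password
# "demo-pass" are constructed for the demo.

# chains_to_ca P12 PASSWORD CA_PEM
# Returns 0 if the certificate inside P12 verifies against CA_PEM alone,
# 1 if the chain does not build, 2 if the bundle cannot be opened.
chains_to_ca() {
    leaf=$(mktemp) || return 2
    if ! openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
            -out "$leaf" 2>/dev/null; then
        rm -f "$leaf"
        return 2
    fi
    # -no-CApath keeps the system trust store out of the decision.
    if openssl verify -no-CApath -CAfile "$3" "$leaf" 2>/dev/null |
            grep -q ': OK$'; then rc=0; else rc=1; fi
    rm -f "$leaf"
    return "$rc"
}

# make_demo_pki DIR: constructed root CA, an unrelated CA, and a switch
# certificate issued by the root CA and packed into DIR/sw.p12.
make_demo_pki() {
    d=$1
    for ca in rootCA otherCA; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=demo-$ca" -keyout "$d/$ca.key" -out "$d/$ca.crt" \
            2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-switch" \
        -keyout "$d/sw.key" -out "$d/sw.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/sw.csr" -CA "$d/rootCA.crt" \
        -CAkey "$d/rootCA.key" -CAcreateserial -days 1 \
        -out "$d/sw.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$d/sw.key" -in "$d/sw.crt" \
        -passout pass:demo-pass -out "$d/sw.p12" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    chains_to_ca "$dir/sw.p12" demo-pass "$dir/rootCA.crt" &&
        echo "issuing CA: chain builds"
    chains_to_ca "$dir/sw.p12" demo-pass "$dir/otherCA.crt" ||
        echo "unrelated CA: chain does not build"
    rm -rf "$dir"
}
demo
```

A return value of 1 for the real bundle means the CA file in hand is not the one that issued the switch certificate, so uploading it to the FortiGate would not make that certificate verifiable.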