Description
This article describes steps to perform when SFP/SFP+ fiber link is not coming up.
Scope
FortiSwitch and FortiGate.
Solution
Things to check if the SFP/SFP+ link is not coming up.
- Ensure that a compatible transceiver is used. Download the file 'Compatible Transceivers' from the link below, or contact support to verify if the transceiver is supported or not.
- FortiGate models have specific ports dedicated to SFP/SFP+ and might not work if misused.
Some ports are shared (for example, RJ45 and SFP combo); only one can be used at a time.
Check the model’s hardware guide :
FortiSwitch - Compatible Transceivers
- Try to set the speed setting manually on both sides.
- For example, some higher-end switch models will have speed set to 'auto-module' by default on the SFP/SFP+ ports, whereas lower-end models like 1xx and 2xx series do not support auto-module.
When auto-module speed detection is enabled, the system reads information from the module and sets the port speed to the maximum speed that is advertised by the module. If the system encounters a problem when reading from the module, it sets the default speed (the default value is platform-specific).
When the auto-module sets the speed, the system creates a log entry noting this speed.
Note: Auto-speed detection is supported on 1/10G ports, but not on higher-speed ports (such as 40G).
- Another point to check is that some FortiSwitches do not support SFP+/10-Gig link and only support SFP (1Gig), so this FortiSwitch is connected to a higher-end FortiSwitch that supports SFP+, make sure that the speed is set to 1000auto or 1000full on both sides.
Check regarding SFP/SFP+ support in the switch QuickStart guide.
Hardware
- Configuring port speed:
Standalone switch:
S248E # config switch physical-port
S248E (physical-port) # edit port52
S248E (port52) # set speed
1000auto Auto-negotiation (1Gbps full-duplex only).
1000full 1Gbps full-duplex.
auto Auto-negotiation.
S248E (port52) # end
Managed Switch: (The below change is only for the switches which is authorized UP on the FortiGate).
FG200E (root) # config switch-controller managed-switch
FG200E (managed-switch) # edit <switch_serial#>
FG200E (switch_serial#) # config ports
FG200E (ports) # edit port52
FG200E (port52) # set speed
1000auto Auto-negotiation (1G full-duplex only).
1000full 1G full-duplex
auto Auto-negotiation.
FG200E (port52) # end
FG200E (switch_serial#) # end
-
Verify if the link comes up if the cables are connected back to back on the same FortiSwitch. For example: connecting a cable from port52 to port51 on the same FortiSwitch.
-
Collect the following outputs from both switches:
get switch modules detail <port#> <----- This command describes the transceiver.
Port(port10)
identifier SFP/SFP+
connector LC
transceiver 1000-Base-SX
encoding 8B/10B
Length Decode Common
length_smf_1km N/A
length_cable N/A
SFP Specific
length_smf_100m N/A
length_50um_om2 300 meter
length_62um_om1 150 meter
length_50um_om3 N/A
vendor
vendor_oid
vendor_pn
vendor_rev
vendor_sn
manuf_date
get switch modules limits <port#> <----- This command indicates at what limit, there will be an SFP alarm and warning raised.
For example, if the light inside the fiber cable is received (rx power) at a poor dBm value, i.e., greater than the limit shown in the alarm, then the SFP link will not come up.
In such scenarios, test with a different SFP module or fiber cable, or test on a different SFP port to segregate the source of the issue.
Port(port10)
Alarm || Warning
| High | Low || High | Low
temperature | 110.0000 | 216.0000 || 93.0000 | 226.0000 C
voltage | 3.6000 | 3.0000 || 3.5000 | 3.1000 V
laser_bias | 1.3000 | 0.1000 || 1.2500 | 0.2000 mA
tx_power | 0.0000 | -13.4969 || -2.9999 | -9.5001 dBm
rx_power | 0.4999 | -21.0237 || -1.0002 | -16.9897 dBm
get switch modules status <port#> <----- In this command, as an example, see that the rx_power is very poor -25dBm, which exceeds the alarm limit, so the link will not come up and the SFP port will show in the alarm state.
Port(port10)
temperature 37.886719 C
voltage 3.310100 volts
alarm_flags 0x0040
warning_flags 0x0040
laser_bias 0.654400 mAmps
tx_power -5.132862 dBm
rx_power -25.086384 dBm
options 0x000F ( TX_DISABLE TX_FAULT RX_LOSS TX_POWER_LEVEL1 )
options_status 0x000C ( RX_LOSS TX_POWER_LEVEL1 )
get switch modules summary <port#>
Portname State Type Transceiver RX Vendor Part Number Serial Number
__________ _______ _______ ____________ ___ ________________ ________________ ______________
port10 ALARM SFP/SFP+ 1000-Base-SX
Check the FortiSwitch logs to see if there is any alarm raised:
execute log filter view-lines 1000
execute log display
..
type=event subtype=link pri=critical vd=root user="admin" msg="Slot 0 Port 10, DMI_RX_POWER_LOW Alarm Raised"
diagnose switch physical-ports summary <port#> <- To check the port status.
Portname Status Tpid Vlan Duplex Speed Flags Discard
__________ ______ ____ ____ ______ _____ __________ _________
Port10 down 8100 1 full 1G , , none
diagnose debug report
show full-config
-
Make sure that the FEC state is negotiated properly.
FGT200E# diagnose hardware deviceinfo nic port13
...
link_fec :Off (0x2)
link_fec_cap :Off,RS,BaseR (0x1c) --> Reed-Solomon (FEC CL91).
- FSW # diagnose switch physical-ports list port1
...
Interface Type is Copper Reach (CR), FEC is Clause74 ---> Fire-Code (FEC CL74).
Note: To see LR4, SR4, and CR4 media types, the port speed needs to be set to 100Gfull.
See Technical Tip: Setting FortiGate port media type.
In some cases, FEC is disabled on the FortiGate interface while the FortiSwitch is trying to negotiate the FEC algorithm. With this setup, the fiber interface on the FortiGate and FortiSwitch will show as down. In this case, this can be set manually on both FortiSwitch and FortiGate interfaces, as shown below.
FortiOS:
config system interface
edit "portxx"
....
set forward-error-correction (cl74-fc-fec /cl91-rs-fec/disable)
...
next
end
FortiSwitch:
config switch physical-port
edit "portxx"
set fec-state (cl74/cl91/detect-by-module/disabled)
next
end
- Gather details like when and from where the module was purchased, take a picture of the SFP module, and the length of the cable, and feel free to contact support with all the above information for further assistance.
Related articles:
Additional steps for troubleshooting:
- Check whether SFP or SFP+ transceivers are used, and slots for SFP and SFP+ modules look exactly the same.
- Additionally, run the below commands to check the transceiver's status.
get sys interface transceiver
get sys interface transceiver <affected_port>
diagnose hardware deviceinfo nic <affected_port>
show system interface <affected_port>
As they are the same size, the SFP transceiver will fit seamlessly into an SFP+ switch port and vice versa.
However, the connection will not work as expected. Or, worse even, it will not work at all.
If an SFP device is plugged into an SFP+ port, the speed will be locked at 1 Gbps.
Plugging an SFP+ module into an SFP port delivers no results at all, as the 10G transceiver can never auto-negotiate to 1Gbps.
- Remove the SFP module. Inspect for physical damage to the connector, the module, and the module slot.
- Replace the SFP module with a known good SFP module if available.
- Try installing it in another SFP port if available to see if the problem persists or goes away. If it goes away, it could be an issue with the port on the firewall. In that case, create a TAC ticket and post the details.
- Check that the optic cable is in good shape.
Fiber optic cables are exceptionally vulnerable. Dust, dirt, or tampering might cause physical damage.
So, if there are problems when connecting devices, check the connector, the module, and the module slot to make sure they are not damaged.
To avoid physical damage, avoid extreme bends in fiber optic cables when storing them, and put dust caps on the cable ends if disconnected.
Replace the cable with a tested, known good cable if available.
Related article for configuring speed on SFP:
Troubleshooting Tip: Verify FortiGate Configuration for SFP Transceivers
