Troubleshooting Tip: SFP/SFP+ transceivers port/fiber link is not coming up

sachitdas_FTNT · ‎10-05-2020

Description

This article describes steps to perform when SFP/SFP+ fiber link is not coming up.

Scope

FortiSwitch and FortiGate.

Solution

Things to check if SFP/SFP+ link is not coming up.

Ensure that a compatible transceiver is used.
Download the file 'Compatible Transceivers' from the below link OR contact support to verify if the transceiver is supported or not.
FortiSwitch - Compatible Transceivers
Try to set the speed setting manually on both sides.

For example, some higher-end switch models will have speed set to 'auto-module' by default on the SFP/SFP+ ports whereas lower-end models like 1xx, and 2xx series do not support auto-module.

When auto-module speed detection is enabled, the system reads information from the module and sets the port speed to the maximum speed that is advertised by the module. If the system encounters a problem when reading from the module, it sets the default speed (default value is platform-specific).

When the auto-module sets the speed, the system creates a log entry noting this speed.

Note: Auto-speed detection is supported on 1/10G ports, but not on higher-speed ports (such as 40G).

Another point to check is that some FortiSwitches do not support SFP+/10-Gig link and only support SFP (1gig), so this FortiSwitch is connected to a higher-end FortiSwitch that supports SFP+, make sure that the speed is set to 1000auto or 1000full on both sides.
Check regarding SFP/SFP+ support in the switch quickstart guide.
Hardware
Configuring port speed:
Standalone Switch:

S248E # config switch physical-port

S248E (physical-port) # edit port52
S248E (port52) # set speed

1000auto    Auto-negotiation (1Gbps full-duplex only).
1000full    1Gbps full-duplex.
auto        Auto-negotiation.

S248E (port52) # end

Managed Switch: (The below change is only for the switches which is authorized UP on the FortiGate).

FG200E (root) # config switch-controller managed-switch
FG200E (managed-switch) # edit <switch_serial#>
FG200E (switch_serial#) # config ports
FG200E (ports) # edit port52
FG200E (port52) # set speed
1000auto    Auto-negotiation (1G full-duplex only).
1000full    1G full-duplex
auto        Auto-negotiation.

FG200E (port52) # end
FG200E (switch_serial#) # end

Verify if the link comes up if the cables are connected back to back on the same FortiSwitch. For example: connecting a cable from port52 to port51 on the same FortiSwitch.
Collect the below outputs from both switches:

get switch modules detail <port#> <----- This command describes the transceiver.

Port(port10)
identifier       SFP/SFP+
connector        LC
transceiver      1000-Base-SX
encoding         8B/10B
Length Decode Common
length_smf_1km N/A
length_cable    N/A
SFP Specific
length_smf_100m N/A
length_50um_om2 300 meter
length_62um_om1 150 meter
length_50um_om3 N/A
vendor
vendor_oid
vendor_pn
vendor_rev
vendor_sn
manuf_date

get switch modules limits <port#>      <----- This command indicates at what limit, there will be an SFP alarm and warning raised. For example: if the light inside the fiber cable is received (rx power) at poor dbm value i.e. greater than the limit shown in the alarm, then the SFP link will not come up.

In such scenarios, test with a different SFP module or fiber cable or test on a different SFP port to segregate the source of the issue.

Port(port10)
                     Alarm        ||       Warning
            |   High   |   Low    ||   High   | Low
temperature | 110.0000 | 216.0000 || 93.0000 | 226.0000 C
voltage     |   3.6000 |   3.0000 ||   3.5000 |   3.1000 V
laser_bias |   1.3000 |   0.1000 ||   1.2500 |   0.2000 mA
tx_power    |   0.0000 | -13.4969 || -2.9999 | -9.5001 dBm
rx_power    |   0.4999 | -21.0237 || -1.0002 | -16.9897 dBm

get switch modules status <port#>    <----- In this command, as an example, see that the rx_power is very poor -25dbm which exceeds the alarm limit, so the link will not come up and the SFP port will show in the alarm state.

Port(port10)

temperature      37.886719 C
voltage          3.310100 volts
alarm_flags      0x0040
warning_flags    0x0040
laser_bias       0.654400 mAmps
tx_power         -5.132862 dBm
rx_power         -25.086384 dBm
options          0x000F ( TX_DISABLE TX_FAULT RX_LOSS TX_POWER_LEVEL1 )
options_status   0x000C ( RX_LOSS TX_POWER_LEVEL1 )

get switch modules summary <port#>

Portname   State    Type       Transceiver    RX Vendor           Part Number      Serial Number
__________ _______ _______    ____________   ___ ________________ ________________ ______________
port10     ALARM   SFP/SFP+    1000-Base-SX

Check the FortiSwitch logs to see if there is any alarm raised:

execute log filter view-lines 1000
execute log display
..
                     type=event subtype=link pri=critical vd=root user="admin" msg="Slot 0 Port 10, DMI_RX_POWER_LOW Alarm Raised"

diagnose switch physical-ports summary <port#>    <----- To check the port status.

Portname    Status Tpid Vlan Duplex Speed Flags       Discard
__________ ______ ____ ____ ______ _____ __________ _________

Port10       down    8100 1     full    1G       , ,      none

diag debug report
show full-config

Make sure that the FEC state is negotiated properly.

FGT200E# diagnose hardware deviceinfo nic port13
...
link_fec :Off (0x2)
link_fec_cap :Off,RS,BaseR (0x1c) --> Reed-Solomon (FEC CL91).

FSW # diagnose switch physical-ports list port1
...
Interface Type is Copper Reach (CR), FEC is Clause74 ---> Fire-Code (FEC CL74)

FEC can also be set manually on FortiSwitch and FortiGate as shown below.

FortiOS:

config system interface
edit "portxx"
....
set forward-error-correction (cl74-fc-fec /cl91-rs-fec/disable)
...
next
end

FortiSwitch:

config switch physical-port
edit "portxx"
set fec-state (cl74/cl91/detect-by-module/disabled)
next
end
Gather details like when and from where the module was purchased, take a picture of the SFP module, and the length of the cable, and feel free to contact support with all the above information for further assistance.

Related Articles:

Technical Tip: Port speed configuration for DAC (Direct Attach Copper) cable

Technical Tip: Recommended Port speed configuration for SR (short range) SFP cable

Technical Tip: Recommended port speed configuration when using copper SFP module 1000-Base-T

Additional steps for troubleshooting:

Check whether SFP or SFP+ transceivers are used and slots SFP and SFP+ modules look exactly the same.

As they are the same size, the SFP transceiver will fit seamlessly into an SFP+ switch port and vice versa.

However, the connection will not work as expected. Or, worse even, it will not work at all.

If an SFP device is plugged into an SFP+ port, the speed will be locked at 1 Gbps.

Plugging an SFP+ module into an SFP port delivers no results at all, as the 10G transceiver can never auto-negotiate to 1Gbps.

Remove the SFP module. Inspect for physical damage to the connector, the module, and the module slot.
Replace the SFP module with a known good SFP module if available.
Try installing it in another SFP port if available to see if the problem persists or goes away. If it goes away, it could be an issue with the port on the firewall. In that case, please create a TAC ticket and post the details.
Is the optic cable in good shape?

Fiber optic cables are exceptionally vulnerable. Dust, dirt, or tampering might cause physical damage.

So, if there are problems when connecting devices, check the connector, the module, and the module slot to make sure they’re not damaged.

To avoid physical damage, avoid extreme bends in fiber optic cables when storing them and put dust caps on the cable ends if disconnected.

Replace the cable with a tested known good cable if available.

Related Article for configuring speed on SFP:

Troubleshooting Tip: Verify FortiGate Configuration for SFP Transceivers