FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
riteshpv
Staff
Article Id 397013
Description This article explains a scenario where the STP state is intermittently disabled on FortiLink trunk ports that have MCLAG enabled, and outlines how to identify and correct this behavior.
Scope FortiSwitch in Managed Mode, versions 7.2, 7.4, 7.6.
Solution

topology.jpg

 

Refer to the above topology, where the FortiLink interface is configured as an aggregate (using ports x1 and x2).

 

Note: STP is disabled by default on the FortiLink trunk (G200E4Q16900196) connecting to the FortiGate.

 

In some cases, the STP state is observed to be randomly disabled on FortiLink trunks or trunks configured with MCLAG.

 

For example, consider the following trunk configuration on FortiSwitch S448DF3XXXXXX305:


config switch trunk
    edit "G200E46XXXXX196"
        set mode lacp-active
        set auto-isl 1
        set fortilink 1
        set members "port45"
    next
    edit "_FlInK1_ICL0_"
        set mode lacp-active
        set auto-isl 1
        set mclag-icl enable
        set members "port42"
    next
    edit "8EFTFXXXXX075-0"
        set mode lacp-active
        set auto-isl 1
        set mclag enable    <------------------
        set static-isl enable
        set members "port44"
    next
    edit "PO3"
        set mode lacp-active
        set mclag enable    <---------------------
        set members "port41"
    next
end


To verify the configured STP state of the MCLAG-enabled trunks, use the following command on the FortiSwitch:


show full-configuration switch interface <trunk-name> | grep -B 12 stp-state


config switch interface
    edit "8EFTFXXXXX075-0"
    ...
        set stp-state enabled

config switch interface
    edit "PO3"
    ...
        set stp-state enabled


Despite STP being enabled in the configuration, logs indicate that the STP state was disabled unexpectedly:

 

execute log display


2025-06-19 02:09:13 log_id=0105008251 type=event subtype=spanning_tree pri=notice
vd=root user="admin" userfrom="ssh(1.1.1.1)" unit="primary" switch.interface="PO3"
event="stp disabled on interface" msg="user admin disabled STP on primary interface PO3"

 

2025-06-19 02:09:13 log_id=0105008251 type=event subtype=spanning_tree pri=notice
vd=root user="admin" userfrom="ssh(1.1.1.1)" unit="primary" switch.interface="8EFTFXXXXX075-0"
event="stp disabled on interface" msg="user admin disabled STP on primary interface 8EFTF18000075-0"

 

Note: The same events can be verified from the FortiGate; see "Viewing event logs".


Root Cause:

This behavior occurs when mclag-stp-aware is disabled on the MCLAG-ICL peer FortiSwitches. By default, this setting is enabled on FortiSwitches forming the MCLAG-ICL pair.

 

To verify the current setting:


show full-configuration switch global


config switch global
    set mclag-stp-aware disable
end


Resolution:


Ensure mclag-stp-aware is enabled on the MCLAG-ICL peer switches.


config switch global
    set mclag-stp-aware enable
end


Additionally, verify whether this setting is being overridden via configuration pushed from the FortiGate (for example, through custom-commands) or modified by external sources. If this was disabled unintentionally, re-enable the setting as shown above.
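The checks above can be combined in one pass over saved CLI output. The following Python sketch is an added example, not Fortinet tooling: it lists the trunks with `set mclag enable`, checks the global `mclag-stp-aware` setting, and reports "stp disabled on interface" events that hit those trunks. The sample inputs are constructed from the excerpts in this article, with each log record assumed to be on a single line.

```python
import re

# Constructed sample inputs, modelled on the excerpts in this article.
TRUNKS = '''config switch trunk
    edit "_FlInK1_ICL0_"
        set mclag-icl enable
    next
    edit "PO3"
        set mclag enable    <---------------------
        set members "port41"
    next
end'''
GLOBAL = '''config switch global
    set mclag-stp-aware disable
end'''
_EVT = ('{t} log_id=0105008251 type=event subtype=spanning_tree user="admin" '
        'userfrom="ssh(1.1.1.1)" switch.interface="{i}" event="stp disabled on interface"')
LOGS = [_EVT.format(t="2025-06-19 02:09:13", i="PO3"),
        _EVT.format(t="2025-06-19 02:10:00", i="port10")]  # port10: not an MCLAG trunk

def mclag_trunks(config):
    """Names of trunks carrying 'set mclag enable' (the mclag-icl trunk is excluded)."""
    found, current = set(), None
    for line in config.splitlines():
        tokens = line.split()  # trailing annotations such as '<----' are ignored
        if tokens[:1] == ["edit"] and len(tokens) > 1:
            current = tokens[1].strip('"')
        elif tokens[:3] == ["set", "mclag", "enable"] and current:
            found.add(current)
    return found

def stp_aware_disabled(config):
    """True when 'config switch global' shows mclag-stp-aware disabled."""
    return re.search(r"^\s*set mclag-stp-aware disable\b", config, re.M) is not None

def parse_log(line):
    """Split one key=value event line into a dict; quoted values may hold spaces."""
    fields = {k: q or b for k, q, b in re.findall(r'([\w.]+)=(?:"([^"]*)"|(\S+))', line)}
    fields["time"] = line[:19]  # leading 'YYYY-MM-DD HH:MM:SS' timestamp
    return fields

def stp_disable_events(lines, trunks):
    """STP-disable events whose interface is one of the given MCLAG trunks."""
    events = [parse_log(l) for l in lines]
    return [(e["time"], e["switch.interface"], e.get("user"), e.get("userfrom"))
            for e in events if e.get("event") == "stp disabled on interface"
            and e.get("switch.interface") in trunks]

if __name__ == "__main__":
    print(stp_aware_disabled(GLOBAL), stp_disable_events(LOGS, mclag_trunks(TRUNKS)))
```

STP-disable events on MCLAG trunks that coincide with `mclag-stp-aware disable` on the ICL peers match the scenario described under Root Cause.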