Description: This article describes the errors observed on FortiGate when a FortiSwitch port is configured with allowed VLANs set to 'ALL'.
Scope: FortiSwitch v7.2, FortiGate (any version).
Solution:
FortiGate GUI option for setting the allowed VLANs of a FortiSwitch port:
Issue: On older versions, when FortiSwitch ports are configured with allowed VLANs = ALL, the following error appears on FortiGate:
FortiGate# execute switch-controller get-conn-status
Managed-devices in current vdom root:
FortiLink interface : fortilink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME NAME
S108FPXXXXXXXX v7.2.7 (479) Authorized/Up E 172.17.2.2 Sat Aug 23 01:01:41 2025 -
Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 3=L3
Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 24)
FortiGate# execute switch-controller get-sync-status all
Managed-devices in current vdom root:
FortiLink interface : fortilink
SWITCH (NAME) STATUS CONFIG MAC-SYNC HTTP-UPGRADE
S108FPXXXXXXXX Up Error - -
[1]
payload: { "json": { "discard-mode": "none", "allowed-vlans": "4093 4091 4090 4092 4089 4088 30 20 10 55 8 31 32 33 34 35 36 37 " } }
result : {
"http_method":"PUT",
"status":"error",
"http_status":400,
"vdom":"root",
"path":"switch",
"name":"interface",
"mkey":"port2",
"cmdb-index":"626",
"cmdb-checksum":"18090615568083149156",
"serial":"S108FPXXXXXXXX ",
"version":"v7.2.7",
"build":479,
"timestamp":"2025-08-22T13:49:38Z"
}
[2]
payload: { "json": { "discard-mode": "none", "allowed-vlans": "1 4093 4091 4090 4092 4089 4088 20 10 55 8 31 32 33 34 35 36 37 " } }
result : {
"http_method":"PUT",
"status":"error",
"http_status":400,
"vdom":"root",
"path":"switch",
"name":"interface",
"mkey":"port5",
"cmdb-index":"626",
"cmdb-checksum":"18090615568083149156",
"serial":"S108FPXXXXXXXX ",
"version":"v7.2.7",
"build":479,
"timestamp":"2025-08-22T13:49:39Z"
}
On the FortiSwitch, running CLI debug while the VLANs are applied shows return code -9999 on the 'end' of the affected ports, which means the configuration was not saved:
S108FPXXXXXXXX # diagnose debug cli 8
S108FPXXXXXXXX # diagnose debug enable
S108FPXXXXXXXX # 0: config switch physical-port
0: edit "port2"
0: unset link-status
0: end
0: config switch interface
0: edit "port2"
0: unset allowed-vlans
0: set allowed-vlans 8,10,20,30-37,55,4088-4093
-9999: end
0: config switch physical-port
0: edit "port3"
0: unset link-status
0: end
0: config switch interface
0: edit "port3"
0: unset allowed-vlans
0: set allowed-vlans 8,10,20,30-37,55,4088-4093
0: end
0: config switch interface
0: edit "port3"
0: config port-security
0: end
0: end
0: config switch physical-port
0: edit "port5"
0: unset link-status
0: end
0: config switch interface
0: edit "port5"
0: unset allowed-vlans
0: set allowed-vlans 1,8,10,20,31-37,55,4088-4093
-9999: end
Observation:
This issue occurs when the configuration is applied on FortiSwitch ports where RPVST+ is enabled.
Note: If 'ALL' is set on ports without RPVST+, the VLAN configuration is pushed successfully.
Example (problematic config):
S108FPXXXXXXXX # show switch interface port5
config switch interface
edit "port5"
set native-vlan 30
set allowed-vlans 1,8,10,20,31-34,55,4088-4093
set untagged-vlans 4093
set rpvst-port enabled
set auto-discovery-fortilink enable
set snmp-index 5
next
Root Cause:
In FortiSwitch v7.2.7, ports with RPVST+ enabled are limited to 16 VLANs. Refer to the v7.2.7 administration guide.
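To make the root cause checkable before a push fails, the following added script (not Fortinet's code and not part of the original article) expands a FortiSwitch allowed-VLAN specification in both notations seen above (the CLI form '8,10,20,30-37,55,4088-4093' and the space-separated API payload form), reads 'rpvst-port' and 'allowed-vlans' out of a 'config switch interface' dump, and reports every RPVST+-enabled port whose expanded list exceeds the 16-VLAN limit the article cites for v7.2.7. The sample configuration and payload embedded in it are constructed from the article's values; the function names and the limit constant are this example's own.

```python
import json
import re
from typing import Dict, List, Set

# Per-port VLAN limit for RPVST+-enabled ports that the article cites for
# FortiSwitch v7.2.7 (hypothetical constant name; value from the article).
RPVST_VLAN_LIMIT = 16


def parse_vlan_ranges(spec: str) -> Set[int]:
    """Expand a VLAN list into a set of VLAN IDs.

    Accepts the CLI form '8,10,20,30-37,55,4088-4093' and the API payload
    form '4093 4091 ... 37 ' (space separated, trailing space allowed).
    """
    vlans: Set[int] = set()
    for token in re.split(r"[,\s]+", spec.strip()):
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            if lo > hi:
                lo, hi = hi, lo
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(token))
    # Only 802.1Q IDs 1-4094 are valid; anything else is a malformed spec.
    bad = sorted(v for v in vlans if not 1 <= v <= 4094)
    if bad:
        raise ValueError(f"VLAN IDs out of range: {bad}")
    return vlans


def parse_switch_interfaces(config_text: str) -> Dict[str, dict]:
    """Collect allowed-vlans and rpvst-port per port from a 'config switch interface' dump."""
    ports: Dict[str, dict] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            ports[current] = {"allowed": set(), "rpvst": False}
            continue
        if current is None:
            continue
        if line.startswith("set allowed-vlans "):
            ports[current]["allowed"] = parse_vlan_ranges(line[len("set allowed-vlans "):])
        elif line.startswith("set rpvst-port "):
            ports[current]["rpvst"] = line.split()[-1] == "enabled"
        elif line == "next":
            current = None
    return ports


def check_rpvst_vlan_limit(config_text: str, limit: int = RPVST_VLAN_LIMIT) -> List[dict]:
    """Report RPVST+ ports whose expanded allowed-vlans list exceeds the limit."""
    findings = []
    for port, info in parse_switch_interfaces(config_text).items():
        count = len(info["allowed"])
        if info["rpvst"] and count > limit:
            findings.append({"port": port, "vlan_count": count, "limit": limit})
    return findings


def payload_vlan_count(payload: str) -> int:
    """Count the VLANs carried in a switch-controller API payload like the one logged above."""
    return len(parse_vlan_ranges(json.loads(payload)["json"]["allowed-vlans"]))


# Constructed sample: port3 without RPVST+ (pushed fine in the article's debug),
# port5 with RPVST+ and the same 18-VLAN list (failed with -9999), and a port
# with RPVST+ that stays within the limit.
SAMPLE_CONFIG = """\
config switch interface
    edit "port3"
        set native-vlan 30
        set allowed-vlans 8,10,20,30-37,55,4088-4093
        set untagged-vlans 4093
    next
    edit "port5"
        set native-vlan 30
        set allowed-vlans 8,10,20,30-37,55,4088-4093
        set untagged-vlans 4093
        set rpvst-port enabled
    next
    edit "port6"
        set allowed-vlans 1,8,10,20,31-34,55,4088-4093
        set rpvst-port enabled
    next
end
"""

# Constructed from the article's API payload for port2.
SAMPLE_PAYLOAD = '{ "json": { "discard-mode": "none", "allowed-vlans": "4093 4091 4090 4092 4089 4088 30 20 10 55 8 31 32 33 34 35 36 37 " } }'

if __name__ == "__main__":
    print("payload VLAN count:", payload_vlan_count(SAMPLE_PAYLOAD))
    for finding in check_rpvst_vlan_limit(SAMPLE_CONFIG):
        print(f"{finding['port']}: {finding['vlan_count']} VLANs > limit {finding['limit']} with RPVST+ enabled")
```

Run it against the output of 'show switch interface' from the switch (or the allowed-vlans string from the FortiGate API log) to see which ports will be rejected before the next sync; the space-separated payload form and the comma/range CLI form expand to the same set of 18 VLANs, which is what the -9999 on port2 and port5 reflects.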
Resolution: