Help
FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
riteshpv
Staff
Staff

Created on ‎11-12-2024 05:50 AM

Article Id 357151

Troubleshooting Tip: Unable to push new configurations to managed FortiSwitch after configuration changes

Description This article describes an issue encountered where configuration changes fail to push to a managed FortiSwitch after changing the HTTPS port on the FortiSwitch.
Scope FortiSwitch version v7.2 v7.4 v7.6.
Solution

Basic Understanding:

  • FortiSwitch devices can be managed by FortiGate, FortiSwitch Manager, or FortiCloud.
  • Management occurs over the internal interface (if using in-band management) or the management port (out-of-band management).
  • Access to manage FortiSwitch can also be set up via a Layer 3 interface (switch-virtual-interface (SVI)) or a dedicated management port.
  • The default management access uses HTTPS on port 443 and SSH on port 22.

 

Requirement: In some cases, security policies may require using non-standard ports for HTTPS (e.g., 4443 instead of 443).

 

Configuration Change: To change the HTTPS port, run the following command directly on a FortiSwitch to apply the configuration globally:

 

config system web
    set https-port 4443
end

 

After this change, FortiSwitch management (internal/SVI/management) becomes accessible only on the new HTTPS port (for example: 4443).

 

Consequence:

  • Applying this configuration causes synchronization issues for managed FortiSwitches, preventing any new configurations from being pushed by the manager.
  • On FortiGate/FortiSwitch Manager, this may show in results as a config sync (C/3C) or config sync error (E) flag.

Example FortiGate Command: Use the following command to review connection status:

 

Fortigate # execute switch-controller get-conn-status

SWITCH-ID        VERSION         STATUS       FLAG  ADDRESS          JOIN-TIME             SERIAL
S248EFTF1XXXXXX   v7.4.0 (767)  Authorized/Up  3C   1.1.1.4    Wed Nov 6 18:52:29 2024 S248EFTF1XXXXXX

 

Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External

In debug logs on FortiGate, the sync error will be evident:

 

Debug command:

 

diagnose debug console timestamp enable
diagnose debug application flcfgd -1
diag debug enable

 

Example Error Message:

 

2024-11-12 16:00:33 396s:793ms:160us flcfg_remove_msw_sync_errors[1143]:No file /tmp/switch-controller/error-log/S248EFTF1XXXXXX to remove.

 

This error occurs because the manager, by default, uses port 443 (HTTPS) to push configurations to the managed FortiSwitch and cannot use a custom port (for example, port 4443), even if it is configured directly on the FortiSwitch.

 

Resolution:

  • Do not change the default HTTPS port when the FortiSwitch is managed. Reset the HTTPS port to the default as follows:

 

config system web
    set https-port 443
end

 

For more information on the protocols used to manage FortiSwitch, refer to Management-Protocols-for-FortiSwitch-discovery.
109
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.