riteshpv
Staff
Article Id 317964
Description

This article describes why errors may occur when setting up a capture (port mirror) on the FortiLink port connected to FortiGate.

Scope

FortiSwitch (in FortiLink only).
Solution

This behavior is noticed on a FortiSwitch FortiLink trunk/port that is connected to FortiGate.
As shown below, the switch has a FortiLink trunk connection to the FortiGate on FortiSwitch port1.

 

sh switch trunk

config switch trunk
    edit "G200E4Q16XXXXX"
        set mode lacp-active
        set auto-isl 1
        set fortilink 1
        set mclag enable
        set members "port1"
    next
end

When attempting to configure the mirror directly on this FortiSwitch, any of these errors may appear:

 

Error1: entry not found in datasource

=====

 

S248EFTF18XXXXXX # config switch mirror
S248EFTF18XXXXXX (mirror) # edit f1
new entry 'f1' added
S248EFTF18XXXXXX (f1) # set status active
S248EFTF18XXXXXX (f1) # set dst "port30"
S248EFTF18XXXXXX (f1) # set src-ingress "port1" <----------------------
entry not found in datasource


Error2: A source port is already in use as a member of dst "G200E4Q16XXXXX" of active mirror session "flink.sniffer".

=====

config switch mirror
    edit f2
new entry 'f2' added
        set dst port30
        set src-ingress port1
        set status active
end

A source port is already in use as a member of dst 'G200E4Q16XXXXX' of active mirror session 'flink.sniffer'.
object set operator error, -23 discard the setting
Command fail. Return code -23


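Reason:

The FortiSwitch has already been configured with an RSPAN mirror session, which the FortiGate pushes when the traffic sniffer is enabled. As the second error shows, the FortiLink trunk is the destination of that active session ("flink.sniffer"), so its member port1 cannot also be used as a mirror source.
To verify how the RSPAN configuration is set up, see "To configure FortiSwitch RSPAN" in the FortiLink guide under Logging and monitoring.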


An example of the RSPAN config that is pushed to the FortiSwitch:

config switch mirror
    edit "flink.sniffer"
        set status active
        set mode RSPAN-auto
        set rspan-ip 1.1.1.1
        set encap-vlan-id 4092
    next
end


Solution:

  • Disable the RSPAN config from FortiGate so that it does not get pushed to FortiSwitch.
  • If this config is still seen, delete the mirror config manually from FortiSwitch:

config switch mirror
    delete "flink.sniffer"
end

After deleting the config, it should be possible to configure the mirror for a FortiLink uplink directly on the FortiSwitch.
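
A pre-check for the conflict described above, as an added example that is not part of the original article or any Fortinet tooling: it parses saved `show switch trunk` and `show switch mirror` output and reports which active RSPAN-auto session would block a given mirror source port. The function names, and the rule that an active RSPAN-auto session claims the FortiLink trunk as its destination, are assumptions drawn from the error text above.

```python
import shlex
# Constructed input: the trunk and mirror listings shown in this article,
# abbreviated and joined as saved `show` output would be.
SAMPLE = '''
config switch trunk
    edit "G200E4Q16XXXXX"
        set fortilink 1
        set members "port1"
    next
end
config switch mirror
    edit "flink.sniffer"
        set status active
        set mode RSPAN-auto
    next
end
'''

def parse_config(text):
    """Parse config/edit/set/next/end text into {section: {entry: {key: [values]}}}."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            section = sections.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and section is not None:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            section = entry = None
    return sections

def mirror_blockers(text, src_port):
    """Return (mirror session, FortiLink trunk) pairs that would block src_port."""
    cfg = parse_config(text)
    trunks = [name for name, t in cfg.get("switch trunk", {}).items()
              if t.get("fortilink") == ["1"] and src_port in t.get("members", [])]
    # Assumption taken from the article's error text: an active RSPAN-auto
    # session uses the FortiLink trunk as its dst, so trunk members are taken.
    return [(name, trunk) for trunk in trunks
            for name, m in cfg.get("switch mirror", {}).items()
            if m.get("status") == ["active"] and m.get("mode") == ["RSPAN-auto"]]

if __name__ == "__main__":
    print(mirror_blockers(SAMPLE, "port1"))
```

An empty list means no pushed RSPAN session stands in the way of mirroring that port; a non-empty list names the session to remove first.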
