3/11/2024: I've made some progress and have updated my original post below as needed. Thank you very much, @Anthony_E, for continuing to look for support!
I know this topic has been covered, but I need help. I have a FortiSwitch in a separate building from the main firewall and switch. I am trying to connect to that switch via FortiLink, but each time I enable fortilink-p2p on the REMOTE switch ports, my APs go into a reboot cycle. Here's my configuration:
FG100F(port12) <-> (port23 via fortilink)Fortiswitch(port 7) <-> FAP432F <-> FAP432F <-> (port2)Fortiswitch(port3) <-> client
The VLAN for the APs is 10.
The VLAN for the client is 20.
Following these guides...
Technical Tip: FortiLink over P2P wireless bridge/... - Fortinet Community
FortiSwitch FortiSwitch Devices Managed by FortiOS 7.0 (fortinetweb.s3.amazonaws.com)
Fortilink Managed Switches over Wireless P2P Bridge – J's Stuff (jsstuff.com)
...I have done the below:
Remote switch:
# set fortilink-p2p-native-vlan 10 (I used VLAN 10 because that is the VLAN for the APs)
# set fortilink-p2p enable on port2 of the switch
Remote (LEAF) AP:
# cfg -a MESH_ETH_BRIDGE=1
# cfg -a MESH_ETH_BRIDGE_VLANS=1,10,20,4094
# cfg -c
Main switch:
# set fortilink-p2p enable on port7 of the switch. The APs go into their reboot loops after I set this.
Questions:
1. Am I supposed to run set fortilink-p2p-native-vlan 10 on BOTH switches? If yes, how will that affect the existing FortiLink connection that switch has with the firewall? I already found this answer: it is yes.
2. Do I have to run the AP commands (cfg -a ... ) on the ROOT AP as well as the leaf? The guide does not mention the ROOT AP. The cfg -a MESH_ETH... commands mentioned above are not available until you convert your AP into a LEAF AP using cfg -a MESH_TYPE=1. If I do that, then I lose the ROOT AP. You can't have a MESH system without a ROOT. More on this below.
3. What am I missing?
***Today, 3/11/2024, I believe I've narrowed down the problem to the remote switch. I've worked with Fortinet Support who validated my configuration on all the devices. The problem I'm having is that as soon as I enable set fortilink-p2p enable on both switches, the APs start cycling. The ROOT AP will reset, as will the LEAFs. It will take several minutes for the ROOT to recover, a few more minutes for one or both LEAF APs to recover (there are 2 LEAFs total in this infra, but only one has a switch behind it). As soon as the LEAFs go green, the ROOT resets again, and then the LEAFs, rinse and repeat. I started eliminating variables and this is what I've found.
1. I can fully configure the firewall, main switch, and all APs and the wifi will not be affected. Here is the config.
Firewall
set switch-controller-source-ip fixed (setting suggested by Fortinet support)
set fortilink-p2p-native-vlan 200
set fortilink-vlan-optimization enable
Main Switch
set mgmt-vlan 4094 (default setting?)
set fortilink-p2p enable (on port7)
LEAF APs
cfg -a MESH_ETH_BRIDGE=1
cfg -a MESH_ETH_BRIDGE_VLANS=1,10,20,4094
2. After a factory reset of the REMOTE switch, the mgmt-vlan is set to 1 vice 4094. It needs to be set to 4094. The problem is, as soon as I set it to 4094, I lose direct access to the switch. I do not have physical access to the switch. I have a helper on site who connected a spare laptop to the switch on port 1. I remote into that spare laptop to configure the switch. As soon as I set mgmt-vlan 4094, I lose access. I cannot ssh back in using ssh admin@192.168.1.99. Does the IP change? The only option I have is to have my helper do a factory reset, which changes the mgmt-vlan back to 1. Fortinet Support says that has to be 4094. Can I simply change the mgmt-vlan to 1 for all devices?
I think my only option at this point, without traveling to the site and connecting via the console port for more debugging, is to configure and manage this switch as a standalone unit. What are your thoughts?
Thank you for your time and assistance.
After spending the entire day yesterday trying to get a FortiSwitch engineer to assist me, I finally have the missing part. The engineer told me that the Fortinet article https://community.fortinet.com/t5/FortiSwitch/Technical-Tip-FortiLink-over-P2P-wireless-bridge-mesh/... is actually outdated and is missing a key piece of information. One needs to add "set static-isl enable" on the trunk that is formed to the new switch, like so:
config switch trunk
    edit "2DPTD2300xxxx-0"
        set auto-isl 1
        set static-isl enable
        set members "port6"
    next
end
Once you add that line, the remote switch that sits over the p2p bridge will come up online and STP will no longer interfere and block it.
I really hope Fortinet will update that article.
UPDATE June 10 2024: Good news, the article linked above has been updated. There is another very important fact that needs to be taken into account. Both FortiAP units need to be running 7.2.2, as it is the only internally certified version to work in mesh mode with a P2P transparent bridge. Just keep in mind that as soon as you update your leaf AP to 7.2.2 and configure it to run as a transparent mesh, it will no longer be managed by the FortiGate. No clue how to fix this yet and I don't have time to investigate. But it does work.
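The settings reported as working are scattered across the question, its 3/11 update and the accepted answer above. Below they are gathered per device into one reference configuration. This is an added consolidation, not configuration from the original post, from Fortinet's KB article or from Fortinet Support. Port numbers and VLAN IDs follow the topology in the question (FG100F port12 -> main switch port7 -> root AP ~ leaf AP -> remote switch port2; AP VLAN 10, client VLAN 20). The "config ..." context lines and the trunk name placeholder are assumptions about where each setting lives; only the "set ..." and "cfg ..." lines themselves appear in the thread.

```text
# Added reference configuration assembled from the thread; not the original
# poster's or Fortinet's own configuration. Context lines marked (assumed) are
# guesses at the enclosing CLI section and should be checked against your
# FortiSwitchOS / FortiOS release.

# 1. FortiGate, FortiLink interface (assumed: config system interface, edit fortilink)
set switch-controller-source-ip fixed      # suggested by Fortinet Support
set fortilink-p2p-native-vlan 200          # native VLAN carried across the bridge
set fortilink-vlan-optimization enable

# 2. Main switch (wired to the FortiGate; assumed: config switch global)
set mgmt-vlan 4094                         # managed-switch default; must match the remote switch
# port7 faces the root AP (assumed: config switch physical-port, edit port7)
set fortilink-p2p enable

# 3. Leaf AP, the one with the remote switch behind it (FortiAP CLI, both APs on 7.2.2)
# MESH_ETH_BRIDGE_* is only available after cfg -a MESH_TYPE=1 (leaf); the root AP keeps MESH_TYPE=0
cfg -a MESH_ETH_BRIDGE=1
cfg -a MESH_ETH_BRIDGE_VLANS=1,10,20,4094   # untagged, AP VLAN, client VLAN, FortiLink mgmt VLAN
cfg -c                                     # commit

# 4. Remote switch (behind the leaf AP; assumed: config switch global)
set mgmt-vlan 4094                         # factory reset leaves this at 1; 4094 is required
set fortilink-p2p-native-vlan 200          # same value on BOTH switches
# port2 faces the leaf AP (assumed: config switch physical-port, edit port2)
set fortilink-p2p enable

# 5. Main switch: the piece missing from the original KB article.
#    The auto-formed ISL trunk toward the remote switch needs static ISL,
#    otherwise STP blocks it. The trunk is named after the remote switch
#    serial number with a "-0" suffix (placeholder below, assumed).
config switch trunk
    edit "<remote-switch-serial>-0"
        set auto-isl 1
        set static-isl enable
        set members "port7"
    next
end
```

Two caveats from the thread are worth keeping next to this. First, setting mgmt-vlan 4094 on the remote switch moves its management interface onto VLAN 4094, so a laptop plugged into an untagged port on VLAN 1 loses its SSH session at that moment; plan on console access, or accept standalone mode as the poster did, before issuing that command remotely. Second, once the leaf AP runs 7.2.2 in transparent mesh mode the thread reports it is no longer managed by the FortiGate, so check the AP's status in the controller after the change rather than assuming it is still under management.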
Hello Shawn,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Shawn,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hi Shawn,
I saw your update and will transfer it to one of our experts :)!
Regards!
Thank you for actively finding folks to help me. I really appreciate it!!
Hi Shawn,
I recommend you work with TAC for the FAP crashing issue, this needs to be investigated.
Standalone mode could be an option.
Stupid question, is TAC different from the normal Fortinet Support channels?
I need to get this up and running asap so I'm going down the standalone path. Next time I'm on site I will investigate further.
Thank you!
Hi Shawn,
It's the same thing. You can call us and raise a ticket.
https://fortinet.com/support-and-training/support/contact.html
Shawn, did you ever figure this out? We have the exact same problem. When configuring the leaf switch in standalone mode the mesh WiFi stays up. The second we configure FortiLink it crashes the APs with the exact same behavior.
I was never able to make it work. I changed the infrastructure and removed the switch. I simply connected the endpoint directly to the AP, then adjusted the firewall and VLAN rules. This works for us because I have only one hardwired endpoint on this AP.
I apologize for the delay in replying, I didn't see your question back in April. Did you ever find a solution to use the switch??
Copyright 2024 Fortinet, Inc. All Rights Reserved.