Hi, Having a little difficulty with this, I have a FortiAP plugged into a CISCO 3750, port is trunked with native VLAN 50 , LLDP is enabled. Cisco is connected to another Cisco 9K , vlan 50 trunked and LLDP enabled there also. Fortigate (7.0.14) has a Layer 3 Aggregate inteface connected to the Cisco 9K, no issues there.
In order to get the AP MGMT, I created an SVI 50, with DHCP etc, and put it behind the Agg Layer 3, this is where I think there is a problem, I allow ALL traffic for now, but the AP will not come online, simply says "no LLDP neighbours found"
if I do "diagnose lldprx neighhour" you can see the Cisco 9K, and the Cisco 9K can see the 3750 as an LLDP neighbour, so not sure why the AP cannot get to the SVI on the Fortigate, I did notice on the SVI you cannot set "recieve LLDP" or "Transmit LLDP" the option isnt there..
I have enabled security fabric, you can see the AP MAC on the cisco switches on VLAN 152..any suggestions where I have made a silly mistake??
THankyou
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Ok I missed one post when I went to grab food for lunch. So the SW 9K is not extending the VLAN ID 50 from the FGT toward the FAP? Then DHCP on the FGT would never work for the FAP. It has to be on the same L2 network. You have to set DHCP server on the switch where FAP is connected to it via L2 network.
By the way, any FGTs don't support SVI. The vlan interface you configured on LAG interface to the 9K SW is just a subinterface of the LAG. Similar to the good old Cisco 25xx/26xx routers subinterfaces.
To verify L2 connectivity between the FGT to the switches, you can configure L3 interface on SVI (this is an SVI) on those switch then test with ping each other. If those works through the FGT-9K-3750, L2 connectivity should be there. Then needs to suspect the FAP side.
I'm assuming you're using the default config on the FAP so it's trying to pull IP via DHCP over the L2 network you just confirmed.
You can set up a mirror port on the 3750 to sniff what's going on between the FAP and the 3750.
Toshi
I have created an SVI with an IP in the same range, and no ping is not working, which is bizarre as there is a path all the way through! if I take off the SVI the switch can reach the L3 interface on the Fortigate by using its MGMT ip! so im lost now!
Did you see those ping packets coming from the switch and arriving at the VLAN interface on the FGT in "diag sniffer packet <the_vlan_interface>"?
bizzarelly no! but it does ping from the switch! most odd
Are you saying ping from SW to FGT works, but opposite direction doesn't work? Or somehow both directions started working?
I would still make sure those packets with "diag sniffer" on the vlan interface. Then check the FAP port with mirroring.
Toshi
The switch itself (mgmt ip) can ping the Fortigate interface that does the DHCP for the APs, but an SVI on the same subnet as the Fortigate interface cannot. i cannot see any icmp traffic on the fortigate interface
please share us the VLAN subinterface config on the FGT in CLI under "config system interface" then "edit <vlan_interface_name>", and then "show".
config system interface
edit "FortiAP-MGMT"
set vdom "root"
set ip 10.10.50.1 255.255.255.0
set allowaccess ping https ssh snmp http fabric
set device-identification enable
set role lan
set snmp-index 40
set auto-auth-extension-device enable
set interface "INSIDE"
set vlanid 50
next
end
Then when you run "diag sniffer packet FortiAP-MGMT 'net 10.10.50.0/24' 4 0 l" (the last letter is lower-case_'L') then pinged 10.10.50.1 from the switch SVI, you didn't see anything in the sniffing?
And then you opened another session for SSH and run "exe ping 10.10.50.x" (SW SVI's IP), you didn't see anything in the sniffing?
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.