We have an ISP providing us layer 2 to several sites via a QinQ tunnel. I have seen having an ISP in between devices is not supported for a L2 FortiLink; however, several people have had success doing so.
The issue is currently that FortiLink establishes for a small period of time if freshly factory reset and mgmt vlan settings are changed to 4094. This will establish the link, then FortiGate sends configs. After a while the CAPWAP tunnel goes down and the switch never comes back online.
FortiNet support mentioned this could be an STP issue, though they weren't willing to further investigate as the ISP devices may be playing a role. I confirmed via packet capture the only STP packets being received are that of the upstream FortiSwitch.
Any insight to how these setups are working, or configuration that assist this would be helpful! We are very close with the ISP, and they are always willing to work with us, so any insight to what they might be able to do is also appreciated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.