Good morning. We have a site that is very tiny and pretty straightforward. One FW 81E and two FS 248 E_FPOE.
A third switch in the mix is an older Cisco 2960. Everything was working fine for years (and yes, new equipment for the site has been ordered). Friday morning I get a call that this site is down. Logged into the FW and Fortiswitches are showing offline - both MDF and IDF. FW version was 6.0.4 (GA) and switches were 6.0.2. [we update firmware as needed when alerted]
Logs showed a CAPWAP entry for both switches. Opened TAC ticket and after TS had to issue RMA on the devices. In the meantime pulled a spare unused 248E-FPOE off the shelf and installed it. Was a newer firmware version I think 7.0.12. Amazingly port configs for the most part moved over. Updated FW to 7.0.13. Just to be sure all equipment was relatively close in versions. Quite a difference between versions tbh.
Long story short. With minor tweaking, cleaned up a few things - and anyone off of the MDF was working.
With the exception of the link to this Cisco 2960. The port shows up, logs show traffic being sent to the Cisco but there is 0 return traffic. Nothing has changed on the Cisco. Port configs on the FS seem to be exactly as they should be so we're scratching our heads. I have opened a TAC ticket but since this is a 24/7 facility I thought posting here might generate some ideas. Vlan 1 is native on both ends with four additional vlans allowed. I do not know what else to look at on the FS to TS why now this link will not work when it has worked for years.
Any thoughts much appreciated.
TCM
Hello
Hi AEK. Went straight from 6.0.4 to 7.0.13 on the FW. The replacement 248E already had 7.0.12 - the old one was 6.0.2. The cabling between buildings is on MMF, plugged into the FS. I can get you FS configs - working on the Cisco configs now. Cisco is L2.
The configs below are pretty much exactly as they were before swapping out the bad FS and updating the FW. Much appreciated for the response.
edit "port51"
    set speed 1000full
    set rpvst-port enabled {I added this to just mess around with anything}
    set vlan "vsw.port12"
    set allowed-vlans "VLAN 150" "VLAN-200" "VLAN-205" "VLAN-209"
    set dhcp-snooping trusted
    set export-to "root"
    set mac-addr d4:76:a0:4b:4c:3c
    set description "toPatrolBuilding"
next
The port on C2960 could be errdisabled. If it's a 24/7 facility like a datacenter, I would get a remote hand to log in to the Catalyst to check what's going on on the Catalyst side.
Toshi
Hey Toshi. Thanks for the reply. We are working on getting hands on this old unit. Last update I got from an employee on site was no link activity on the port - no LED period.
Hello @whozitsdad
There could be many reasons why the port is set to errdisabled, but I am thinking that you have already done lots of troubleshooting. Some common reasons are as follows:
- Check cable (try to change, if possible).
- Duplex settings on both sides.
- BPDU guard violation.
- Collision detections.
- Check GBIC (SFP) module or cable.
There could be many other factors, but these are some common ones. If you have a syslog server configured then you can check old logs; they might give some insight into the issue.
regards,
Sheikh
Hi Sheikh and thank you for responding. We will look at some of your suggestions, however this was operational (for many years) up until we swapped out the FS 248E (same model) and updated the Fortigate firmware. I was wondering what may have changed in the newer firmware version and/or what the Cisco did not like.
We are going to double check configs on Cisco for comparison but the Cisco switch sits in a secured, locked closet and I couldn't tell you the last time we even touched it. At least three years ago. We have never had any loop, STP, connectivity issues before until Friday.
So my question still remains, is there something in the firmware between 6.0.2 and 7.0.12 on the switch that is not liked or needs tweaking? I have fiddled with port configs on the FS port that links to the Cisco without any luck. We are going to check to see if the Cisco port is in error. Fingers crossed, I hope that is all it is.
We plan on testing the optics and light tomorrow for the run in question. It's a very short run.
Will update ticket as we complete advice from y'all.
Terry