whozitsdad
New Contributor II

FortiSwitch Link To Cisco Switch Not Working After Upgrade

Good morning. We have a site that is very tiny and pretty straightforward. One FW 81E and two FS 248 E_FPOE.

A third switch in the mix is an older Cisco 2960. Everything was working fine for years (and yes, new equipment for the site has been ordered). Friday morning I get a call that this site is down. Logged into the FW and FortiSwitches are showing offline - both MDF and IDF. FW version was 6.0.4 (GA) and switches were 6.0.2. [we update firmware as needed when alerted]

Logs showed a CAPWAP entry for both switches.   Opened TAC ticket and after TS had to issue RMA on the devices.  In the meantime pulled a spare unused 248E-FPOE off the shelf and installed it.  Was a newer firmware version I think 7.0.12.  Amazingly port configs for the most part moved over.   Updated FW to 7.0.13.  Just to be sure all equipment was relatively close in versions.  Quite a difference between versions tbh.

 

Long story short.  With minor tweaking, cleaned up a few things - and anyone off of the MDF was working.

With the exception of the link to this Cisco 2960. The port shows up, logs show traffic being sent to the Cisco but there is 0 return traffic. Nothing has changed on the Cisco. Port configs on the FS seem to be exactly as they should be so we're scratching our heads. I have opened a TAC ticket but since this is a 24/7 facility I thought posting here might generate some ideas. VLAN 1 is native on both ends with four additional VLANs allowed. I do not know what else to look at on the FS to TS why now this link will not work when it has worked for years.

Any thoughts much appreciated.

TCM

 

AEK
Honored Contributor II

Hello

  • Did it stop working after you upgraded from 6.0.x to 7.0.12 or after you updated from 7.0.12 to 7.0.13?
  • Is the Cisco switch connected to FGT or to FSW?
  • What is the link type between Cisco and Fortinet device? Can you share port config of both ends?
  • Is Cisco switch configured L2 or L3?
AEK
whozitsdad
New Contributor II

Hi AEK.   Went straight from 6.0.4 to 7.0.13 on the FW.  The replacement 248E already had 7.0.12 - the old one was 6.0.2.   The cabling between buildings is on MMF, plugged into the FS.   I can get you FS configs - working on the Cisco configs now.   Cisco is L2

The configs below are pretty much exactly as they were before swapping out the bad FS and updating the FW.   Much appreciated for the response.

 

edit "port51"
set speed 1000full
set rpvst-port enabled  {I added this to just mess around with anything}
set vlan "vsw.port12"
set allowed-vlans "VLAN 150" "VLAN-200" "VLAN-205" "VLAN-209"
set dhcp-snooping trusted
set export-to "root"
set mac-addr d4:76:a0:4b:4c:3c
set description "toPatrolBuilding"
next

Toshi_Esumi
Esteemed Contributor III

The port on C2960 could be errdisabled. If it's a 24/7 facility like a datacenter, I would get a remote hand to log in to the Catalyst to check what's going on the Catalyst side.

 

Toshi

whozitsdad

Hey Toshi.  Thanks for the reply.  We are working on getting hands on this old unit.  Last update I got from an employee on site was no link activity on the port - no LED period.

Sheikh
Staff

Hello @whozitsdad 

 

There could be many reasons why the port is set to errdisabled, but I am thinking that you have already done lots of troubleshooting. Some common reasons are as follows:

 - check cable (try to change, if possible)

 - Duplex settings on both sides.

 - BPDU guard violation

 - collision detections

 - check GBIC (SFP) module or cable.

 
There could be many other factors, but these are some common ones. If you have a syslog server configured then you can check old logs, they might give some insight of the issue.

 

regards,

 

Sheikh
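
Following the suggestion above to check old syslog entries, this added example (not part of the original post) pulls err-disable events out of Catalyst-style syslog text and groups them by port. The sample log lines, hostname and the cause-to-hint mapping are constructed assumptions, not data from this thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in Cisco IOS syslog style (not from the thread).
SAMPLE_LOG = """\
Mar  1 06:12:01 sw-idf 101: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Mar  1 06:12:03 sw-idf 102: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/1 with BPDU Guard enabled. Disabling port.
Mar  1 06:12:03 sw-idf 103: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
Mar  1 06:12:05 sw-idf 104: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Mar  1 07:40:10 sw-idf 130: %PM-4-ERR_DISABLE: link-flap error detected on Gi0/2, putting Gi0/2 in err-disable state
"""

# The port manager message names the cause and the affected port.
ERR_DISABLE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),"
)

# Assumed mapping from err-disable cause to the checks listed in the reply.
HINTS = {
    "bpduguard": "BPDU guard violation: peer is sending BPDUs into a guarded port",
    "link-flap": "check cable, optics and speed/duplex on both ends",
    "gbic-invalid": "check GBIC (SFP) module",
}


def errdisable_events(log_text):
    """Return {port: [(timestamp, cause, hint), ...]} for every err-disable line."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = ERR_DISABLE.search(line)
        if not m:
            continue
        timestamp = line[:15]  # classic syslog "Mmm dd hh:mm:ss" prefix
        cause = m.group("cause")
        hint = HINTS.get(cause, "see 'show interfaces status err-disabled'")
        events[m.group("port")].append((timestamp, cause, hint))
    return dict(events)


if __name__ == "__main__":
    for port, hits in errdisable_events(SAMPLE_LOG).items():
        for ts, cause, hint in hits:
            print(f"{port}  {ts}  {cause}: {hint}")
```
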

whozitsdad
New Contributor II

Hi Sheikh and thank you for responding. We will look at some of your suggestions, however this was operational (for many years) up until we swapped out the FS 248E (same model) and updated the Fortigate firmware. I was wondering what may have changed in the newer firmware version and/or what the Cisco didn't like.

 

We are going to double check configs on Cisco for comparison but the Cisco switch sits in a secured, locked closet and I couldn't tell you the last time we even touched it.   At least three years ago.   We have never had any loop, STP, connectivity issues before until Friday.

 

So my question still remains, is there something in the firmware between 6.0.2 and 7.0.12 on the switch that is not liked or needs tweaking? I have fiddled with port configs on the FS port that links to the Cisco without any luck. We are going to check to see if the Cisco port is in error. Fingers crossed, I hope that is all it is.

 

We plan on testing the optics and light tomorrow for the run in question. It's a very short run.
Will update ticket as we complete advice from y'all.

Terry
