Hi
I have a problem with spanning tree and ports being disabled. I don't know what to do and it is annoying me at times and prevents me from working. Maybe someone has an idea for further debugging.
My client (macOS) is directly connected to a FortiSwitch (124E), which in turn is directly connected to my 40F (trunk). There are some VLANs configured. Occasionally, the port (port20) my client is on gets disabled every few seconds and I lose connectivity.
FortiOS is on 7.0.8 and FortiSwitch 7.0.5. The network setup is very simple.
                +-----+             +------+          +-----+
WAN ------------| 40F |--- TRUNK ---| 124E |----------| MAC |
                +-----+             +------+          +-----+
The error messages are as follows:
primary switch port port20 has gone down
primary port port20 instance 0 changed role from designated to disabled
primary port port20 instance 0 changed state from forwarding to discarding
primary switch port port20 has come up
primary port port20 instance 0 changed role from disabled to designated
What I have tried so far:
The error also occurred with other firmware. On the client there is a desktop hypervisor (Fusion) and one VM in bridge mode, but it is disabled. I am not sure if this could have an impact, but it does not fit together in time.
Any ideas for further debugging?
Thanks in advance.
I don't think the spanning tree messages are anything more than the normal changes to STP state when the port goes down and up. How do you recover, do you enable the port again from the software or unplug it?
The only other item I could think of is if you have not tested it, disable Edge Port on port20. If the port is going up and down constantly or numerous times in a minute, you may also want to test the physical cables to verify they are good.
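Added example (not code from either poster): a small parser for the two kinds of FortiSwitch log lines quoted above that flags ports with repeated link-down events inside a sliding window and separates STP "disabled" role changes that coincide with a link-down on the same port (the normal STP reaction described in the reply) from those with no link event behind them. The timestamps and the extra ports in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (timestamps assumed); messages mirror the FortiSwitch log lines in the thread.
SAMPLE_LOG = """\
2023-01-03 09:00:01 primary switch port port20 has gone down
2023-01-03 09:00:01 primary port port20 instance 0 changed role from designated to disabled
2023-01-03 09:00:04 primary switch port port20 has come up
2023-01-03 09:00:09 primary switch port port20 has gone down
2023-01-03 09:00:12 primary switch port port20 has come up
2023-01-03 09:00:20 primary switch port port20 has gone down
2023-01-03 09:00:23 primary switch port port20 has come up
2023-01-03 09:30:00 primary switch port port5 has gone down
2023-01-03 09:45:00 primary port port7 instance 0 changed role from designated to disabled
"""
LINK_RE = re.compile(r"^(\S+ \S+) primary switch port (\S+) has (gone down|come up)$")
STP_RE = re.compile(r"^(\S+ \S+) primary port (\S+) instance \d+ changed role from \S+ to (\S+)$")

def parse(log):
    """Return (link_events, stp_events); each entry is (timestamp, port, event-or-new-role)."""
    link, stp = [], []
    for line in log.splitlines():
        for rx, out in ((LINK_RE, link), (STP_RE, stp)):
            m = rx.match(line)
            if m:
                out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)))
                break
    return link, stp

def flapping_ports(link, window=timedelta(seconds=60), min_downs=3):
    """Ports with at least min_downs link-down events inside one sliding window."""
    downs = defaultdict(list)
    for ts, port, ev in link:
        if ev == "gone down":
            downs[port].append(ts)
    result = {}
    for port, times in downs.items():
        n = max(sum(1 for t in times if timedelta(0) <= t - s <= window) for s in times)
        if n >= min_downs:
            result[port] = n
    return result

def stp_disabled_breakdown(stp, link, slack=timedelta(seconds=1)):
    """Split STP 'disabled' role changes into those that coincide with a link-down on the
    same port (normal STP reaction) and those with no link event behind them (worth a look)."""
    downs = [(t, p) for t, p, ev in link if ev == "gone down"]
    matched = [any(p == port and abs(ts - t) <= slack for t, p in downs)
               for ts, port, role in stp if role == "disabled"]
    return sum(matched), len(matched) - sum(matched)
```

Feed it a real switch log (with timestamps) instead of SAMPLE_LOG; a port that shows up in flapping_ports while every STP "disabled" change is matched points at the link itself rather than at an STP decision.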
Thank you, distillednetwork. I should have mentioned that I also changed the physical ports on the switch and the cable already. The port is usually back online after a couple of seconds by itself. Sometimes only to be switched off again directly...
I'm not sure if I had already disabled Edge Port, but felt that I had already tried every setting imaginable. I have now disabled all features once and observe what happens.
The logs still show up and the port gets disabled. Absolutely no security features (STP) are active on the port at the moment.
Any ideas?
Hi,
From what I understand, is the issue specific to MacBooks? Do other devices like Windows laptops also witness the same problem?
Created on 01-03-2023 02:53 AM Edited on 01-03-2023 02:53 AM
Hi Sachit
Thanks for your reply.
It almost looks like that's a common factor. The problem occurs on my Mac mini (personal) as well as on my MacBook Pro (business). However, I don't have any other desktop PCs that I use (except a virtualized Windows desktop, which I start only every few weeks). Everything else is servers (Linux).
I had already switched off WiFi on the devices, as I suspected a roaming problem. All without success.
Do you know of any other such problems with macOS?
Best,
Donnie
Created on 02-17-2023 04:09 PM Edited on 02-17-2023 04:16 PM
Hi Donnie,
We are experiencing the same issue. However, it is happening with our FortiAPs, and any other kinds of devices we plug into the switches. The infrastructure is quite a bit bigger than yours, but the problem is the same. It seems to be random. Sometimes Port2, or 5, 8, whatever, goes down then up, then down, up, etc, with the critical fact that when this happens on a port where an AP is, it makes the AP go down and you can imagine the problem, as we have to wait for 5-6 mins to get the WiFi service back.
The same here: we have disabled, enabled, combined, prayed, anything you can imagine to try to identify the root of the problem. Even if it is a bug, we have been trying to catch what we have to disable/enable to get it fixed, at least until Fortinet decides to make it work properly.
We still receive messages in the switch logs pointing to an STP issue despite it having been completely disabled (at least that's what it shows, even though it could be, or definitely is, still running behind the scenes).
Our infrastructure is big but simple. Actually, we don't need the STP protocol at all, as we only have one possible path to each network, so there is no risk of a loop whatsoever. At this desperate/frustrated stage, if we could eradicate/purge every trace of the STP protocol from the FortiGate, we would do it.
Finally, it is worth mentioning that we are on the latest OS versions (7.2.4 on the FW, 7.2.3 on the switches, and 7.2.3, if I remember well, on the FortiAPs). Today, there is no newer version available to upgrade any device in the infrastructure.
We used to love Fortinet and have several buildings with it, but in this last building we bet everything on them, firewall, switches, APs, full licenses, etc, and the whole project has been just a terrible mess. Before, we used to combine some brands, Fortinet at the top of the network with the firewall, then HP Aruba switches, and finally Ubiquiti/Huawei/Cisco APs... More complex to manage, of course, but Smooooooth. Nothing to do with this mess... It is a shame; we have opened a case directly with Fortinet, requested support from one of our sellers/providers, done everything you can imagine, and are still struggling with this since 3-4 months ago. We are about to return or drop 26 FortiSwitches and go back to the Arubas and the good old VLAN/Trunking/Tag configuration.
So please, if you finally discover anything, please let us know, as we are completely lost with this situation. I promise I'll get you a beer wherever you are.
Of course, if I do so, I will pass the info on too.
Here is the hardware involved, to give you some more info:
FortiGate 100F
FortiSwitches 424E-FPOE, 448E-FPOE, and 448E.
FortiAP 231F.
Stay safe.
--CV
Do you notice a high CPU on the FortiSwitch itself?
I have been told before to try disabling the following on the switch to reduce the controls on the port:
config switch-controller network-monitor-settings
    set network-monitoring disable
end
config switch-controller lldp-settings
    set device-detection disable
end
config switch-controller storm-control
    set unknown-unicast disable
    set unknown-multicast disable
    set broadcast disable
end
config switch-controller system
    set iot-weight-threshold 0
end
Hello Donnie,
I have the same problem with my FortiGate -> FortiSwitch -> FortiAP.
On the port going to the AP, STP periodically changes state, the port goes down and the AP reboots.
Did you find a solution?
Hi Donnie,
I have the same situation between a FortiSwitch and an Alcatel-Lucent switch. Every second I have these logs:
The clients connected to the Alcatel switch cyclically lose packets towards the resources connected to the FortiSwitches.
In the first configuration the FortiSwitch and the Alcatel were connected with LACP and I thought it was an STP problem, but now there is only one cable connected and the root bridge is the FortiSwitch; there are no loops.
I have opened a support ticket, we will do a remote session.
ac