Hi
I have a problem with spanning tree and ports being disabled. I don't know what to do and it is annoying me at times and prevents me from working. Maybe someone has an idea for further debugging.
My client (macOS) is directly connected to a FortiSwitch (124E), which in turn is directly connected to my 40F (trunk). There are some VLAN configured. Occasionally, the port (port20) my client is on gets disabled every few seconds and I lose connectivity.
FortiOS is on 7.0.8 and FortiSwitch 7.0.5. The network setup is very simple.
            +-----------+              +-----------+              +---------+
            |           +--------------+           |              |         |
WAN +-------+    40F    |    TRUNK     |   124E    +--------------+   MAC   |
            |           +--------------+           |              |         |
            +-----------+              +-----------+              +---------+
The error messages are as follows:
primary switch port port20 has gone down
primary port port20 instance 0 changed role from designated to disabled
primary port port20 instance 0 changed state from forwarding to discarding
primary switch port port20 has come up
primary port port20 instance 0 changed role from disabled to designated
 
What I have tried so far:
The error also occurred with other firmware. On the client there is a desktop hypervisor (Fusion) and one VM in bridge mode, but it is disabled. I am not sure if this could have an impact but it does not fit together in time
Any ideas for further debugging?
Thanks in advance.
Hello All,
I just recently migrate a factory and we are seeing the same issue, it is hard affecting production. It would be great if there are news about this issue. Thanks in advance
Hi Albert,
I did the remote session with Fortinet support. The problem appears to be an incompatibility between RSTP and MSTP. The FortiSwitches only support MSTP which is backwards compatible with RSTP, but apparently it's not talking properly with RSTP (in my case these are Alcatel-Lucent switches).
So MSTP goes through all spanning-tree phases cyclically, that's why I see logs of STP status continuously.
To resolve it, MSTP must also be configured on the switches in cascade to FortiSwitch.
Thanks ac1,
In this project there are also Alcatel-Lucent switches so I think you gave me the solution. I will work in this direction.
Thanks again,
You can also try disabling STP on the uplink from the alcatel to the fortiswitch by running:
bridge 1x1 ## #/# disable
replace ## with vlan ID
replate #/# with uplink port
You will need to do this with all vlans on the uplink port. Dont really need STP on the uplink port
Hi distillednetwork,
yes, but the problem would not be solved. Furthermore, the management of the Root-Bridge would not be correct.
In large infrastructures it is not feasible.
Were you able to resolve this? I don't have Alcatel-Lucent switches, I have a full FortiStack, with one Cisco 2960.
HA Pair of 200F
2 x 1048E setup with an MC-Lag ICL between them
7 x 548D, each wired to both 1048E
1 x 108E hanging off a single port of a 548D
What caused us to notice the issue is the uplink to the newly added 108E keeps going into a blocking status, with log entries very similar to the ones posted by the OP. While researching this, I noticed uplinks between the 1048E and 548D are going into blocking too, but with everything redundantly cabled, the users aren't feeling the impact.
We do have one Cisco 2960s hanging off a single port of the 1048E, perhaps this Cisco is injecting some weirdness into MSTP?
Greetings,
I would like to know if you were able to solve this problem, because we are experiencing the same thing in the institution where I work.
One of my network admins tracked it down in our environment. As I recall, a switch in a Dell VRTX had a lower STP priority than the FortiSwitches and kept taking the root role. Once he increased the STP priority on the VRTX switch, the problem went away.
Hi Donnie! This may not be a spanning tree issue. Spanning tree may be reacting to the port just going down. Lets experiment with different cables, different hosts but keeping the same switch and if possible, using the same port and see if our results change.
Sorry ignoring your requests @t-dalt13 , @ac1 , @RafaelAlmonteTIC. Maybe the approach of @jokes54321 will help?
In the meantime I bought a new FortiGate and also made several upgrades (Switches & FortiOS). Fortunately, the problem has disappeared in the meantime, although the cabling is still the same. Unfortunately, I don't know exactly what the cause was.
@Genobaseball10 Cables were replaced and the problem existed only with a single host.
 
					
				
				
			
		
| User | Count | 
|---|---|
| 2652 | |
| 1407 | |
| 810 | |
| 697 | |
| 455 | 
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.