Fortinet Community

Donnie_Brasco · ‎12-05-2022

Hi

I have a problem with spanning tree and ports being disabled. I don't know what to do and it is annoying me at times and prevents me from working. Maybe someone has an idea for further debugging.

My client (macOS) is directly connected to a FortiSwitch (124E), which in turn is directly connected to my 40F (trunk). There are some VLAN configured. Occasionally, the port (port20) my client is on gets disabled every few seconds and I lose connectivity.

FortiOS is on 7.0.8 and FortiSwitch 7.0.5. The network setup is very simple.

            +-----------+              +-----------+              +---------+
            |           +--------------+           |              |         |
WAN +-------+    40F    |    TRUNK     |   124E    +--------------+   MAC   |
            |           +--------------+           |              |         |
            +-----------+              +-----------+              +---------+

The error messages are as follows:

primary switch port port20 has gone down
primary port port20 instance 0 changed role from designated to disabled
primary port port20 instance 0 changed state from forwarding to discarding
primary switch port port20 has come up
primary port port20 instance 0 changed role from disabled to designated

What I have tried so far:

Various FortiSwitch port settings (STP, BPDU Guard, Root & Loop Guard, disable, etc.).
Disabling the trunk to the FortiGate (connectivity only via one link).
set the speed settings to "1Gbits only" or "auto
disable the WLAN interface (Ethernet only) on the client
various reboots
firmware upgrades (FTG and switch)

The error also occurred with other firmware. On the client there is a desktop hypervisor (Fusion) and one VM in bridge mode, but it is disabled. I am not sure if this could have an impact but it does not fit together in time

Any ideas for further debugging?

Thanks in advance.

distillednetwork · ‎12-05-2022

I don't think the spanning tree messages are anything more than the normal changes to STP state when the port goes down and up. How do you recover, do you enable the port again from the software or unplug it?

The only other item I could think of is if you have not tested it, disable Edge Port on port20. If the port is going up and down constantly or numerous times in a minute, you may also want to test the physical cables to verify they are good.

Donnie_Brasco · ‎12-05-2022

Thank you, distillednetwork. I should have mentioned that I also changed the physical ports on the switch and the cable already. The port is usually back online after a couple of seconds by itself. Sometimes only to be switched off again directly...

I'm not sure if I had already disabled Edge Port, but felt that I had already tried every setting imaginable. I have now disabled all features once and observe what happens.

Donnie_Brasco · ‎12-08-2022

The logs still show up and the port gets disabled. Absolutely no security features (STP) are active on the port at the moment.

Any ideas?

sachitdas_FTNT · ‎01-03-2023

Hi,

From what I understand is the issue specific to Macbook? Do other devices like windows laptops also witness the same problem?

Regards,
Sachit Das
ETAC Engineer
Wifi-Switching – International Support

Donnie_Brasco · ‎01-03-2023

Hi Sachit

Thanks for your reply.

It almost looks like that's a common factor. The problem occurs on my Macmini (personal) as well as on my Macbook Pro (business). However, I don't have any other desktop PCs that I use (except a virtualized Windows desktop, which I start only every few weeks). Everything else are servers (Linux).

I had already switched off WiFi on the devices, as I suspected a roaming problem. All without success.

Do you know of any other such problems with macOS?

Best,

Donnie

Meseguer24 · ‎02-17-2023

Hi Donnie,

We are experiencing the same issue. However, it is happening with our FortiAPs, and any other kinds of devices we plug into the switches. The infrastructure is quite bigger than yours, but the problem is the same. It seems to be random. Sometimes Port2, or 5, 8, whatever, goes down then up, then down, up, etc, with the critical fact that when this happens on a port where an AP is, it makes the AP goes down and you can imagine the problem, as we have to wait for 5-6 mins to get the WiFi service back.

The same, we have disable, enable, combined, prayed, anything you can imagine to try identify what is the root of the problem. Even if it is a Bug, we have trying to catch what we have to disable/enable to get it fixed, at least until Fortinet decides to make it work properly.

We still receive messages on the Switch logs pointing a STP issue despite it has been completely disable (at least that's what it shows, even though it could or definetly is still running behind scenes).

Our infrastructure is big but simple. Actually, we don't need at all the STP protocol as we only have one possible path to each network, and so it is impossible to have a loop risk or whatsoever. At this desperate/frustration stage, if we could erradicate/purge the entire trace of the STP protocol from the Fortigate, we would do it.

Finally, it is good to mention we are on the Top of the current OS versions (7.2.4 on the Fw, 7.2.3 on the Switches, and 7.2.3 if I remember well, on the FortiAPs). Today, there is no possible newer version to upgrade any device in the infrastructure.

We used to love Fortinet and have several buildings with it, but this last building, we bet all on them, Firewall, Switches, APs, Full Licenses, etc, and all the project has been just a terrible mess. Before, we used to combine some brands, Fortinet at the top of the network with the Firewall, then HP Aruba switches, and finally, Ubiquiti/Huawei/Cisco APs... More complex to manage, of course, but Smooooooth. Nothing to do with this mess... It is a shame, we have open a case directly with Fortinet, requested support from one of our sellers/providers, do everything you can imagine, and still strugling with this since 3-4 months ago. We are about to return or drop 26 Fortiswitches and go back to the Arubas and the normal and ordinary VLAN/Trunking/Tag configuration of all the life.

So please, if you finally discover anything, please let us know as we are completely lost with this situation. I promise you to reach a beer where you are.

Of course, if I do so, I will pass the info too.

Here the hardware involved to provide you with some more info:

Fortigate 100F

Fortiswitches 424E-FPOE, 448E-FPOE, and 448E.

FortiAP 231F.

Stay safe.

--CV

distillednetwork · ‎02-24-2023

Do you notice a high CPU on the Fortiswitch itself?

I have been told before to try to disable the following on the switch to reduce the controls on the port:

config switch-controller network-monitor-settings
set network-monitoring disable
end

config switch-controller lldp-settings
set device-detection disable
end

config switch-controller storm-control
set unknown-unicast disable
set unknown-multicast disable
set broadcast disable
end

config switch-controller system
set iot-weight-threshold 0
end

t-dalt13 · ‎04-12-2023

Hello Donnie,

I have the same problem with my fortigate -> fortiswitch -> fortiAP.

On port goes to ap STP periodically changes state, port goes down and ap reboots.

Do you find the solution?

ac1 · ‎05-06-2023

Hi Donnie,

I have the same situation between a FortiSwitch and an Alcatel-Lucent switch. Every second I have these logs:

The clients connected to the Alcatel switch cyclically lose packets towards the resources connected to the FortiSwitches.
In the first configuration the FortiSwitch and the Alcatel were connected with a LACP and I thought it was a STP problem, but now there is only one cable connected and the root bridge is FortiSwitch, there are no loops.

I have opened a support ticket, we will do a remote session.

ac

Fortinet Community

FortiSwitch: Spanning Tree Issue - Port disabled