Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Donnie_Brasco
New Contributor

Created on ‎12-05-2022 01:36 AM

FortiSwitch: Spanning Tree Issue - Port disabled

Hi

 

I have a problem with spanning tree and ports being disabled. I don't know what to do and it is annoying me at times and prevents me from working. Maybe someone has an idea for further debugging.

 

My client (macOS) is directly connected to a FortiSwitch (124E), which in turn is directly connected to my 40F (trunk). There are some VLAN configured. Occasionally, the port (port20) my client is on gets disabled every few seconds and I lose connectivity.

 

FortiOS is on 7.0.8 and FortiSwitch 7.0.5. The network setup is very simple.

 

            +-----------+              +-----------+              +---------+
            |           +--------------+           |              |         |
WAN +-------+    40F    |    TRUNK     |   124E    +--------------+   MAC   |
            |           +--------------+           |              |         |
            +-----------+              +-----------+              +---------+

 

 The error messages are as follows:

 

primary switch port port20 has gone down
primary port port20 instance 0 changed role from designated to disabled
primary port port20 instance 0 changed state from forwarding to discarding
primary switch port port20 has come up
primary port port20 instance 0 changed role from disabled to designated

 

2022-12-05_09-12-42.png 

What I have tried so far:

 

  • Various FortiSwitch port settings (STP, BPDU Guard, Root & Loop Guard, disable, etc.).
  • Disabling the trunk to the FortiGate (connectivity only via one link).
  • set the speed settings to "1Gbits only" or "auto
  • disable the WLAN interface (Ethernet only) on the client
  • various reboots
  • firmware upgrades (FTG and switch)

 

The error also occurred with other firmware. On the client there is a desktop hypervisor (Fusion) and one VM in bridge mode, but it is disabled. I am not sure if this could have an impact but it does not fit together in time

 

Any ideas for further debugging?

 

Thanks in advance.

Labels:
31112
0 Kudos
20 REPLIES 20
Albert_Llena
New Contributor
In response to ac1

Created on ‎05-10-2023 12:09 AM

Hello All, 

 

I just recently migrate a factory and we are seeing the same issue, it is hard affecting production. It would be great if there are news about this issue. Thanks in advance

8081
0 Kudos
ac1
Contributor II
In response to Albert_Llena

Created on ‎05-10-2023 09:44 AM

Hi Albert,
I did the remote session with Fortinet support. The problem appears to be an incompatibility between RSTP and MSTP. The FortiSwitches only support MSTP which is backwards compatible with RSTP, but apparently it's not talking properly with RSTP (in my case these are Alcatel-Lucent switches).
So MSTP goes through all spanning-tree phases cyclically, that's why I see logs of STP status continuously.
To resolve it, MSTP must also be configured on the switches in cascade to FortiSwitch.

 

8065
Albert_Llena
New Contributor
In response to ac1

Created on ‎05-11-2023 01:42 AM

Thanks ac1,

 

In this project there are also Alcatel-Lucent switches so I think you gave me the solution. I will work in this direction.

 

Thanks again,

8050
distillednetwork
Contributor III
In response to Albert_Llena

Created on ‎05-11-2023 06:19 AM

You can also try disabling STP on the uplink from the alcatel to the fortiswitch by running:

bridge 1x1 ## #/# disable

replace ## with vlan ID

replate #/# with uplink port

 

You will need to do this with all vlans on the uplink port.  Dont really need STP on the uplink port

8037
ac1
Contributor II
In response to distillednetwork

Created on ‎05-11-2023 06:25 AM

Hi distillednetwork,

yes, but the problem would not be solved. Furthermore, the management of the Root-Bridge would not be correct.
In large infrastructures it is not feasible.

8034
0 Kudos
jokes54321
New Contributor III
In response to Albert_Llena

Created on ‎06-05-2023 06:53 PM

Were you able to resolve this? I don't have Alcatel-Lucent switches, I have a full FortiStack, with one Cisco 2960.

 

HA Pair of 200F

2 x 1048E setup with an MC-Lag ICL between them

7 x 548D, each wired to both 1048E

1 x 108E hanging off a single port of a 548D

 

What caused us to notice the issue is the uplink to the newly added 108E keeps going into a blocking status, with log entries very similar to the ones posted by the OP. While researching this, I noticed uplinks between the 1048E and 548D are going into blocking too, but with everything redundantly cabled, the users aren't feeling the impact.

 

We do have one Cisco 2960s hanging off a single port of the 1048E, perhaps this Cisco is injecting some weirdness into MSTP?

 

7843
0 Kudos
RafaelAlmonteTIC
New Contributor

Created on ‎03-20-2024 09:47 AM

Greetings,

I would like to know if you were able to solve this problem, because we are experiencing the same thing in the institution where I work.

4768
0 Kudos
jokes54321
New Contributor III
In response to RafaelAlmonteTIC

Created on ‎03-21-2024 01:27 PM

One of my network admins tracked it down in our environment.  As I recall, a switch in a Dell VRTX had a lower STP priority than the FortiSwitches and kept taking the root role. Once he increased the STP priority on the VRTX switch, the problem went away. 

4727
0 Kudos
Genobaseball10
New Contributor III

Created on ‎03-21-2024 03:32 PM

Hi Donnie! This may not be a spanning tree issue. Spanning tree may be reacting to the port just going down. Lets experiment with different cables, different hosts but keeping the same switch and if possible, using the same port and see if our results change.

CCNA | FCP | CWNA
CCNA | FCP | CWNA
4722
Donnie_Brasco
New Contributor

Created on ‎03-22-2024 01:40 AM

Sorry ignoring your requests @t-dalt13 , @ac1 , @RafaelAlmonteTIC. Maybe the approach of @jokes54321 will help?

 

In the meantime I bought a new FortiGate and also made several upgrades (Switches & FortiOS). Fortunately, the problem has disappeared in the meantime, although the cabling is still the same. Unfortunately, I don't know exactly what the cause was.

 

@Genobaseball10 Cables were replaced and the problem existed only with a single host.

4699
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.