FortiSwitch: Spanning Tree Issue - Port disabled

Donnie_Brasco · ‎12-05-2022

Hi

I have a problem with spanning tree and ports being disabled. I don't know what to do and it is annoying me at times and prevents me from working. Maybe someone has an idea for further debugging.

My client (macOS) is directly connected to a FortiSwitch (124E), which in turn is directly connected to my 40F (trunk). There are some VLAN configured. Occasionally, the port (port20) my client is on gets disabled every few seconds and I lose connectivity.

FortiOS is on 7.0.8 and FortiSwitch 7.0.5. The network setup is very simple.

            +-----------+              +-----------+              +---------+
            |           +--------------+           |              |         |
WAN +-------+    40F    |    TRUNK     |   124E    +--------------+   MAC   |
            |           +--------------+           |              |         |
            +-----------+              +-----------+              +---------+

The error messages are as follows:

primary switch port port20 has gone down
primary port port20 instance 0 changed role from designated to disabled
primary port port20 instance 0 changed state from forwarding to discarding
primary switch port port20 has come up
primary port port20 instance 0 changed role from disabled to designated

What I have tried so far:

Various FortiSwitch port settings (STP, BPDU Guard, Root & Loop Guard, disable, etc.).
Disabling the trunk to the FortiGate (connectivity only via one link).
set the speed settings to "1Gbits only" or "auto
disable the WLAN interface (Ethernet only) on the client
various reboots
firmware upgrades (FTG and switch)

The error also occurred with other firmware. On the client there is a desktop hypervisor (Fusion) and one VM in bridge mode, but it is disabled. I am not sure if this could have an impact but it does not fit together in time

Any ideas for further debugging?

Thanks in advance.

Albert_Llena · ‎05-10-2023

Hello All,

I just recently migrate a factory and we are seeing the same issue, it is hard affecting production. It would be great if there are news about this issue. Thanks in advance

ac1 · ‎05-10-2023

Hi Albert,
I did the remote session with Fortinet support. The problem appears to be an incompatibility between RSTP and MSTP. The FortiSwitches only support MSTP which is backwards compatible with RSTP, but apparently it's not talking properly with RSTP (in my case these are Alcatel-Lucent switches).
So MSTP goes through all spanning-tree phases cyclically, that's why I see logs of STP status continuously.
To resolve it, MSTP must also be configured on the switches in cascade to FortiSwitch.

Albert_Llena · ‎05-11-2023

Thanks ac1,

In this project there are also Alcatel-Lucent switches so I think you gave me the solution. I will work in this direction.

Thanks again,

distillednetwork · ‎05-11-2023

You can also try disabling STP on the uplink from the alcatel to the fortiswitch by running:

bridge 1x1 ## #/# disable

replace ## with vlan ID

replate #/# with uplink port

You will need to do this with all vlans on the uplink port. Dont really need STP on the uplink port

ac1 · ‎05-11-2023

Hi distillednetwork,

yes, but the problem would not be solved. Furthermore, the management of the Root-Bridge would not be correct.
In large infrastructures it is not feasible.

jokes54321 · ‎06-05-2023

Were you able to resolve this? I don't have Alcatel-Lucent switches, I have a full FortiStack, with one Cisco 2960.

HA Pair of 200F

2 x 1048E setup with an MC-Lag ICL between them

7 x 548D, each wired to both 1048E

1 x 108E hanging off a single port of a 548D

What caused us to notice the issue is the uplink to the newly added 108E keeps going into a blocking status, with log entries very similar to the ones posted by the OP. While researching this, I noticed uplinks between the 1048E and 548D are going into blocking too, but with everything redundantly cabled, the users aren't feeling the impact.

We do have one Cisco 2960s hanging off a single port of the 1048E, perhaps this Cisco is injecting some weirdness into MSTP?

RafaelAlmonteTIC · ‎03-20-2024

Greetings,

I would like to know if you were able to solve this problem, because we are experiencing the same thing in the institution where I work.

jokes54321 · ‎03-21-2024

One of my network admins tracked it down in our environment. As I recall, a switch in a Dell VRTX had a lower STP priority than the FortiSwitches and kept taking the root role. Once he increased the STP priority on the VRTX switch, the problem went away.

Genobaseball10 · ‎03-21-2024

Hi Donnie! This may not be a spanning tree issue. Spanning tree may be reacting to the port just going down. Lets experiment with different cables, different hosts but keeping the same switch and if possible, using the same port and see if our results change.

CCNA | FCP | CWNA

Donnie_Brasco · ‎03-22-2024

Sorry ignoring your requests @t-dalt13 , @ac1 , @RafaelAlmonteTIC. Maybe the approach of @jokes54321 will help?

In the meantime I bought a new FortiGate and also made several upgrades (Switches & FortiOS). Fortunately, the problem has disappeared in the meantime, although the cabling is still the same. Unfortunately, I don't know exactly what the cause was.

@Genobaseball10 Cables were replaced and the problem existed only with a single host.