Fortiswitch Onboard via Aruba

Alan1212 · ‎09-18-2024

to IT gurus.

What must be done on the Aruba switch port in order for Fortiswitch to initiate?

As of right now, the Aruba switch serves as our lone connection to FortiGate while we work to manage a new Fortiswitch. See the following quick topology.

Fortigate connected to Aruba ( Trunk port Native Vlan1 ,)
Aruba ( Trunk port Native Vlan1 ,) connected to Fortiswitch (Port 49 trunk, Native vlan1)

Fortigate sees the Fortiswitch and Athorises it however its status : "offline", "port disconnected"

Logs from Fortigate:

Switch-Controller authorized

CAPUTP session status notification

Switch-Controller Tunnel Up

Switch-Controller Switch Sync Error - Message global-lldp-settings failed:-13

Switch-Controller Switch Sync Error - Message global-lldp-profile failed:1

Switch-Controller Switch Sync Error -Message qos.dscp-map failed:-7621

NAC MAC cache sync - NAC MAC cache cleared on switch S14xxxxxxxxx port (null)

Switch-Controller Tunnel Down - CAPWAP Tunnel Down

CAPUTP session status notification -Message S1xxxxxxxxxxx echo message timed out

Switch-Controller Switch Sync Error-Message Config download failed

Switch-Controller Switch Sync Error - Message qos.queue-policy failed:-7621

Switch-Controller Daemon Log (Critical) Message - port add failed with default-vlan=_default

Switch-Controller Daemon Log (Critical) Message - port add failed for port1

Has anyone done it before, and is there an idea for how we can onboard Fortiswitch via Aruba switch?

cheers

Sx11 · ‎09-26-2024

Hi Alan,

the command of set source-ip fixed should be run in FortiGate:

fortiGateLab (port5) # show
config system interface
edit "port5"
set vdom "root"
set fortilink enable
set switch-controller-source-ip fixed <----
set ip 10.10.250.1 255.255.255.0
set allowaccess ping fabric

In addition to that check the following guide steps:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Fix-FortiSwitch-showing-with-the-Off...

Make sure NTP and Native vlan are set as per the troubleshooting guide.

sx11

View solution in original post

Sx11 · ‎09-19-2024

Hello Alan1212,

is the FortiSwitch configured as per guide for FortiLink L3 mode?

Check the following: https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801182/fortilink-mod...

sx11

Alan1212 · ‎09-19-2024

thanks, I've tried to follow the doco but Fortiswitch with 7.2 firmware do not have those commands anymore to convert Ports with L3 modes.

Sx11 · ‎09-20-2024

Hi Alan,

which commands exactly?

The doc for 7.2 Firmware: https://docs.fortinet.com/document/fortiswitch/7.2.9/fortilink-guide/801182/fortilink-mode-over-a-la...

Starting in FortiOS 7.2.1, the set fortilink-l3-mode command is deprecated. Instead, you can create a static inter-switch link (ISL) trunk and then enable or disable automatic VLAN configuration on the manually created (static) ISL trunk:

config switch trunk

edit <trunk_name>

set static-isl enable

set static-isl-auto-vlan {enable | disable}

sx11

Alan1212 · ‎09-22-2024

hi sx11

I've followed this KB, here's the command output. Despite I've set the port49 as DHCP and all vlans on upswitch aruba's trunk port is allowed the port does not get any IP or can ping the fortigate.

--------------------------------------------------

S148F (port49) # config system interface
SS148F (port49) # edit port49
S148F set switch-controller-source-ip-fixed

command parse error before 'switch-controller-source-ip-fixed'
Command fail. Return code -61

S148F # config switch-controller global

S148F (global) # set ac-discovery-type static

S148F (global) # config ac-list

S148F (ac-list) #
new entry '1' added

S148F (global) ## set ac-discovery-type dhc

S148F (global) # setu ac-dhscp-option-code 138

S148F (trunk) # edit
name Trunk name.

S148F (trunk) # edit tr1
new entry 'tr1' added

S148F9 (tr1) # set set static-isl enable

S148F (tr1) # set static-isl-auto-vlan enable

S148F (tr1) # set members port49

S148F (tr1) # next

S148F (trunk) # end

Sx11 · ‎09-26-2024

Hi Alan,

the command of set source-ip fixed should be run in FortiGate:

fortiGateLab (port5) # show
config system interface
edit "port5"
set vdom "root"
set fortilink enable
set switch-controller-source-ip fixed <----
set ip 10.10.250.1 255.255.255.0
set allowaccess ping fabric

In addition to that check the following guide steps:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Fix-FortiSwitch-showing-with-the-Off...

Make sure NTP and Native vlan are set as per the troubleshooting guide.

sx11

Alan1212 · ‎09-29-2024

sx11 thank you for the hints.

The fortiswitch is showing in FortiGate under Wifi&switch Controller/Fortiswitch Cleints now. The trunk ports on Aruba and Fortisiwtch are allowed to pass all necessary vlans and the fortiswitch's ports' are manageable from "Fortiswitch Ports" on Fortigate. it will allow us to work in this area for now until we'll get a dedicated link to FortiGate.

Sx11 · ‎09-30-2024

That's good news! Happy to have helped.

Regards

sx11

Fortiswitch Onboard via Aruba

Nominate a Forum Post for Knowledge Article Creation