Hello everyone,
I'm trying to get my FortiGates registered via LLDP in my switches.
This works perfectly on two FGT-50E, currently on 5.4.1.
It does not work on 3x FGT-90D and on one 110C. These are all on 5.4.somewhat firmware.
What I did:
config system interface
edit "internal14"
set vdom "root"
set type physical
set device-identification enable
set lldp-transmission enable
next
end
and:
config system global
set lldp-transmission enable
end
Then:
diag lldpx restart
We use HP ProCurve switches.
Any idea?
Good news:
"This issue got resolved in code, a fix will be provided in the upcoming FortiOS releases end of Q2. FortiOS version 5.4.5 is scheduled for around end of May 2017, 5.6.1 for around end of June. Please note that these estimated release dates are still subject to change. As soon as the release dates are fixed we'll update this ticket."
Silly question but figured I would start from the very top. Did we confirm that it is configured exactly as it is on the 50E's? Also, are you using the same type of switch at all locations?
Mike Pruett
I have a new 50E and a new 90D right here on my desk ;-).
Both 5.4.4, both factory reset.
Both doing the above config changes, nothing else.
50E working, 90D not. Both on the same switch (HP Procurve 5406).
Mike Pruett
I think I'll open a support ticket ...
Before you do that, did you run diagnose sniffer packet on the interface(s) and check whether LLDP is or is not being sent?
e.g.
diag sniffer packet <interface_name> "not ip"
FWIW, we have FGT90D that are working correctly on 5.4.x
PCNSE
NSE
StrongSwan
You are pointing me into the right direction I think.
The 90D is sending packets.
50E Packet:
29.967064 lan1 -- lldp 157 chassis 4 08:5b:0e:ea:69:57 port 1 'LAN Avaya' ttl 120 system 'FGT50E-WWW-AVAYA'
0x0000 0180 c200 000e 085b 0eea 6957 88cc 0207 .......[..iW....
0x0010 0408 5b0e ea69 5704 0a01 4c41 4e20 4176 ..[..iW...LAN.Av
0x0020 6179 6106 0200 780a 1046 4754 3530 452d aya...x..FGT50E-
0x0030 5757 572d 4156 4159 410c 2a46 6f72 7469 WWW-AVAYA.*Forti
0x0040 4761 7465 2d35 3045 2076 352e 342e 342c Gate-50E.v5.4.4,
0x0050 6275 696c 6431 3131 372c 3137 3032 3039 build1117,170209
0x0060 2028 4741 290e 0400 1400 1010 0c05 01c0 .(GA)...........
0x0070 a82a 0202 0000 0006 00fe 0900 120f 0300 .*..............
0x0080 0000 0006 fe09 0080 c207 0000 0000 06fe ................
0x0090 1808 090f 02b6 f8ee 5660 8361 e98c 8c3c ........V`.a...<
0x00a0 62f9 3913 7570 e7ee 5a00 00 b.9.up..Z..
90D packet:
29.760512 internal14 -- lldp 147 chassis 4 90:6c:ac:88:fa:19 port 5 'internal14' ttl 120 system 'Test1'
0x0000 0180 c200 000e 906c ac88 fa19 88cc 0207 .......l........
0x0010 0490 6cac 88fa 1904 0b05 696e 7465 726e ..l.......intern
0x0020 616c 3134 0602 0078 0a05 5465 7374 310c al14...x..Test1.
0x0030 2a46 6f72 7469 4761 7465 2d39 3044 2076 *FortiGate-90D.v
0x0040 352e 342e 342c 6275 696c 6431 3131 372c 5.4.4,build1117,
0x0050 3137 3032 3039 2028 4741 290e 0400 1400 170209.(GA).....
0x0060 1010 0c05 0182 32c7 c702 0000 0012 00fe ......2.........
0x0070 0900 120f 0300 0000 0012 fe09 0080 c207 ................
0x0080 0000 0000 12fe 1808 090f 0243 4a6f d7e1 ...........CJo..
0x0090 02e0 6401 00b0 e17a b993 f5f8 6660 d100 ..d....z....f`..
0x00a0 00
Perhaps it is a switch related problem. I'll try with another switch and/or firmware of the switch.
Do you use HP switches?
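As an added example (not from this post or from Fortinet), the following Python decoder walks the LLDP TLV chain of the 90D frame transcribed from the hex dump above; it shows that the frame itself is well formed (chassis ID, port ID, TTL 120, system name and description, management address), which is useful when deciding whether a missing LLDP neighbour is a frame-content problem or a transmit/switch problem.

```python
import struct

# 90D frame transcribed from the sniffer dump above: 14-byte Ethernet header + 147-byte LLDPDU.
FGT90D_FRAME = bytes.fromhex(
    "0180c200000e906cac88fa1988cc020704906cac88fa19040b05696e7465726e"
    "616c3134060200780a0554657374310c2a466f727469476174652d3930442076"
    "352e342e342c6275696c64313131372c31373032303920284741290e04001400"
    "10100c05018232c7c7020000001200fe0900120f030000000012fe090080c207"
    "0000000012fe1808090f02434a6fd7e102e0640100b0e17ab993f5f86660d100"
    "00"
)

def parse_lldp_frame(frame: bytes) -> dict:
    """Walk the LLDP TLV chain (2-byte header: 7-bit type, 9-bit length)."""
    if len(frame) < 14 or frame[12:14] != b"\x88\xcc":
        raise ValueError("not an LLDP frame (EtherType != 0x88cc)")
    out = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "org_tlvs": []}
    off = 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        val = frame[off + 2:off + 2 + tlen]
        if len(val) != tlen:
            raise ValueError(f"truncated TLV at offset {off}")
        off += 2 + tlen
        if ttype == 0:                      # End of LLDPDU
            return out
        if ttype == 1:                      # Chassis ID; subtype 4 = MAC address
            out["chassis_id"] = val[1:].hex(":") if val[0] == 4 else val[1:].decode(errors="replace")
        elif ttype == 2:                    # Port ID; subtype 5 = interface name
            out["port_id"] = val[1:].decode(errors="replace") if val[0] in (5, 7) else val[1:].hex(":")
        elif ttype == 3:                    # TTL in seconds (120 on both FortiGates)
            out["ttl"] = struct.unpack("!H", val)[0]
        elif ttype == 5:
            out["system_name"] = val.decode(errors="replace")
        elif ttype == 6:
            out["system_description"] = val.decode(errors="replace")
        elif ttype == 7:                    # System capabilities: supported, enabled
            out["capabilities"], out["enabled_capabilities"] = struct.unpack("!HH", val)
        elif ttype == 8 and val[0] == 5 and val[1] == 1:   # IPv4 management address
            out["mgmt_address"] = ".".join(str(b) for b in val[2:6])
        elif ttype == 127:                  # Organisation-specific: (OUI, subtype, data)
            out["org_tlvs"].append((val[0:3].hex("-"), val[3], val[4:].hex()))
    raise ValueError("missing End-of-LLDPDU TLV")

if __name__ == "__main__":
    for k, v in parse_lldp_frame(FGT90D_FRAME).items():
        print(f"{k}: {v}")
```

The same function decodes the 50E dump if you transcribe its bytes the same way; the two frames differ only in the values of the TLVs, not in their structure.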
Or run it on another interface port and use wireshark/tshark/windump on a machine to see if the LLDP packets are being received. If they are, and you see LLDP packets at the advertisement interval, then you can conclude that it is the HP switch.
Ken
PCNSE
NSE
StrongSwan
I think it's definitely a Fortinet problem.
The LLDP packets sent by the FortiGate, which show up in the Fortinet sniffer, are not coming out of the interface.
I can't fetch them with Wireshark.
The other way is OK. If I'm generating LLDP packets and sending them to the FortiGate, they show up in the Forti sniffer.
Btw, if I use tcpreplay to send the 90D packet to the switch, it shows up in the switch's LLDP table.