Hello all,
I'm trying to get my Fortigates registered via LLDP in my switches.
This works perfectly on two FGT-50E, currently on 5.4.1.
It does not work on 3x FGT-90D and on one 110C. These are all on 5.4.somewhat firmware.
What I did:
config system interface
    edit "internal14"
        set vdom "root"
        set type physical
        set device-identification enable
        set lldp-transmission enable
    next
end
and:
config system global
set lldp-transmission enable
end
Then:
diag lldptx restart
We use HP ProCurve switches.
Any idea?
Good news:
"This issue got resolved in code, a fix will be provided in the upcoming FortiOS releases end of Q2. FortiOS version 5.4.5 is scheduled for around end of May 2017, 5.6.1 for around end of June. Please note that these estimated release dates are still subject to change. As soon as the release dates are fixed we'll update this ticket."
hmmm......
How did you capture if you are using tcpreplay? Did you connect directly to the interface and run the capture?
Are the HPs enabled for LLDP on the correct ports?
HP-switches are the same?
Can you change the HP out to a spare switch ( cisco ) ?
Can you cable 2 ports back to back, run the Fortigate's interfaces in vdom (a) and (b), and see if the Fortigates recognize the LLDP neighborships?
And did you try kicking it in the pants and restarting LLDPTX?
e.g
diag lldptx restart
diag lldptx stats count
And I forgot to add did you run diag debug ?
e.g
diag debug application lldptx -1
diag debug en
If the interface(s) are enabled for LLDP, you should get a message on the CLI terminal every time the schedule timer kicks off.
ken
PCNSE
NSE
StrongSwan
I'll tell you what exactly I did:
First of all, I'm a bit familiar with LLDP; I was involved in the development of this:
https://github.com/Prinzessor/WinLLDPService
I've two lab FGTs 50E and 90D here on my desk and a Procurve 5406.
Both FGTs are "sending" LLDP packets (proved with diag sniffer packet interface "not ip" 6).
The 50E is shown in the switch, the 90D not.
I connect the 50E not to the switch, but to my notebook running wireshark. I could capture LLDP packets.
I could send some on my notebook, and also see them in the FGTs sniffer.
Now I connect the 90D to my notebook. The FGT's sniffer shows that packets are sent, but Wireshark doesn't see them, and the NIC LED is not blinking either. When I send packets with my notebook, they show up in the FGT90's sniffer.
Now I used fortinets fgt2eth perl script to convert the FGT90s sniffer output (the lldp packets) to tcpdump/wireshark file, to analyse them in wireshark. They looked good. So I sent the pcap file from my notebook with tcpreplay to my switch, and it registered correctly.
Am I missing something?
Simple
1: Did you try restarting the LLDPTX?
2: Did you run the suggested diag debug app lldptx -1?
3: Are you in multi-vdom mode?
4: How do you have the FGT90 running with regards to set lldp-transmission enable, global vs. vdom?
5: Have you tried rebooting the FGT90D?
6: Have you tried a different port?
7: Are these ports in an aggregate Ethernet interface? ( 5.4.x does not let you set AE up with lldp transmit enable )
PCNSE
NSE
StrongSwan
1: Did you try restarting the LLDPTX?
Sure.
2: Did you run the suggested diag debug app lldptx -1?
Sure, messages show up.
3: Are you in multi-vdom mode?
No, factory-reset testing device. Only enabled some interfaces, global LLDP transmission and transmission per interface.
4: How do you have the FGT90 running with regards to set lldp-transmission enable, global vs. vdom?
No vdoms...
5: Have you tried rebooting the FGT90D?
More than sure.
6: Have you tried a different port?
Sure.
7: Are these ports in an aggregate Ethernet interface? ( 5.4.x does not let you set AE up with lldp transmit enable )
No, I know this KB.
We have some 90Ds; LLDP works on none of them. We have a bunch of 50Es; LLDP works perfectly on all of them.
I'm fighting this for about nearly 2 weeks now, did a lot of lab testing, I can't get a single lldp packet out of a 90D.
I also have a brand new 100D, still in its packaging ... I'll try it with this on monday ....
Do you really have 90Ds with working lldp? Which firmware? What kind of switches?
Yes, 1 FGT and one FWF model.
5.2.10
5.4.2
nexus3548 NXOS 6.0.2
And it sends the correct hostname in the LLDP advertisement, which was always a problematic issue in the past ;) I will upgrade the unit running 5.2.10 to 5.4.4 maybe this weekend and post any changes.
Ken
PCNSE
NSE
StrongSwan
With some older devices, 80C if I remember correctly, on 5.0 or 5.2.somewhat we also had problems, because they pushed the serial number instead of the hostname.
I will try to downgrade my test 90D to 5.4.2 on monday. I tested with 5.4.3 and 5.4.4 only.
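The check the thread keeps coming back to, converting the FortiOS sniffer output to a capture and looking at what the unit actually advertises (and, from the older-firmware remark above, whether the system name is the hostname or the serial number), can be reproduced offline. The following is an added Python example, not code from the thread, from Fortinet or from fgt2eth: it rebuilds a frame from a hex dump in the sniffer's verbosity-6 style (the column layout is assumed), walks the LLDP TLVs, and flags the things a switch would reject or an admin would notice: mandatory TLVs missing or out of order, a zero TTL, and a system name that differs from the expected hostname. The source MAC, port name and hostnames are constructed.

```python
"""Decode an LLDP frame from a FortiOS-sniffer-style hex dump and check what the
unit advertises. Added example; MAC, port name and hostnames are constructed."""
import struct

ETHERTYPE_LLDP = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")   # IEEE 802.1AB nearest-bridge address
SRC_MAC = bytes.fromhex("00090f000001")       # constructed; 00:09:0f is a Fortinet OUI

# TLV types and ID subtypes (IEEE 802.1AB-2009, clause 8.5)
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYS_NAME = 0, 1, 2, 3, 5
SUBTYPE_MAC_CHASSIS, SUBTYPE_MAC_PORT, SUBTYPE_IFNAME_PORT = 4, 3, 5


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, port_name, system_name, ttl=120):
    """Minimal LLDPDU a FortiGate-like device sends on one port (constructed)."""
    pdu = (tlv(TLV_CHASSIS_ID, bytes([SUBTYPE_MAC_CHASSIS]) + src_mac)
           + tlv(TLV_PORT_ID, bytes([SUBTYPE_IFNAME_PORT]) + port_name.encode())
           + tlv(TLV_TTL, struct.pack("!H", ttl))
           + tlv(TLV_SYS_NAME, system_name.encode())
           + tlv(TLV_END, b""))
    return LLDP_MCAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + pdu


def bytes_to_hexdump(frame):
    """Render bytes in the assumed sniffer layout: offset, 16-bit words, ASCII."""
    lines = []
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        words = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 < b < 127 else "." for b in chunk)
        lines.append(f"0x{off:04x}\t {words:<39}\t {text}")
    return "\n".join(lines)


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from hex-dump lines (the step fgt2eth performs before
    writing a pcap). A line carries at most eight 16-bit words; parsing stops at
    the first token that is not 2 or 4 hex digits, which skips the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
            continue
        if int(tokens[0], 16) != len(out):
            raise ValueError(f"offset {tokens[0]} does not follow the previous line")
        words = []
        for tok in tokens[1:]:
            if len(words) == 8 or len(tok) not in (2, 4) \
                    or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break
            words.append(tok)
        out += bytes.fromhex("".join(words))
    return bytes(out)


def parse_lldp(frame):
    """Walk the TLVs and return the fields a switch's neighbour table would show."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "chassis_id": None,
            "port_id": None, "ttl": None, "system_name": None, "tlv_order": []}
    off = 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        off += 2 + length
        if t == TLV_END:
            break
        info["tlv_order"].append(t)
        if t == TLV_CHASSIS_ID:
            info["chassis_id"] = (value[1:].hex(":") if value[0] == SUBTYPE_MAC_CHASSIS
                                  else value[1:].decode(errors="replace"))
        elif t == TLV_PORT_ID:
            info["port_id"] = (value[1:].hex(":") if value[0] == SUBTYPE_MAC_PORT
                               else value[1:].decode(errors="replace"))
        elif t == TLV_TTL:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif t == TLV_SYS_NAME:
            info["system_name"] = value.decode(errors="replace")
    return info


def validate_lldp(info, expected_hostname):
    """Return a list of reasons a neighbour entry would be wrong or missing."""
    problems = []
    if info["dst"] != LLDP_MCAST.hex(":"):
        problems.append(f"unexpected destination {info['dst']}")
    if info["tlv_order"][:3] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        problems.append("mandatory TLVs missing or out of order (chassis, port, TTL must come first)")
    if not info["ttl"]:
        problems.append("TTL is zero: this is a shutdown LLDPDU, the neighbour gets removed")
    if info["system_name"] != expected_hostname:
        problems.append(f"system name {info['system_name']!r} is not the hostname {expected_hostname!r}")
    return problems


if __name__ == "__main__":
    dump = bytes_to_hexdump(build_lldp_frame(SRC_MAC, "internal14", "fgt-lab-90d"))
    print(dump)
    info = parse_lldp(hexdump_to_bytes(dump))
    print(info)
    print("problems:", validate_lldp(info, "fgt-lab-90d") or "none")
```

Paste a real sniffer dump (one packet, verbosity 6) into hexdump_to_bytes in place of the constructed one; if parse_lldp raises or validate_lldp lists a problem, the frame itself is the reason the switch shows nothing, whereas a clean result with no neighbour entry points at the path between the sniffer and the wire, which is what the thread ends up diagnosing.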
Did you check the WAN1 and WAN2 ports for LLDP packets also or just the internal switch ports (1-14)? Maybe it's some Fortigate-switch hardware limitation or bug?
On a different model (FG-92d) we had an issue where it was not possible to use port1-14 for ha-sync. We had to use wan1 and wan2. HA heartbeats were not coming out, but visible in the FortiOS packet sniffer - just like in your case.
I tried only with the internal separated switch ports. Will report back on monday.
@localhost: I can confirm, it does work on WAN ports
@emnoc: It does not work with 5.4.2 on internal ports
EDIT:
The 100D is working on all interfaces with 5.4.4
Hello all,
just for your information:
It's a bug that was already identified on the FGT70D.