MasterBratac
Contributor

LLDP

Hello all,

I'm trying to get my FortiGates registered via LLDP in my switches.

This works perfectly on two FGT-50E, currently on 5.4.1.

It does not work on 3x FGT-90D and on one 110C. These are all on 5.4.something firmware.

What I did:

config system interface
    edit "internal14"
        set vdom "root"
        set type physical
        set device-identification enable
        set lldp-transmission enable
    next
end

and:

config system global
    set lldp-transmission enable
end

 

Then:

diag lldptx restart

We use HP ProCurve switches.

Any idea?


1 Solution
MasterBratac

Good news:

"This issue got resolved in code, a fix will be provided in the upcoming FortiOS releases end of Q2. FortiOS version 5.4.5 is scheduled for around end of May 2017, 5.6.1 for around end of June. Please note that these estimated release dates are still subject to change. As soon as the release dates are fixed we'll update this ticket."

emnoc
Esteemed Contributor III

Hmmm......

How did you capture, if you are using tcpreplay? Did you connect directly to the interface and run the capture?

Are the HP switches enabled for LLDP on the correct ports?

Are the HP switches the same?

Can you swap the HP out for a spare switch (Cisco)?

Can you cable two ports back to back, run the FortiGate interfaces in VDOMs (a) and (b), and see if the FortiGates recognize the LLDP neighborships?

And did you try kicking it in the pants and restarting LLDPTX?

e.g.

 diag lldptx restart

 diag lldptx stats count

And I forgot to add: did you run diag debug?

e.g.

diag debug application lldptx -1

diag debug en

If the interface(s) are enabled for LLDP, you should get a message on the CLI terminal every time the schedule timer kicks off.

Ken

PCNSE NSE StrongSwan
MasterBratac

I'll tell you what exactly I did:

First of all, I'm a bit familiar with LLDP; I was involved in the development of this:

https://github.com/Prinzessor/WinLLDPService

I have two lab FGTs, a 50E and a 90D, here on my desk, and a ProCurve 5406.

Both FGTs are "sending" LLDP packets (proved with diag sniffer packet <interface> "not ip" 6).

The 50E is shown in the switch, the 90D is not.

I connected the 50E not to the switch but to my notebook running Wireshark. I could capture LLDP packets.

I could also send some from my notebook and see them in the FGT's sniffer.

Now I connected the 90D to my notebook. The FGT's sniffer shows that packets are sent, but Wireshark doesn't see them, and the NIC LED is not blinking either. When I send packets from my notebook, they show up in the FGT90's sniffer.

Then I used Fortinet's fgt2eth Perl script to convert the FGT90's sniffer output (the LLDP packets) to a tcpdump/Wireshark file, to analyse them in Wireshark. They looked good. So I sent the pcap file from my notebook with tcpreplay to my switch, and it registered correctly.

Am I missing something?
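Added example for the conversion and "they looked good" check described in the post above. This is not Fortinet's fgt2eth.pl and not code from anyone in the thread; it is a small stand-alone Python script that turns the hex dump printed by `diag sniffer packet <interface> "not ip" 6` into a pcap file and then decodes the LLDP TLVs the way Wireshark would show them. It assumes the verbosity-6 layout (a header line per packet starting with a relative timestamp, then hex-dump lines beginning with an `0x` offset, with the ASCII column after a tab); the sample sniffer lines, MAC addresses and the system name `fgt90d` are constructed here, not captured from a real FortiGate.

```python
"""Convert FortiOS sniffer verbosity-6 output to pcap and sanity-check the LLDP frames.

Added example, not Fortinet's fgt2eth.pl. Assumed layout: one header line per
packet (starting with a relative timestamp), then hex-dump lines that begin
with an "0x" offset and carry the optional ASCII column after a tab. A new
packet starts whenever the offset returns to 0x0000.
"""
import re
import struct

# Constructed sample (not real sniffer output): one LLDP frame with made-up
# MAC addresses and system name, laid out as verbosity 6 prints it.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[internal14]
filters=[not ip]
12.345678 internal14 -- 000c.2901.0203 -> 0180.c200.000e: type 88cc
0x0000\t 0180 c200 000e 000c 2901 0203 88cc 0207\t ................
0x0010\t 0400 0c29 0102 0304 0b05 696e 7465 726e\t ...)......intern
0x0020\t 616c 3134 0602 0078 0a06 6667 7439 3064\t al14...x..fgt90d
0x0030\t 0000\t ..
"""

HEADER_RE = re.compile(r"^(\d+\.\d+)\s+\S+")            # "12.345678 internal14 -- ..."
HEXLINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+(.*)$")    # "0x0010<TAB> 0400 0c29 ...<TAB>ascii"
HEXTOKEN_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){1,2}$")   # a 2- or 4-digit hex group

LLDP_ETHERTYPE = 0x88CC
TLV_NAMES = {1: "Chassis ID", 2: "Port ID", 3: "TTL", 4: "Port Description",
             5: "System Name", 6: "System Description"}


def parse_sniffer_output(text):
    """Return [(timestamp, frame_bytes), ...] parsed from sniffer verbosity-6 text."""
    packets, timestamp, current = [], 0.0, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            timestamp = float(m.group(1))      # header line: remember the packet time
            continue
        m = HEXLINE_RE.match(line)
        if not m:
            continue                           # "interfaces=[...]", "filters=[...]", etc.
        offset = int(m.group(1), 16)
        tokens = []
        for tok in m.group(2).split("\t")[0].split():   # drop the ASCII column
            if not HEXTOKEN_RE.match(tok):
                break
            tokens.append(tok)
        chunk = bytes.fromhex("".join(tokens))
        if offset == 0:                        # offset wrapped: a new packet begins
            current = bytearray()
            packets.append([timestamp, current])
        if current is None or offset != len(current):
            raise ValueError(f"unexpected offset 0x{offset:04x}")
        current += chunk
    return [(ts, bytes(buf)) for ts, buf in packets]


def to_pcap(packets):
    """Serialise (timestamp, frame) pairs as a classic pcap file (link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def lldp_tlvs(frame):
    """Split the LLDPDU of an Ethernet frame into (type, value) pairs, stopping at the End TLV."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs, pos = [], 14
    while pos + 2 <= len(frame):
        (hdr,) = struct.unpack("!H", frame[pos:pos + 2])
        ttype, tlen = hdr >> 9, hdr & 0x1FF  # 7-bit type, 9-bit length
        value = frame[pos + 2:pos + 2 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV")
        pos += 2 + tlen
        if ttype == 0:
            break
        tlvs.append((ttype, value))
    return tlvs


def check_lldpdu(tlvs):
    """Problems a switch would reject the LLDPDU for; an empty list means it looks good."""
    problems = []
    if [t for t, _ in tlvs][:3] != [1, 2, 3]:
        problems.append("mandatory TLVs must be Chassis ID, Port ID, TTL in that order")
    elif len(tlvs[2][1]) != 2 or struct.unpack("!H", tlvs[2][1])[0] == 0:
        problems.append("TTL must be a non-zero 16-bit value")
    return problems


def lldp_summary(frame):
    """The fields a switch shows in its neighbour table, plus any structural problems."""
    tlvs = lldp_tlvs(frame)
    summary = {"problems": check_lldpdu(tlvs)}
    for ttype, value in tlvs:
        name = TLV_NAMES.get(ttype)
        if ttype in (1, 2):                      # subtype byte, then the identifier
            subtype, ident = value[0], value[1:]
            shown = ident.hex(":") if subtype == 4 else ident.decode("ascii", "replace")
            summary[name] = (subtype, shown)
        elif ttype == 3:
            summary[name] = struct.unpack("!H", value)[0]
        elif name:
            summary[name] = value.decode("utf-8", "replace")
    return summary


if __name__ == "__main__":
    pkts = parse_sniffer_output(SAMPLE_SNIFFER_OUTPUT)
    with open("lldp.pcap", "wb") as fh:       # replay with: tcpreplay -i eth0 lldp.pcap
        fh.write(to_pcap(pkts))
    for ts, frame in pkts:
        print(f"{ts:.6f} {len(frame)} bytes: {lldp_summary(frame)}")
```

Feed real sniffer output in place of the constructed sample; the System Name entry in the summary is the hostname the switch will list, and a non-empty problems list is the first thing to look at when a frame that the sniffer shows is not accepted by the switch.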

emnoc
Esteemed Contributor III

Simple:

1: Did you try restarting LLDPTX?

2: Did you run the suggested diag debug app lldptx -1?

3: Are you in multi-VDOM mode?

4: How do you have the FGT90 set up with regard to set lldp-transmission enable, global vs. VDOM?

5: Have you tried rebooting the FGT90D?

6: Have you tried a different port?

7: Are these ports in an aggregate Ethernet (AE) interface? (5.4.x does not let you set an AE up with LLDP transmit enabled.)
MasterBratac

1: Did you try restarting LLDPTX?

Sure.

2: Did you run the suggested diag debug app lldptx -1?

Sure, messages show up.

3: Are you in multi-VDOM mode?

No, factory-reset test device. I only enabled some interfaces, global LLDP transmission, and transmission per interface.

4: How do you have the FGT90 set up with regard to set lldp-transmission enable, global vs. VDOM?

No VDOMs...

5: Have you tried rebooting the FGT90D?

More than sure.

6: Have you tried a different port?

Sure.

7: Are these ports in an aggregate Ethernet (AE) interface? (5.4.x does not let you set an AE up with LLDP transmit enabled.)

No, I know this KB article.

We have some 90Ds; LLDP works on none of them. We have a bunch of 50Es; LLDP works perfectly on all of them.

I've been fighting this for nearly two weeks now and did a lot of lab testing, and I can't get a single LLDP packet out of a 90D.

I also have a brand new 100D, still in its packaging... I'll try it with this on Monday....

Do you really have 90Ds with working LLDP? Which firmware? What kind of switches?

 

 

emnoc
Esteemed Contributor III

Yes, one FGT and one FWF model.

5.2.10

5.4.2

Nexus 3548, NX-OS 6.0.2

And it sends the correct hostname in the LLDP advertisement, which was always a problematic issue in the past ;) I will upgrade the unit running 5.2.10 to 5.4.4, maybe this weekend, and post any changes.

Ken
MasterBratac

With some older devices (80C, if I remember correctly, on 5.0 or 5.2.something) we also had problems, because they pushed the serial number instead of the hostname.

I will try to downgrade my test 90D to 5.4.2 on monday. I tested with 5.4.3 and 5.4.4 only.

localhost

Did you check the WAN1 and WAN2 ports for LLDP packets also, or just the internal switch ports (1-14)? Maybe it's some FortiGate switch hardware limitation or bug?

On a different model (FG-92D) we had an issue where it was not possible to use port1-14 for HA sync. We had to use wan1 and wan2. HA heartbeats were not coming out, but were visible in the FortiOS packet sniffer, just like in your case.

MasterBratac

I tried only with the internal separated switch ports. Will report back on monday.

MasterBratac

@localhost: I can confirm, it does work on WAN ports

@emnoc: It does not work with 5.4.2 on internal ports

 

EDIT:

The 100D is working on all interfaces with 5.4.4

MasterBratac

Hello all,

just for your information:

It's a bug that was already identified on the FGT70D.
