Hello,
I have a Fortigate 401F that I currently have access to via the mgmt interface. This interface is connected to one of my core switches (catalyst 9300) via cat6 and I can reach it at 10.Y.X.115/25. The Fortigate and my switches are all in the same subnet 10.Y.X.0/25
I can ping the Fortigate from every switch in my network, so I know that all the switches can reach the fortigate.
My question comes into play because I am attempting to use the x3 interface (with an SFP transceiver from Fortinet) to connect to one of my switches (for example, SW-30). I have fiber run from SW-30 to the MDF in my primary server room, and when I plug in my NetScout, the interface on SW-30 comes up.
When I insert the fiber into x3 on the Fortigate, the interface on SW-30 goes down, and x3 continues to stay down.
At first I thought this was because x3 does not have an IP assigned to it, but when I attempt to put it on 10.Y.X.31 /25 it says I can have it on the same subnet as mgmt.
I will admit I am new to Fortigate products (and firewall configuration as a whole) but I am wondering what I am missing, and I'm not sure why x3 is not coming up.
Any suggestions would be appreciated.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1G with 10G cannot bring your link up unless you set it to auto or 1G.
You can change X interface speed on FG via CLI. Or better, you can use 1G port, since 10G port is expensive so it is a waste to use it for 1G.
Regarding IP conflict, check if your management port is "dedicated to management". You should find this on GUI or on CLI.
Hello
Hope it helps
On the Catalyst side we have a GLC-SX-MMD 1000BaseSX SFP
on the Fortigate side we have a FN-TRAN-SFP+SR
the catalyst interface:
Speed: 1000
Duplex: full
x3 on the Fortigate:
Port Speed: 10Gbps full duplex
optical cable is multi mode
I do not see a place in the GUI on the Fortigate where I can set x3 to auto negotiate.
Per Cisco documentation: "Negotiation —Usually built-in Gigabit Ethernet ports are capable of negotiation, but in cases like modular SFP or GBIC types, they do not negotiate. Line protocol can be down for a Gigabit Ethernet port when connected to a Fast Ethernet port."
Looking at this, should I attempt to force the Fortigate to drop down to 1Gbps full to match the Cisco side?
1G with 10G cannot bring your link up unless you set it to auto or 1G.
You can change X interface speed on FG via CLI. Or better, you can use 1G port, since 10G port is expensive so it is a waste to use it for 1G.
Regarding IP conflict, check if your management port is "dedicated to management". You should find this on GUI or on CLI.
I will look into swapping out the 10Gbps module and try that out. If that doesn't work, I'll dive into the CLI on the Fortigate.
The management port on the Fortigate does have Dedicated Management Port selected. (the slider is green) the trusted Host is 0.0.0.0/0, but I'm pretty sure that just means I can manage the firewall from any device.
Regarding address, there are few possible ways to resolve the problem. Here are some (in decreasing order of preference):
I swapped the SFP tranciever module from x3 and placed it into port 17 and both interfaces (port 17 on the Fortigate and the catalyst interface) came up.
This looks like it has solved the immediate issue. Thank you for your assistance!
Hi @viperpilot ,
What is the configuration n the Fortigate port ?
Are you using a compatible transceiver ?
Try to set the speed and duplex manually on both sides.
The configuration on x3 is currently default. When I attempted to set an IP(10.Y.X.31 /25) I was given the error message of "Conflicts with mgmt subnet"
All of my network devices live on the 10.Y.X.0 /25 network, so I was under the impression that address the MGMT interface on that subnet so I can manage it like my other network devices. If this is wrong, please let me know.
I'm wondering if the port on the Catalyst switch is "Blocking" state. Check the STP states at the switch like "show spanning-tree" or something like that. We haven't used any Catalyst for long time so I don't remember the command line any more.
If so, you have a spanning-tree loop.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.