Support Forum
viperpilot
New Contributor

Question about connecting devices (Catalyst Switches)

Hello,

 

I have a Fortigate 401F that I currently have access to via the mgmt interface. This interface is connected to one of my core switches (catalyst 9300) via cat6 and I can reach it at 10.Y.X.115/25. The Fortigate and my switches are all in the same subnet 10.Y.X.0/25

I can ping the Fortigate from every switch in my network, so I know that all the switches can reach the fortigate.

 

My question comes into play because I am attempting to use the x3 interface (with an SFP transceiver from Fortinet) to connect to one of my switches (for example, SW-30). I have fiber run from SW-30 to the MDF in my primary server room, and when I plug in my NetScout, the interface on SW-30 comes up.

When I insert the fiber into x3 on the Fortigate, the interface on SW-30 goes down, and x3 continues to stay down.

At first I thought this was because x3 does not have an IP assigned to it, but when I attempt to put it on 10.Y.X.31 /25 it says I can have it on the same subnet as mgmt.

I will admit I am new to Fortigate products (and firewall configuration as a whole) but I am wondering what I am missing, and I'm not sure why x3 is not coming up.

 

Any suggestions would be appreciated.

AEK
Honored Contributor II

Hello

  • Check the port configuration on both sides to make sure they are compatible with each other (in my experience auto negotiate is better)
  • Check that your cable is multi-mode
  • Ensure that the SFPs on both sides are compatible (I already saw a situation where 2 multi-mode SFPs from different vendors were not compatible with each other)

Hope it helps

AEK
viperpilot
New Contributor

On the Catalyst side we have a GLC-SX-MMD 1000BaseSX SFP

on the Fortigate side we have a FN-TRAN-SFP+SR

the catalyst interface:
Speed: 1000
Duplex: full

x3 on the Fortigate:

Port Speed: 10Gbps full duplex

optical cable is multi mode

I do not see a place in the GUI on the Fortigate where I can set x3 to auto negotiate.

 

Per Cisco documentation: "Negotiation —Usually built-in Gigabit Ethernet ports are capable of negotiation, but in cases like modular SFP or GBIC types, they do not negotiate. Line protocol can be down for a Gigabit Ethernet port when connected to a Fast Ethernet port."

 

Looking at this, should I attempt to force the Fortigate to drop down to 1Gbps full to match the Cisco side?

AEK
Honored Contributor II

1G with 10G cannot bring your link up unless you set it to auto or 1G.

You can change X interface speed on FG via CLI. Or better, you can use 1G port, since 10G port is expensive so it is a waste to use it for 1G.

Regarding IP conflict, check if your management port is "dedicated to management". You should find this on GUI or on CLI.

AEK
viperpilot
New Contributor

I will look into swapping out the 10Gbps module and try that out. If that doesn't work, I'll dive into the CLI on the Fortigate.

The management port on the Fortigate does have Dedicated Management Port selected. (the slider is green) the trusted Host is 0.0.0.0/0, but I'm pretty sure that just means I can manage the firewall from any device.

AEK
Honored Contributor II

Regarding the address, there are a few possible ways to resolve the problem. Here are some (in decreasing order of preference):

  1. You can just unconfigure the Mgmt port and enable HTTPS on the other port, since it is already in the Mgmt VLAN
  2. You can put management port in an isolated VRF
  3. Or you can configure FG to allow network overlap (not tested and can't confirm if it will work)

 

AEK
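The two CLI steps AEK mentions (changing the port speed, and dropping the dedicated mgmt port so the data port can carry management) as an added FortiOS CLI example that is not part of the thread. It assumes the interface names "x3" and "mgmt" from the original post and uses 10.Y.X.31/25 as a placeholder address; the commands are standard FortiOS `config system interface` settings, but check them against your firmware's CLI reference.

```text
# Added example, not from the thread. Assumes interfaces "x3" and "mgmt"
# (names from the original post). Run from the FortiOS CLI (console or SSH).

# 1) Match the 10G SFP+ port to the 1G GLC-SX-MMD on the Catalyst side.
#    Leaving x3 at 10G while the switch runs 1G keeps the link down;
#    "auto" or "1000full" resolves the mismatch.
config system interface
    edit "x3"
        set speed 1000full
    next
end

# 2) Verify link state and negotiated speed after the change.
diagnose hardware deviceinfo nic x3

# 3) Confirm whether mgmt is dedicated to management; that setting is why
#    an address in the same /25 is rejected with "Conflicts with mgmt subnet".
show system interface mgmt

# 4) AEK's option 1: stop dedicating mgmt and manage the unit through the
#    data port that is already in the management VLAN.
#    Replace 10.Y.X.31/25 with the real address.
config system interface
    edit "mgmt"
        set dedicated-to none
    next
    edit "x3"
        set ip 10.Y.X.31 255.255.255.128
        set allowaccess ping https ssh
    next
end
```

Once admin access is reachable on a data port, the 0.0.0.0/0 trusted host mentioned later in the thread means any host that can route to that port can reach the login page; restricting the admin account's trusted hosts to the management subnet keeps the exposure comparable to the dedicated port.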
viperpilot
New Contributor

I swapped the SFP transceiver module from x3 and placed it into port 17 and both interfaces (port 17 on the Fortigate and the catalyst interface) came up.

 

This looks like it has solved the immediate issue. Thank you for your assistance!

dbu
Staff

Hi @viperpilot ,
What is the configuration on the Fortigate port?
Are you using a compatible transceiver?

Try to set the speed and duplex manually on both sides.

 

Regards!
viperpilot
New Contributor

The configuration on x3 is currently default. When I attempted to set an IP (10.Y.X.31/25) I was given the error message "Conflicts with mgmt subnet".

All of my network devices live on the 10.Y.X.0/25 network, so I was under the impression that I should address the MGMT interface on that subnet so I can manage it like my other network devices. If this is wrong, please let me know.

Toshi_Esumi
Esteemed Contributor III

I'm wondering if the port on the Catalyst switch is in "Blocking" state. Check the STP states at the switch with "show spanning-tree" or something like that. We haven't used any Catalyst for a long time so I don't remember the command line any more.
If so, you have a spanning-tree loop.

 

Toshi
