ahamza89
New Contributor

Switch disconnecting frequently

Facing an issue with one of the access switches going offline again and again.

FortiGate as a controller running on 6.4.9

Core Switch 1048E running v 6.4.11

Access Switch 124F running v6.4.11

NTP is synced. Only switch 124F is having an issue.

Core switch connected as MCLAG peers; other access switch has the below configuration

config switch trunk
edit "E48T0000000213-0"   ----->>>>> to another Core SW 1048E
set mode lacp-active
set auto-isl 1
set mclag-icl enable
set members "port45"
next
edit "G6H00000000"  ------->>>  TO Fortigate
set auto-isl 1
set fortilink 1
set mclag enable
set members "port48"
next
edit "4FF00000009417-0"  -------------->>>> Access Sw 124F connected
set mode lacp-active
set auto-isl 1
set mclag enable
set members "port2"
next

 **************************************

************* Troubled switch logs

connectivity

[image]

[image]
ahamza89

F5-SW-X Trunk Config

[image]

F5-SW-Y Trunk Config

[image]

F5-SW-Z Trunk Config

[image]

Core-Y Trunk to F5

[image]

ahamza89

I cannot see the 'set mclag enable' or 'set mclag-icl' command on FortiSwitch 124 on any trunk interfaces.

[image]

[image]

gfleming

OK, right, 100-series do not support MCLAG.

Looking in more detail at your design, it is strange because everywhere you are configuring LACP trunks with only one port as member. It *should* work but it's not necessary. A trunk is intended to bundle multiple interfaces into a single logical interface to provide increased bandwidth and resiliency.

Your trunks are just single interfaces, so configuring trunks like that is superfluous and you might as well just keep them as regular interfaces.

STP will take care of the loop and block the redundant links as you see happening on F5-SW-Z.

So yes, it makes sense that your switches work; it's just a strange configuration using LACP when it's not really needed (i.e. only one link).

So why is F7-SW-Y disconnecting? Definitely seems like there is some communication block happening as the ISL times out and STP process begins.

Can you confirm if the link is more stable with only one of the interfaces connected on F7-SW-Y?

Try connecting only port 28 on F7-SW-Y to port 28 on F7-SW-Z and see how it behaves...

Cheers,
Graham
ahamza89

Means somehow disti switch connectivity is OK.

Regarding trunk configuration, I didn't configure these trunk interfaces; the trunk is auto-created on both ends as soon as the disti switches are connected to core (auto-authorise enabled on FortiLink).

Will it be good if I extend a direct connection from SW-Z to any of the cores (I have core-x and core-y) and remove the links between disti switches x, y, z?

SW-X and SW-Y have direct connections to core x & y.

gfleming

Oh sorry, I get it now. Yes, that's all done automatically by FortiLink.

So here's the thing: you do have an MC-LAG enabled core where you *can* create a trunk interface on a downstream switch that connects simultaneously to both core switches. That way you get more bandwidth and resiliency in case one of the core switches goes down.

You can try connecting sw-z to core. Try putting one port to core-a and the other to core-b.

Cheers,
Graham
ahamza89

Yes. Both core switches are MCLAG peers.

[image]

Port 45 connection between core switches.

[image]

Correct me: you mean each downstream switch should be connected to both core switches? (so here's the thing you do have MC-LAG enabled core where you *can* create a trunk interface on a downstream switch that connects simultaneously to both core switches.)

[image]

gfleming

Yes that is the benefit of MC-LAG. You can establish a trunk from access switches using two interfaces going to each core switch. 

See here: https://docs.fortinet.com/document/fortiswitch/7.2.1/fortilink-guide/780635/switch-redundancy-with-m...

Cheers,
Graham
ahamza89
New Contributor

What about the OS: is an upgrade required, or is 6.4.11 best? FortiGate is on 6.4.9.

gfleming

6.4 is pretty stable. If all your switches are on same 6.4.11 then keep it that way IMO.

Cheers,
Graham