Description
This article is a FortiSwitch Troubleshooting Guide. 3 main points will be presented:
- Unable to authorize FortiSwitch.
- FortiSwitch is not online on FortiGate.
- Second FortiSwitch is not coming online or flapping.
Scope
FortiSwitch.
Solution
- Unable to authorize FortiSwitch.
If it is possible to see the FortiSwitch on the FortiGate web interface but are unable to Authorize the FortiSwitch, follow below steps:
- Go to Wifi & Switchcontroller --> Managed Fortiswitches, select Authorize on FortiSwitch, and if the FortiSwitch is still in an Unauthorized state check below
- Go to Wifi & Switchcontroller --> Fortiswitch Vlans
- Check for vlanid 1, with the name default.<interface_name> or vsw.<interface_name>. For example, If the interface name is ForitLink, default.fortilink or vsw.fortlink)
- The vlanid for this interface has to be 1 and the name should not be changed.
- If this VLAN is missing, Go to FortiGate --> Network --> Interfaces. Check for any unused or duplicate VLAN's with VlanID 1 and name default.fortilink or vsw.fortilink. These entries need to be deleted.
- If the FortiSwitch is still not able to authorize after the above step, Go to Wifi & Switchcontroller --> Fortiswitch Vlans and manually create a Vlan with VlanId 1 and name this as default.<interface_name>
- Try to authorize FortiSwitch, after the above step.
If the issue persists after the above steps, contact Technical support with the output of the following commands from FortiSwitch and FortiGate,
FortiSwitch CLI:
show full
diag debug repor
FortiGate CLI:
execute switch-controller get-conn-status
execute switch-controller diagnose-connectio
config switch-controller managed-switch
edit <switch_serial_number>
set fsw1-wan-admin enable <----- Shows an error with the reason for the authorization issue.
end
- FortiSwitch is not online on FortiGate.
If this is a brand new FortiSwitch and it is not not coming online on FortiGate, follow below steps for troubleshooting
On FortiGate:
- NTP needs to be local for the Fortilink interface.
- DHCP must be enabled for the FortiLink interface.
On FortiSwitch:
get sys interface<----- Make sure the internal interface is getting the IP Address from FortiLink. If not, check if internal is set to be DHCP.
S224EXXXXXXXX # config system interface
S224EXXXXXXXX (interface) # edit internal
S224EXXXXXXXX internal) # show
config system interface
edit "internal"
set mode dhcp <----- Set to DHCP.
set allowaccess ping https ssh
set type physical
set snmp-index 30
set defaultgw enable
next
end
diagnose switch physical-port summary <----- Uplink port and internal must be on 4094.
S224EXXXXXXXX # diagnose switch physical-ports summary
Portname Status Tpid Vlan Duplex Speed Flags Discard
__________ ______ ____ ____ ______ _____ ____________ _________
port24 up 8100 4094 full 1G QS,TL, none
internal up 8100 4094 full 1G QS, , none
diagnose switch trunk summary <----- Trunk should be auto-configured with FortiGate.
S224E********** # diagnose switch trunk summary
Trunk Name Mode PSC MAC Status Up Time
________________ ________________________________ ___________ _________________ ___________ _________________________________
G100FTK****** lacp-active(isl) src-dst-ip E8:1C:BA:AF:82:03 up(1/1) 0 days,23 hours,48 mins,32 secs
If the above 2 steps fail, Check if the below settings are configured on FortiSwitch.
- If FortiSwitch is above V7.2.0:
config switch auto-network
set mgmt-vlan 4094
set status enable
end
If the FortiSwitch is below V7.2.0:
config system global
set switch-mgmt-mode fortilink
end
- Check lldp-profile on FortiSwitch uplink port:
config switch physical-port
(physical-port) # edit port24 <-----Uplink Port.
(port24) # set lldp-profile default-auto-isl
(port24) # end
- Check the NTP Status on the FortiSwitch. NTP needs to be in sync with the FortiGate:
S224E********* # diagnose sys ntp status
synchronized: yes, ntpsync: enabled, server-mode: disabled
ipv4 server(169.254.1.1) 169.254.1.1 -- reachable(0xfd) S:0 T:14 selected
server-version=4, stratum=3
reference time is e8e68d7f.b82b8507 -- UTC Fri Oct 27 19:26:55 2023
clock offset is -0.012170 sec, root delay is 0.059586 sec
root dispersion is 0.010345 sec, peer dispersion is 431 msec
- If NTP is not in sync, check below configs:
config sys ntp
set ntpsync enable <----- Needs to be enabled.
config ntpserver
edit 0
set server <fortilink_ip_address>
end
If FortiSwitches are still not up after above, see below:
diag switch phyiscal-port linerate <port_no><----- check if both tx,rx traffic are visible on the port.
diag switch phyiscal-port linerate up<----- Check If the tx total and rx total is the same. If not, there might be a possible loop or broadcast in the network.
- Reboot FortiGate and FortiSwitch. This restarts the CAPWAP daemon.
If the issue persists after the above steps, contact Technical support with the output of the following commands from FortiSwitch and FortiGate:
FortiSwitch CLI:
show full
diag debug report
diag debug crashlog read
FortiGate CLI:
execute switch-controller get-conn-status
execute switch-controller diagnose-connection
config sys interfac
edit fortilink
show full
end
- Second FortiSwitch is not coming online or flapping.
On FortiGate.
Make sure the topology is supported and is listed below:
Determining the network topology
If 2 FortiSwitches are directly connected to the FortiLink interface (Aggregate interface), there must be a cable connected between the Fortiswitches with 'split-interface' enabled on the FortiLink.
Split interface setting, will put one of the interfaces in 'down' status and this acts as a backup link to the Fortigate. This will only become active when the other interface fails.
config sys interface
edit Fortilink
set members x1 x2
set fortilink-split-interface enable
end
If the issue still persists after the above refer to 2., FortiSwitch is not coming online.
