- Switch and Gate Serial Connections
- Changing an interface running speed
- Checking FortiGate HA Synchronization
- Accessing the second Fortigate in a HA pair
- Determine Switch Connection Status
- Determine Switch Synchronization Status
- Diagnose MCLAG connectivity issues
- Gathering Switch debug info
- Add/Edit 802.1x Security Policy
- Debug 802.1X Authentication Errors at the Switch
Switch and Gate Serial Connections
- The FortiGate console ports run at 9600 8N1
- The FortiSwitch console ports run at 115200 8N1
Changing an interface running speed
When changing the speed of a port on the FortiGate, every port in the same port group (ports that share one PHY) is changed to that speed as well, which is why the CLI asks you to confirm.
- config global (system interface is a global-scope object on a VDOM-enabled unit; skip this line if VDOMs are not enabled)
- config system interface
- edit port32
- set speed 10000full
- next
- press 'y' to confirm the speed change on the other ports in the group
- end
- end
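Added example for the procedure above (these are FortiOS CLI commands added here, not text from the original page): check the port before the change, then confirm afterwards that the whole port group moved to the new speed. The port name, speed and VDOM state are placeholders.

```text
# Added example, not from the original page. port32 and 10000full are
# placeholders; adjust to the port and speed you are changing.

# Before: current link speed/duplex of the port you are about to change
diagnose hardware deviceinfo nic port32

# Change the speed. On a VDOM-enabled unit system interface lives under
# config global; on a unit without VDOMs start at config system interface.
config global
    config system interface
        edit port32
            set speed 10000full
        next
        # answer 'y' to the prompt listing the other ports in the group
    end
end

# After: list every physical port with its configured speed and confirm
# that the group-mates of port32 now show the same speed
get system interface physical
```

If the unit refuses the speed, the transceiver or the port group does not support it; the prompt names the ports that would be affected, so read it before answering 'y'.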
Checking FortiGate HA Synchronization
Accessing the second Fortigate in a HA pair
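Added example covering the two sections above (checking HA synchronization and reaching the second member). These are FortiOS CLI commands supplied here, not commands from the original page; the member index, serial numbers and admin username are placeholders. The username argument to execute ha manage is required on recent FortiOS releases and absent on older ones.

```text
# Added example, not from the original page. Index 1 and user admin are
# placeholders; read the real index from the output of "execute ha manage ?".

# 1. Cluster overview: members, primary/secondary roles, uptime, and the
#    "Configuration Status" line, which should read in-sync for every member
get system ha status

# 2. Per-member configuration checksums. Compare the "all" checksum of each
#    member against the primary; any member whose value differs is not
#    synchronized.
diagnose sys ha checksum cluster

# 3. If they differ, force a recalculation and compare again
diagnose sys ha checksum recalculate
diagnose sys ha checksum cluster

# 4. To find which object differs, dump the per-object checksums on each
#    member for the scope that mismatched (global or a VDOM name)
diagnose sys ha checksum show global

# 5. Jump to the secondary from the primary's CLI: list members with their
#    index, then open a session to the one you want
execute ha manage ?
execute ha manage 1 admin
```

Compare the checksum output member by member rather than eyeballing a single line: a checksum that matches for "global" but not for a VDOM points at a VDOM-scoped object, and the per-object dump in step 4 narrows it to the table that differs.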
Determine Switch Connection Status
Determine Switch Synchronization Status
To check the sync status of a switch you first need its switch-id value, which is the SWITCH-ID column in the output of the get-conn-status command above.
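Added example covering the two sections above (connection status and synchronization status), run from the FortiGate CLI. These are commands added here, not from the original page; the switch serial number is a placeholder.

```text
# Added example, not from the original page. S124EP1234567890 is a
# placeholder serial; take the real one from the SWITCH-ID column.

# Every FortiSwitch managed by this FortiGate (in the current VDOM), with
# its STATUS (expect Authorized/Up), FortiLink ADDRESS and SWITCH-ID
execute switch-controller get-conn-status

# Synchronization state of one switch, using the SWITCH-ID from above;
# expect in-sync, anything else means the switch is not running the
# configuration the FortiGate pushed
execute switch-controller get-sync-status switch-id S124EP1234567890

# Or every managed switch at once
execute switch-controller get-sync-status all
```

A switch that shows Authorized/Up in get-conn-status but is not in-sync is reachable over FortiLink yet rejected or never applied its last configuration push; a switch missing from get-conn-status altogether is a FortiLink or authorization problem, not a sync problem.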
Diagnose MCLAG connectivity issues
Diagnostic commands must be run from the switch itself, not from the FortiGate.
Gathering Switch debug info
1. Gather PDU Counters
Run this command several times at 2-3 second intervals. It checks for control-packet loops or flooding, which only show up as counters that keep climbing between runs, so a single snapshot is not enough. Do this on the switch that is causing the issue and on every switch connected to it.
2. Gather physical port line rates
Let this run for at least one minute so enough data is gathered. Do this on the switch that is causing the issue and on every switch connected to it.
3. Diagnose ACL issues
On each MCLAG-ICL switch, first find an unused switch port. Then check the switch ACL ingress configuration (config switch acl ingress) and create a test ACL entry on that port. If the entry can be created and deleted, there is no ACL problem.
4. Generate debug report
Run this command on each switch (especially the MCLAG-ICL switches and the switches possibly causing the issue).
5. Check running processes
Run this on each switch (especially the MCLAG-ICL switches possibly causing the issue).
6. Check MCLAG peer consistency
This command is included in the diag debug report; run it once more on each MCLAG-ICL switch and look for trunks marked "mismatch". If there are mismatched trunks, run the second command.
7. Check Fortigate for crash data
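Added example covering the MCLAG section and steps 3 to 7 of the procedure above. These are FortiSwitchOS and FortiOS CLI commands added here, not commands from the original page; the switch address, ACL id and port name are placeholders. Steps 1 and 2 (PDU counters and port line rates) and the "second command" of step 6 use commands the page does not name, so they are not reproduced.

```text
# Added example, not from the original page. 10.255.1.2 is a placeholder
# FortiLink address (take it from get-conn-status), port10 is assumed to
# be an unused port, and ACL id 999 is assumed to be free.

# From the FortiGate, open a CLI session on the switch
execute ssh admin@10.255.1.2

# --- on the FortiSwitch ---------------------------------------------------

# Step 3: ACL programming test on an unused port of each MCLAG-ICL switch.
# Create a throw-away ingress ACL, then delete it; failure to create or
# delete it points at the ACL engine rather than at MCLAG itself.
config switch acl ingress
    edit 999
        set ingress-interface port10
        config classifier
            set src-ip-prefix 192.0.2.0 255.255.255.0
        end
        config action
            set drop enable
        end
    next
end
config switch acl ingress
    delete 999
end

# Step 4: full debug report (includes the MCLAG state among much else)
diagnose debug report

# Step 5: running processes with CPU and memory use
diagnose sys top

# Step 6: MCLAG peer consistency; trunks reported as "mismatch" are
# configured differently on the two ICL peers
diagnose switch mclag icl
diagnose switch mclag peer-consistency-check

# For detail on a trunk flagged as mismatched, list the trunk configuration
# on both peers and compare (this is a suggestion added here, not the
# page's "second command")
diagnose switch trunk list

# --- back on the FortiGate ------------------------------------------------

# Step 7: crash history of the FortiGate's own daemons
diagnose debug crashlog read
```

Run the ACL test on a port with nothing connected: the test entry drops matching traffic on that port while it exists, and leaving it behind would be a silent outage.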
Add/Edit 802.1x Security Policy
802.1X policies can only be created or edited from the CLI; once a policy exists, it can be assigned to a switch port from either the CLI or the GUI.
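Added example for the section above: a FortiOS CLI 802.1X security policy and its assignment to a managed switch port. This is configuration added here, not from the original page; the policy name, user group, switch serial and port are placeholders, and the user group is assumed to already exist with the RADIUS server as a member.

```text
# Added example, not from the original page. dot1x-corp, dot1x-users,
# S124EP1234567890 and port5 are placeholders.

# The policy. The three "disable" lines are the security-relevant ones:
# mac-auth-bypass would let any device whose MAC the RADIUS server knows
# skip EAP, open-auth would forward traffic before authentication
# completes, and a guest or auth-fail VLAN gives a failed client a
# network instead of nothing.
config switch-controller security-policy 802-1X
    edit "dot1x-corp"
        set security-mode 802.1X-mac-based
        set user-group "dot1x-users"
        set mac-auth-bypass disable
        set open-auth disable
        set eap-passthru enable
        set guest-vlan disable
        set auth-fail-vlan disable
        set radius-timeout-overwrite disable
    next
end

# Assign the policy to a port on a managed switch (this part can also be
# done from the GUI once the policy exists)
config switch-controller managed-switch
    edit "S124EP1234567890"
        config ports
            edit "port5"
                set port-security-policy "dot1x-corp"
            next
        end
    next
end
```

Use 802.1X-mac-based on ports where more than one device may appear (phones with a PC behind them, unmanaged switches); plain 802.1X authenticates the first supplicant and then opens the port for every MAC behind it.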
Debug 802.1X Authentication Errors at the Switch
In the event that you are experiencing 802.1X authentication errors, first check the logs of your RADIUS server. In this case FortiAuthenticator is used, so check its debug logs for RADIUS authentication messages.
If authentication is successful you should see the message:
"802.1x authentication successful"
If the RADIUS server reports successful authentication but the client still fails to authenticate, check at the switch level.
- SSH into the switch that the user is physically connected to.
- diagnose debug enable
- diagnose debug application fnbamd 255
- Connect the client again and the full exchange with the RADIUS server is printed
- diagnose debug disable when you are finished