FortiGate
rmetzger
Staff
Article Id 197828
Description
The error message in the following CLI configuration example may appear when trying to change a FortiGate internal interface to switch, interface, or hub mode:

FGT60B # config system global
FGT60B (global) # set internal-switch-mode interface
FGT60B (global) # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n)y

Interface internal is in use
attribute set operator error, -23, discard the setting
Command fail. Return code -23
 
When making this change from the GUI, the message "Entry is used" is displayed.
 
 
Note about switch mode:
The internal interface is a switch with either four or six physical interface connections, depending on the FortiGate model. Normally the internal interface is configured as a single interface shared by all physical interface connections, that is, as a switch.
For further details about switch mode, please consult the appropriate FortiGate Administration Guide or the release notes.

Scope
FortiWiFi 60B
FortiGate 60B
FortiGate 100A  (Rev2.0 and higher)
FortiGate 200A  (Rev2.0 and higher)

Solution
The root cause can be dependencies between the internal interface and other objects (DHCP settings, Firewall Policies) that prevent this change.

To verify whether other objects refer to the internal interface, the diagnose command "diagnose sys checkused" can be used.
The following example is from a FortiGate 60B with a default configuration and lists all dependencies for the interface called "internal".
 

FGT60B # diagnose sys checkused system.interface.name internal
entry used by table system.dhcp.server:name 'internal_dhcp_server'
entry used by table firewall.policy:policyid '1'
entry used by table router.static:seq-num '1'

The analysis of the above output is the following:

| Message | Description |
|---|---|
| entry used by table system.dhcp.server:name 'internal_dhcp_server' | There is a DHCP server called 'internal_dhcp_server' enabled on the "internal" interface |
| entry used by table firewall.policy:policyid '1' | There is a Firewall Policy (ID 1) that refers to "internal" |
| entry used by table router.static:seq-num '1' | There is a static route (entry 1) that refers to "internal" |
 
All of the above settings must be deleted before the change can be applied.
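
On a unit with more than a default configuration the list of references can be long, so it helps to turn a pasted console capture into a checklist that can be reviewed before anything is deleted. The script below is an added example, not Fortinet code: it parses the "entry used by table" lines shown above and returns one review line per referencing object. The sample input is constructed from the output in this article, and the mapping from a dotted table name to a "config" path is an assumption.

```python
import re

# Constructed sample: the checkused output from this article, with the echoed
# prompt line that a pasted console capture normally includes.
SAMPLE = """\
FGT60B # diagnose sys checkused system.interface.name internal
entry used by table system.dhcp.server:name 'internal_dhcp_server'
entry used by table firewall.policy:policyid '1'
entry used by table router.static:seq-num '1'
"""

# One reference line: entry used by table <table>:<key field> '<key value>'
REF_RE = re.compile(
    r"^entry used by table (?P<table>[\w.-]+):(?P<field>[\w-]+) '(?P<value>[^']*)'$")


def parse_checkused(text):
    """Return (refs, skipped): parsed reference dicts and lines that did not match."""
    refs, skipped = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = REF_RE.match(line)
        if m:
            refs.append(m.groupdict())
        else:
            skipped.append(line)  # prompt echo, error text, or unknown format
    return refs, skipped


def group_by_table(refs):
    """Map each referencing table to its key values, in output order."""
    grouped = {}
    for r in refs:
        grouped.setdefault(r["table"], []).append(r["value"])
    return grouped


def checklist(text):
    """One review line per referencing object, for sign-off before deletion."""
    refs, _ = parse_checkused(text)
    # Assumption: a dotted table name maps to the CLI config path with spaces.
    return [f"config {r['table'].replace('.', ' ')}: {r['field']} {r['value']}"
            for r in refs]


if __name__ == "__main__":
    print("\n".join(checklist(SAMPLE)))
```

Lines returned in "skipped" should be read rather than discarded, since an unmatched line may be a reference in a format this pattern does not cover.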
