FortiGate
acvaldez
Staff
Article Id 195951
Description
This article describes how to resolve the incompatible version error shown for a downstream FortiGate in the Security Fabric.

Scope
For version 6.2.5.

Solution
Diagram.





Configuration.

ROOT FGT – SECURITY FABRIC.





DOWNSTREAM FGT – SECURITY FABRIC.




FORTIANALYZER.

- Authorize the root and downstream FortiGate.



Solution.

- The ROOT FGT is on 6.2.5.
- When the DOWNSTREAM FGT is on a version that does not match the ROOT FGT, for example 6.2.4, this error will appear:





- To resolve this, upgrade the downstream FortiGate to the same version as the root FortiGate, which is 6.2.5 in this case.





- Once done, this is the Security Fabric status on the root FortiGate.




- It is really important for all FortiGates in the Security Fabric to be on the same version in order to establish a good state of Security Fabric connectivity.

Troubleshooting.

- This shows verbose logging for csfd (the daemon responsible for the Security Fabric).
# diag debug app csfd -1
# diag debug enable
- Other diagnostics show the different states of the Security Fabric.
# diag test app csfd { integer value }
1. show stats
2. show plugin status
99. restart
10. show MAC cache status
11. show Slave MAC cache status
20. show FSA setting synchronization status
30. show cached downstream list
40. show slave mac sync status
50. Show Upstream Path.
51. Show list of pending downstream authorizations.
52. Show list of authorized downstream nodes.
60. show key info
80. show SAML cached entries for downstreams
81. delete SAML entries for fabric members.
82. delete and recreate SAML entries for fabric members.
83. Show config versions.
- When encountering issues with the Security Fabric, it is also important to check whether there has been any csfd crash.
# diag debug crashlog read
