Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vpatil
Staff
Staff

Created on ‎10-05-2020 03:22 AM Edited on ‎02-01-2023 07:58 AM By Moderator

Article Id 193797

Technical Tip: Managed FortiSwitch shows 'E=config sync error' flag

Description


This article describes how to debug FortiGate not pushing new config to Manage FortiSwitch. 

Scope


Ensure FortiOS and FortiSwitch OS are running on compatible firmware versions as listed in FortiLink Compatibility matrix link below:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/d756e8a9-6d2d-11e9-81a4-005056...

Solution


1) When FortiGate and FortiSwitch are running on incompatible firmware versions, the below command output may show the 'E=configuration sync error' flag:

 

# execute switch-controller get-conn-status


Once verified firmware are compatible and if the issue of is still visible config not getting pushed and switch showing 'E' flag, follow below steps.

2) To verify if FortiGate is pushing new config to FortiSwitch – use below debug logs on FortiGate and FortiSwitch:

 

FortiGate:

 

# diagnose debug application flcfgd -1
# diagnose debug console timestamp enable
# diagnose debug enable

 

FortiSwitch:

 

# diagnose debug cli 8
# diagnose debug console timestamp enable
# diagnose debug enable

 

3) Sample log prints from FortiGate and FortiSwitch when the new FortiSwitch VLAN 30 is created on FortiGate for FortiSwitch.

 

FortiGate side logs:

 

553s:594ms:476us flcfg_configure_switch[5789]:Adding vlan for vlanid(30) vlan(30) switch(S124DP3X16008363) dhcp_snooping(0)
553s:644ms:108us flcfg_configure_switch[5819]:configured switch vlan(30) for S124DP3X16008363

 

FortiSwitch side logs:

 

0: config switch vlan
0: edit 30
0: set description "30"
0: end

 

4) FortiGate and FortiSwitch config sync commands:

 

# execute switch-controller get-conn-status
# execute switch-controller get-sync-status all      <- To check the reason why the switch is showing the 'E'flag.
# diagnose switch-controller trigger config-sync <switch_id>   <- Try to trigger manual sync to the FortiSwitch showing E flag).          

 

Note:

 

The FortiSwitch 1xx models allow enabling DHCP snooping on a maximum of 25 VLANs.

 

Therefore, on the FortiGate if the existing 25 VLANs already have DHCP snooping enabled then the 26th VLAN (DHCP snooping enabled) may not push to the FSW units (including Rugged 1xx series Switches) - this is expected. 

 

Related document:

https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/742bfeaa-71d0-11ed-8e6d-fa163e...

8876
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.