FortiSwitch
sachitdas_FTNT
Article Id 273244
Description This article describes the troubleshooting steps to check when IGMP snooping is not working as expected.
Scope FortiSwitch v6.4.x and above.
Solution

Before beginning, review the links below, which contain important information:

IGMP snooping

Configuring IGMP-snooping settings

 

It is recommended to run the latest FortiSwitch version, as the latest releases contain bug fixes.

For example:

Bug# 833450 https://docs.fortinet.com/document/fortiswitch/7.2.4/release-notes/255778

 

Refer to the use case below and follow the configuration and troubleshooting steps.

For example, the issue is that IPTV multicast is not working: the TV is not receiving the streaming service.

 

Setup:

FortiSwitches are managed by FortiGate.

The TV is trying to join multicast address 239.241.1.1.

The IPTV receiver and the server/sender are on the same VLAN, for example vlan2.

 

[Figure: network diagram of the setup]

 

Configuration and troubleshooting steps:

 

Configuration on FortiGate:

  1. The configuration on vlan2 should be:

config system interface
    edit vlan2
        set switch-controller-igmp-snooping enable
        set switch-controller-igmp-snooping-proxy enable
    next
end

 

  2. Since the server is on Access 'FSW2', it is necessary to enable IGMP querier on Access 'FSW2'.

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config igmp-snooping
            set local-override enable
            set flood-unknown-multicast disable
            config vlans
                edit vlan2
                    set querier enable
                    set querier-addr <IPv4_address>    <----- This can be the IP address of the vlan2 interface on the FortiGate.
                    set version {2 | 3}
                next
            end
        end
    next
end

 

By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to router ports.

If flood-unknown-multicast is enabled, unregistered multicast packets are forwarded to all ports in the VLAN.

Enable this for testing purposes during troubleshooting.

 

  3. Disable storm control:

config switch-controller storm-control
    set unknown-unicast enable      <----- Disable.
    set unknown-multicast enable    <----- Disable.
    set broadcast enable            <----- Disable.
end

 

Configuration on FortiSwitch: 

 

  1. When an inter-switch link (ISL) is formed automatically in FortiLink mode, the igmp-snooping-flood-reports and mcast-snooping-flood-traffic options are disabled by default.

For example, in the diagram, the ports marked in red are ISLs. Check the configuration on the ISL interfaces by accessing the CLI of each FortiSwitch and executing the commands below:

 

show switch trunk

show full-config switch interface <trunk name>

 

  •  Notice that these settings are disabled on all ISL trunks except the mclag-ICL trunk interfaces on Core FSW1 and Core FSW2 port3.

set igmp-snooping-flood-reports disable

set mcast-snooping-flood-traffic disable

 

It is possible to enable these options on the FortiLink trunks of the FortiSwitches for testing purposes during troubleshooting. 

 

config switch interface
    edit <trunk name>
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic enable
    next
end
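
The options this article enables for testing (flood-unknown-multicast, igmp-snooping-flood-reports, mcast-snooping-flood-traffic) and the disabled storm control widen where multicast and broadcast traffic is delivered, so it is useful to confirm afterwards that they were reverted. The following Python script is an added example, not part of the original article and not Fortinet code; it scans a saved configuration dump for those settings, and the function name, the sample configuration and the trunk name are assumptions made for illustration.

```python
# Added example (not Fortinet code): report troubleshooting-only settings still active in a config dump.
WATCH = {  # option -> value that means "still in the test state"
    "flood-unknown-multicast": "enable",
    "igmp-snooping-flood-reports": "enable",
    "mcast-snooping-flood-traffic": "enable",
}
STORM_PATH = "config switch-controller storm-control"
STORM_OPTS = {"unknown-unicast", "unknown-multicast", "broadcast"}

def find_leftovers(config_text):
    """Return (path, option, value) for every watched setting in its test state."""
    path, findings = [], []
    for raw in config_text.splitlines():
        words = raw.split("<-----")[0].split()  # drop inline annotations
        if not words:
            continue
        if words[0] in ("config", "edit"):
            path.append(" ".join(words))
        elif words[0] == "next":
            if path and path[-1].startswith("edit"):
                path.pop()
        elif words[0] == "end":
            # close the innermost config block, tolerating a missing "next"
            while path and path.pop().startswith("edit"):
                pass
        elif words[0] == "set" and len(words) >= 3:
            opt, val = words[1], words[2]
            storm_off = STORM_PATH in path and opt in STORM_OPTS and val == "disable"
            if WATCH.get(opt) == val or storm_off:
                findings.append((" / ".join(path), opt, val))
    return findings

# Constructed sample: fragments from a FortiGate and a FortiSwitch, trunk name invented.
SAMPLE = """\
config switch-controller storm-control
    set unknown-unicast disable
    set unknown-multicast disable
    set broadcast enable
end
config switch interface
    edit "trunk-a"
        set igmp-snooping-flood-reports enable
        set mcast-snooping-flood-traffic disable
    next
end
"""
if __name__ == "__main__":
    for path, opt, val in find_leftovers(SAMPLE):
        print(f"{path}: {opt} = {val}")
```

Run it against the output of show full-config saved from each device once troubleshooting is finished; an empty result means none of the watched settings remain in their test state.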

 

Troubleshooting on FortiSwitch: 

  1. On all 4 FortiSwitches, run the command below:

get switch igmp-snooping group

 

On Access FSW1 -> the multicast address learned on port3 is visible.

On Core FSW1, Core FSW2, and Access FSW2 -> The ISL trunks learning the multicast address 239.241.1.1 from Access FSW1 are visible.

On Core FSW1, Core FSW2, and Access FSW1 -> The ISL trunks learning the querier address configured on Access FSW2 are visible.

On Access FSW2 -> The querier learnt on port3 is visible.

 

  2. If any of the FortiSwitches is not learning the IGMP group membership, collect the outputs below:

diag sys top    <----- Press Ctrl + C to stop. Check whether the multicast/IGMP process is going high.

diag debug crashlog read    <----- Check for any multicast/IGMP crash.

 

If the igmpsnoopingd process is in a stuck state, it is possible to try killing the process:

 

# fnsysctl ps    <----- Check for the igmpsnoopingd PID and try to kill the process.
1036 0        45964 S N  /bin/igmpsnoopingd
# diag sys kill 9 1036


 

  3. If the FortiSwitch learns IGMP membership correctly and the issue persists, connect the sender and receiver to the same FortiSwitch and check whether it works. If it still does not work, collect the logs below from the FortiSwitch, along with the FortiGate configuration, multicast service details, and a network diagram, and open a support ticket.

diag debug report

show full-config

 

In a network with more FortiSwitches, collect the above logs from the core FortiSwitches and from the access FortiSwitches where the sender and receiver are connected. In the case of a multi-tier mclag-icl setup, collect the logs from the distribution FortiSwitches as well.

 

  1. Verify that the multicast address is correct. The server should send the stream to the correct multicast address and the TV should try to join that group. In some cases, IPTV tries to join a different multicast address.
  2. Ensure IGMP and the IGMP querier are not enabled on other VLANs where they are not required.

 

Disclaimer:

The configuration and troubleshooting approach may vary depending on the network setup (FSW topology and multicast service system).