Troubleshooting and support
The FortiSwitch unit provides various features for troubleshooting and support.
This chapter covers the following topics:
- Dashboard
- Virtual wire
- TFTP network port
- Cable diagnostics
- Selective packet sampling
- Packet capture
- Network monitoring
- Flow tracking and export
- Identifying a specific FortiSwitch unit
Dashboard
The dashboard displays your FortiSwitch management mode and shows the current values for the following:
- CPU
- RAM
- Temperature for FortiSwitch models that have temperature sensors
- PoE (on FortiSwitch PoE models)
- Bandwidth
- Losses
Operation mode
The Operation Mode field shows whether the FortiSwitch unit is managed by a FortiGate unit.
When the FortiSwitch unit is in FortiLink mode, a message is displayed above the dashboard, and the Operation Mode is “Remote Management.”
When the FortiSwitch unit is in standalone mode, the Operation Mode is “Local Management.”
Select Remote Management or Local Management to go to the Config > Management Mode page, where you can switch between FortiLink mode and standalone mode.
FortiSwitch Cloud
The FortiSwitchCloud field shows whether the FortiSwitch unit is managed by FortiSwitch Cloud. A FortiSwitch unit must be in standalone mode to be managed by FortiSwitch Cloud. For more details about using FortiSwitch Cloud, refer to the FortiSwitch Cloud Administration Guide.
Select Connected to go to the System > FortiSwitchCloud page.
Select Enable and then select Advanced Settings to configure your FortiSwitch unit to be managed by FortiSwitch Cloud.
To switch to FortiSwitch Cloud management:
- On the FortiSwitchCloud page, select Enable and then select Advanced Settings.
- By default, the Name field is set to fortiswitch-dispatch.forticloud.com, the domain name for FortiSwitch Cloud. No change is needed.
- By default, the Port field is set to 443, the port number used to connect to FortiSwitch Cloud. No change is needed.
- In the Interval (Seconds) field, enter the time in seconds allowed for domain name system (DNS) resolution. The default is 15 seconds. The range of values is 3-300 seconds.
- Select Update to save your changes.
Bandwidth
The Bandwidth graphs show the inbound and outbound bandwidth for the entire FortiSwitch unit over a day and over a week. The Average Per Interface bar chart shows the average bandwidth (inbound bandwidth plus outbound bandwidth) for each interface over a day and over a week; only the interfaces with the highest bandwidth are displayed.
Losses
The Losses graphs show the inbound errors, outbound errors, inbound drops, and outbound drops for the entire FortiSwitch unit over a day and over a week.
Virtual wire
Some testing scenarios might require two ports to be wired 'back-to-back'. Instead of using a physical cable, you can configure a virtual wire between two ports. The virtual wire forwards traffic from one port to the other port with minimal filtering or modification of the packets.
Notes:
- ACL mirroring is not supported.
- You can select ports that are already ingress and egress mirror sources.
Using the GUI:
- Go to Switch > Virtual Wires.
- Select Add Virtual Wire to create a new virtual wire.
- Enter a name and select the ports for first member and second member.
- Select Add to save the changes.
Using the CLI:
Use the following commands to configure a virtual wire:
config switch virtual-wire
edit <virtual-wire-name>
set first-member <port-name>
set second-member <port-name>
set vlan <vlan-id>
next
end
Virtual wire ports set a special Tag Protocol Identifier (TPID) in the VLAN header. The default value is 0xdee5, a value that real network traffic never uses.
Use the following commands to configure a value for the TPID:
config switch global
set virtual-wire-tpid <hex value from 0x0001 to 0xFFFE>
end
Use the following command to display the virtual wire configuration:
diagnose switch physical-ports virtual-wire list
port1(1) to port2(2) TPID: 0xdee5 VLAN: 4011
port3(3) to port4(4) TPID: 0xdee5 VLAN: 4011
port5(5) to port25(25) TPID: 0xdee5 VLAN: 4011
port7(7) to port8(8) TPID: 0xdee5 VLAN: 4011
NOTE:
- Ports have ingress and egress VLAN filtering disabled. All traffic (including VLAN headers) is passed unchanged to the peer. All egress traffic is untagged.
- Ports have L2 learning disabled.
- Ports have their egress limited to their peer and do not allow egress from any other ports.
- The system uses TCAM to force forwarding from a port to its peer.
- The TCAM prevents any copy-to-cpu or packet drops.
TFTP network port
When you power on the FortiSwitch unit, the BIOS performs basic device initialization. When this activity is complete, and before the OS starts to boot, you can press any key to bring up the boot menu.
From the menu, press the I key to configure TFTP settings. With newer versions of the BIOS, you can specify the network port (where you have connected your network cable). If you are not prompted to specify the network port, you must connect your network cable to the default network port:
- If the switch model has a WAN port, the WAN port is the network port.
- If the switch has no WAN port, the highest port number is the network port.
Cable diagnostics
NOTE: There are some limitations for cable diagnostics on the FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE models:
- Crosstalk cannot be detected.
- There is a 5-second delay before results are displayed.
- The value for the cable length is inaccurate.
- The results are inaccurate for open and short cables.
You can check the state of cables connected to a specific port. The following pair states are supported:
- Open
- Short
- Ok
- Open_Short
- Unknown
- Crosstalk
If no cable is connected to the specific port, the state is Open, and the cable length is 0 meters.
For supported models, see Supported models.
Using the GUI:
- Go to Switch > Port > Physical.
- Select Cable Diagnostic for the appropriate port.
- Select Continue to start the cable diagnostics.
NOTE: Running cable diagnostics on a port that has the link up will interrupt the traffic for several seconds.
- Select Back to Physical Ports to close the Cable Diagnostics window.
Using the CLI:
Use the following command to run a time domain reflectometry (TDR) diagnostic test on cables connected to a specific port:
diagnose switch physical-ports cable-diag <physical port name>
NOTE: Running cable diagnostics on a port that has the link up will interrupt the traffic for several seconds.
For example:
# diagnose switch physical-ports cable-diag port1
port1: cable (4 pairs, length +/- 10 meters)
pair A Open, length 0 meters
pair B Open, length 0 meters
pair C Open, length 0 meters
pair D Open, length 0 meters
Use the following command to check the medium dependent interface crossover (MDI-X) interface status for a specific port:
diagnose switch physical-ports mdix-status <physical port name>
For example:
# diagnose switch physical-ports mdix-status port1
port1: MDIX(Crossover)
Selective packet sampling
NOTE: This feature is not supported on FS-3032.
During debugging, you might want to see whether a particular type of packet was received on an interface on the switch.
- Set up an access control list (ACL) on the switch with the interface that you want to monitor. See Access control lists. The interface named in this ACL is the ingress interface.
- Set up a mirror for the “internal” interface.
For example, if you want to monitor interface port17 for any IP packet (ether-type 0x800) with a destination subnet of 10.10.10/24 and a source subnet of 20.20.20/24, use the following commands.
# show switch acl ingress
config switch acl ingress
edit 1
config action
set mirror "internal"
end
config classifier
set dst-ip-prefix 10.10.10.0 255.255.255.0
set ether-type 0x0800
set src-ip-prefix 20.20.20.0 255.255.255.0
end
set ingress-interface "port17"
set status active
next
end
To examine the packets that have been sampled in the example, use the following command:
# diagnose sniffer packet sp17 none 6
Packet capture
When troubleshooting networks, it helps to look inside the header of the packets. This helps to determine if the packets, route, and destination are all what you expect. Packet capture is also called a network tap, packet sniffing, or logic analyzing.
To capture packets:
- Create a packet-capture profile.
- Start the packet capture.
- Pause or stop the packet capture.
- Display or upload the packet capture.
- Delete the packet-capture file.
The maximum number of packet-capture profiles and the RAM disk size allotted for packet captures are different for the various platforms:
Platform | Maximum number of profiles | RAM disk size in MB
---|---|---
1xx | 8 | 20
2xx | 8 | 50
4xx | 16 | 75
5xx | 16 | 100
1xxx | 16 | 100
3xxx | 16 | 100
Create a packet-capture profile
To specify which packets to capture, define a filter and select a switch or system interface on which to capture the packets. You cannot select both a switch interface and a system interface.
The filter uses flexible logic. For example, if you want packets using UDP port 1812 between hosts named forti1 and either forti2 or forti3:
'udp and port 1812 and host forti1 and \( forti2 or forti3 \)'
You can specify the number of packets to capture and the maximum packet length to be captured. The maximum number of packets that can be captured depends on the RAM disk size.
Using the GUI:
- Go to System > Packet Capture.
- Select Add Packet Capture.
- Enter a name for the packet-capture profile.
- Select the switch or system interface that you want to capture packets on.
- Enter how many packets to capture on the selected interface.
- Enter the maximum packet length in bytes to capture on the interface.
- If you want to use a filter to select which packets to capture, select the Filter checkbox.
- If you want to filter by hosts, enter the IP addresses, separated with commas.
- If you want to filter by ports, enter port numbers or ranges, separated with commas.
- If you want to filter by VLANs, enter VLAN numbers, separated with commas.
- If you want to filter by protocols, enter the numbers, separated with commas.
- Select Add.
Using the CLI:
config system sniffer-profile
edit <profile_name>
set filter {<string> | none}
set max-pkt-count <1-maximum>
set max-pkt-len <64-1534>
set switch-interface <switch_interface_name>
set system-interface <system_interface_name>
end
For example:
config system sniffer-profile
edit profile1
set filter none
set max-pkt-count 100
set max-pkt-len 100
set system-interface mgmt
end
Start the packet capture
After you create a packet-capture profile, you can start the packet capture.
Using the GUI:
- Go to System > Packet Capture.
- Select .
Using the CLI:
execute system sniffer-profile start <profile-name>
For example:
execute system sniffer-profile start profile1
Pause or stop the packet capture
A packet capture continues to run until the max-pkt-cnt value is reached, or the packet capture is paused or stopped. You can restart a paused packet capture.
Using the GUI:
Go to System > Packet Capture.
- To pause a running packet capture, select .
- To resume a paused packet capture, select .
Using the CLI:
To pause a running packet capture:
execute system sniffer-profile pause <profile_name>
To restart a paused packet capture:
execute system sniffer-profile start <profile-name>
To stop a running packet capture:
execute system sniffer-profile stop <profile-name>
Display or upload the packet capture
You can display parsed information from the packet capture or upload the .pcap file to a TFTP or FTP server for further analysis.
Using the GUI:
- Go to System > Packet Capture.
- Select .
The .pcap file is saved in your Downloads folder.
Using the CLI:
To display the packet capture from a specific packet-capture profile:
get system sniffer-profile capture <profile_name>
To upload the .pcap file for a specific packet-capture profile to an FTP server:
execute system sniffer-profile upload ftp <profile_name> <packet_capture_file_name.pcap> <FTP_server_IP_address:<optional_port>>
To upload the .pcap file for a specific packet-capture profile to a TFTP server:
execute system sniffer-profile upload tftp <profile_name> <packet_capture_file_name.pcap> <TFTP_server_IP_address:<optional_port>>
Delete the packet-capture file
After you have examined the packet capture, you can manually delete the .pcap file. You can only delete the .pcap file after the packet capture is stopped. You cannot delete the .pcap file if the packet capture is paused or running. All .pcap files are deleted when you power cycle the switch.
Using the GUI:
- Go to System > Packet Capture.
- Select .
To delete all packet-capture files, select Select All and then select Delete.
Using the CLI:
execute system sniffer-profile delete-capture <profile_name>
For example:
execute system sniffer-profile delete-capture profile1
Network monitoring
You can monitor specific unicast MAC addresses in directed mode, monitor all detected MAC addresses on a FortiSwitch unit in survey mode, or do both. The FortiSwitch unit gives the directed mode a higher priority than survey mode. The directed mode and survey mode are disabled by default.
NOTE: Network monitoring is not available on FSR-112D-POE.
Directed mode
In directed mode, you select which unicast MAC addresses that you want examined. The FortiSwitch unit detects various fields of the packet—such as MAC address, IP address, VLAN, and user name—and stores the data in either of two databases.
NOTE: You cannot specify broadcast or multicast MAC addresses.
The maximum number of MAC addresses that can be monitored depends on the FortiSwitch model.
Platform Series | Maximum Number of MAC Addresses Monitored | Maximum Number of Hosts
---|---|---
1xx, 2xx | 10 | 250
4xx, 5xx | 20 | 1,024
10xx, 30xx | 30 | 4,096
To find out how many network monitors are available, use the following command:
diagnose switch network-monitor cfg-stats
Network Monitor Configuration Statistics:
----------------------------------
Adds : 0
Deletes : 0
Free Entries : 20
To find out which network monitors are being used currently, use the following command:
diagnose switch network-monitor dump-monitors
Entry ID  Monitor Type   Monitor MAC        Packet-count
=================================================================
1         directed-mode  00:01:02:03:04:05  10
2         directed-mode  10:01:02:03:04:05  0
3         survey-mode    08:5b:0e:c1:07:65  419
4         survey-mode    08:5b:0e:4f:af:38  101
5         survey-mode    08:5b:0e:ce:59:40  2347
6         survey-mode    08:5b:0e:4f:af:44  0
7         survey-mode    08:5b:0e:c1:07:65  0
8         survey-mode    08:5b:0e:4f:af:38  80
9         survey-mode    08:5b:0e:ce:59:40  117
10        survey-mode    08:5b:0e:4f:af:44  0
To start network monitoring, use the following commands:
config switch network-monitor settings
set status enable
end
To specify a single unicast MAC address (formatted like this: xx:xx:xx:xx:xx:xx) to be monitored, use the following commands:
config switch network-monitor directed
edit <unused network monitor>
set monitor-mac <MAC address>
next
end
For example:
config switch network-monitor directed
edit 1
set monitor-mac 00:25:00:61:64:6d
next
end
Survey mode
In survey mode, the FortiSwitch unit detects MAC addresses to monitor for a specified number of seconds. You can specify network monitoring for 120 to 3,600 seconds. The default time is 120 seconds. The FortiSwitch unit detects various fields of the packet—such as MAC address, IP address, VLAN, and user name—and stores the data in either of two databases.
To start network monitoring in survey mode, use the following commands:
config switch network-monitor settings
set status enable
set survey-mode enable
set survey-mode-interval <120-3600 seconds>
end
For example:
config switch network-monitor settings
set status enable
set survey-mode enable
set survey-mode-interval 480
end
Network monitoring statistics
After you have enabled network monitoring, you can view the statistics for the number and types of packets.
To see the type of packets going to and from monitored MAC addresses, use the following command:
diagnose switch network-monitor parser-stats
Network Monitor Parser Statistics:
----------------------------------
Arp : 0
Ip : 1
Udp : 46
Tcp : 353
Dhcp : 0
Eapol : 0
Unsupported : 352
To see the number of packets going to and from monitored MAC addresses, use the following command:
diagnose switch network-monitor dump-monitors
Entry ID  Monitor Type   Monitor MAC        Packet-count
=================================================================
1         directed-mode  00:01:02:03:04:05  10
2         directed-mode  10:01:02:03:04:05  0
3         survey-mode    08:5b:0e:c1:07:65  419
4         survey-mode    08:5b:0e:4f:af:38  101
5         survey-mode    08:5b:0e:ce:59:40  2347
6         survey-mode    08:5b:0e:4f:af:44  0
7         survey-mode    08:5b:0e:c1:07:65  0
8         survey-mode    08:5b:0e:4f:af:38  80
9         survey-mode    08:5b:0e:ce:59:40  117
10        survey-mode    08:5b:0e:4f:af:44  0
NOTE: The FortiSwitch unit creates an entry in the layer-3 database using the exact packet contents when they were parsed. If the MAC address is then assigned to a different VLAN, this change might not be detected immediately. If there is a discrepancy in the output for the diagnose switch network-monitor dump-l2-db and diagnose switch network-monitor dump-l3-db commands, use the output with the more recent time stamp.
To see all detected devices from the layer-2 database, use the following command:
diagnose switch network-monitor dump-l2-db
mac 00:01:02:03:04:05 vlan 1
created 19 secs ago, last seen 16 secs ago
user JoE sources: eapol
To see all detected devices from the IP address database, use the following command:
diagnose switch network-monitor dump-l3-db
mac 08:5b:0e:c1:07:65 ip 169.254.2.2 vlan 4094
created 63614 secs ago, last seen 2 secs ago
sources: arp ip
mac 00:10:20:30:40:50 ip 10.10.10.111 vlan 123
created 75 secs ago, last seen 45 secs ago
sources: arp ip
mac 00:11:22:33:44:55 ip 30.30.30.115 vlan 1
created 53 secs ago, last seen 53 secs ago
sources: dhcp arp ip
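The two database dumps above are plain text, and the NOTE leaves reconciling them to the operator. The following added example (not Fortinet code) parses both dump-l2-db and dump-l3-db listings, lists MACs whose VLAN differs between the two, and merges records per MAC by the most recent "last seen" time as the NOTE recommends. The sample listings are constructed in the format shown in this section.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample output in the shape of `diagnose switch network-monitor dump-l2-db`
# and `dump-l3-db` shown above. The MAC 00:01:02:03:04:05 is placed in both databases with
# different VLANs to exercise the "use the more recent time stamp" rule from the NOTE.
L2_DB = """\
mac 00:01:02:03:04:05 vlan 1
created 19 secs ago, last seen 16 secs ago
user JoE sources: eapol
"""
L3_DB = """\
mac 08:5b:0e:c1:07:65 ip 169.254.2.2 vlan 4094
created 63614 secs ago, last seen 2 secs ago
sources: arp ip
mac 00:01:02:03:04:05 ip 10.10.10.111 vlan 123
created 75 secs ago, last seen 45 secs ago
sources: arp ip
"""

HEADER = re.compile(r"^mac (\S+)(?: ip (\S+))? vlan (\d+)$")
TIMES = re.compile(r"^created (\d+) secs ago, last seen (\d+) secs ago$")
SOURCES = re.compile(r"^(?:user (\S+) )?sources: (.*)$")

@dataclass
class Host:
    mac: str
    vlan: int
    ip: Optional[str]
    user: Optional[str]
    last_seen_ago: int          # seconds; smaller means fresher
    sources: List[str] = field(default_factory=list)
    db: str = ""                # which dump the winning record came from

def parse_db(text: str, db: str) -> List[Host]:
    """Parse the three-line records of a dump-l2-db / dump-l3-db listing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    hosts: List[Host] = []
    for i in range(0, len(lines), 3):
        m, t, s = (HEADER.match(lines[i]), TIMES.match(lines[i + 1]),
                   SOURCES.match(lines[i + 2]))
        if not (m and t and s):
            raise ValueError(f"unexpected record: {lines[i:i + 3]}")
        hosts.append(Host(m.group(1), int(m.group(3)), m.group(2), s.group(1),
                          int(t.group(2)), s.group(2).split(), db))
    return hosts

def vlan_conflicts(l2: str, l3: str) -> List[str]:
    """MACs whose VLAN differs between the two databases (worth a second look)."""
    seen: Dict[str, set] = {}
    for h in parse_db(l2, "l2") + parse_db(l3, "l3"):
        seen.setdefault(h.mac, set()).add(h.vlan)
    return sorted(mac for mac, vlans in seen.items() if len(vlans) > 1)

def reconcile(l2: str, l3: str) -> Dict[str, Host]:
    """Merge both dumps per MAC: the most recently seen record decides the VLAN,
    while the IP address and user name are kept from whichever dump knows them."""
    merged: Dict[str, Host] = {}
    for h in parse_db(l2, "l2") + parse_db(l3, "l3"):
        cur = merged.get(h.mac)
        fresher = cur is None or h.last_seen_ago < cur.last_seen_ago
        newer, older = (h, cur) if fresher else (cur, h)
        if older is not None:
            newer.ip = newer.ip or older.ip
            newer.user = newer.user or older.user
            newer.sources = sorted(set(newer.sources) | set(older.sources))
        merged[h.mac] = newer
    return merged

if __name__ == "__main__":
    for mac, h in reconcile(L2_DB, L3_DB).items():
        print(f"{mac} vlan {h.vlan} ip {h.ip} user {h.user} "
              f"(from {h.db}, last seen {h.last_seen_ago}s ago)")
    print("VLAN conflicts:", vlan_conflicts(L2_DB, L3_DB))
```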
Flow tracking and export
NOTE:
- Flow export is supported on FortiSwitch models 2xx and higher.
- Layer-2 flows for NetFlow version 1 and NetFlow version 5 are not supported.
- For 2xxE models and higher, flow export uses pseudorandom sampling (approximately 1 of x packets).
You can sample IP packets on a FortiSwitch unit and then export the data in NetFlow format or Internet Protocol Flow Information Export (IPFIX) format.
The maximum number of concurrent flows is defined by the FortiSwitch model. When this limit is exceeded, the oldest flow expires and is exported.
To use flow export, you need to enable packet sampling and then configure the flow export.
Enabling packet sampling
To use flow export, you must first enable packet sampling for each switch port and trunk:
config switch interface
edit <interface>
set packet-sampler enabled
set packet-sample-rate <0-99999>
end
Configuring flow export
Using the GUI:
- Go to System > Flow Export > Configure.
- Configure the collector.
- Required. In the IP Address field, enter the IP address for the collector. When the value is “0.0.0.0” or blank, the feature is disabled.
- In the Port field, enter the port number for the collector. The default port for NetFlow is 2055; the default port for IPFIX is 4739.
- In the Transport field, select SCTP, TCP, or UDP for the transport of exported packets.
- Configure the flow export options.
- In the Format drop-down list, select the format of the exported flow data as NetFlow version 1, NetFlow version 5, NetFlow version 9, or IPFIX sampling.
NOTE: When the export format is NetFlow version 5, the sample rate used in the exported packets is derived from the lowest port number where sampling is enabled. Fortinet recommends that administrators using NetFlow version 5 set the sample rate consistently across all ports.
- In the Identity field, enter a unique number to identify which FortiSwitch unit the data originates from. If the identity is not specified, the “Burn in MAC” value is used instead (from the get system status command output).
- In the Level field, select the flow-tracking level from one of the following:
—When you select IP, the FortiSwitch unit collects the source IP address and destination IP address from the sample packet.
—When you select MAC, the FortiSwitch unit collects the source MAC address and destination MAC address from the sample packet.
—When you select Port, the FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, and protocol from the sample packet.
—When you select Protocol, the FortiSwitch unit collects the source IP address, destination IP address, and protocol from the sample packet.
—When you select VLAN, the FortiSwitch unit collects the source IP address, destination IP address, source port, destination port, protocol, and VLAN from the sample packet.
- In the Max Export Packet Size (Bytes) field, enter the maximum size of exported packets in the application level.
- Configure the timeouts.
- In the General field, enter the general timeout in seconds for the flow session.
- In the ICMP field, enter the ICMP timeout for the flow session.
- In the Max field, enter the maximum number of seconds before the flow session times out.
- In the TCP field, enter the TCP timeout for the flow session.
- In the TCP FIN field, enter the TCP FIN flag timeout for the flow session.
- In the TCP RST field, enter the TCP RST flag timeout for the flow session.
- In the UDP field, enter the UDP timeout for the flow session.
- Configure the aggregates.
- Select +.
- In the ID field, enter a number to identify the entry or use the default value.
- Required. In the IP/Netmask field, enter the IPv4 address and mask to match. All matching sessions are aggregated into the same flow.
- To add another entry, select +.
- Select Update.
Using the CLI:
config system flow-export
set collector-ip <IPv4_address>
set collector-port <port_number>
set format {netflow1 | netflow5 | netflow9 | ipfix}
set identity <hexadecimal>
set level {ip | mac | port | proto | vlan}
set max-export-pkt-size <integer>
set timeout-general <integer>
set timeout-icmp <integer>
set timeout-max <integer>
set timeout-tcp <integer>
set timeout-tcp-fin <integer>
set timeout-tcp-rst <integer>
set timeout-udp <integer>
set transport {sctp | tcp | udp}
config aggregates
edit <id>
set ip <IPv4_address_mask>
end
end
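The NetFlow version 5 caveat above means a collector scales flow counts by the rate found on the lowest-numbered sampling port, so mismatched per-port rates silently skew the exported numbers. The following added example (not Fortinet code) parses a `config switch interface` fragment in the shape shown under "Enabling packet sampling", computes the rate that NetFlow version 5 export would advertise, and lists interfaces whose enabled rate differs from it. The interface names and rates are constructed for the check.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed `config switch interface` fragment in the CLI shape this section shows.
# port2 has sampling disabled, so its rate must not count; trunk1 is not a port, so it
# cannot be the reference even though sampling is enabled on it.
SAMPLE_CONFIG = """\
config switch interface
    edit port3
        set packet-sampler enabled
        set packet-sample-rate 2000
    next
    edit port1
        set packet-sampler enabled
        set packet-sample-rate 1000
    next
    edit port2
        set packet-sampler disabled
        set packet-sample-rate 500
    next
    edit trunk1
        set packet-sampler enabled
        set packet-sample-rate 1000
    next
end
"""

Samplers = Dict[str, Tuple[bool, int]]   # interface -> (sampler enabled?, sample rate)

def parse_samplers(config: str) -> Samplers:
    """Collect packet-sampler state and rate for every `edit ... next` entry."""
    result: Samplers = {}
    name: Optional[str] = None
    enabled, rate = False, 0
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            name, enabled, rate = line.split(None, 1)[1].strip('"'), False, 0
        elif line.startswith("set packet-sampler "):
            enabled = line.split()[-1] == "enabled"
        elif line.startswith("set packet-sample-rate "):
            rate = int(line.split()[-1])
        elif line == "next" and name is not None:
            result[name] = (enabled, rate)
            name = None
    return result

def port_number(name: str) -> Optional[int]:
    """Numeric part of a portN name, or None for trunks and other interfaces."""
    m = re.fullmatch(r"port(\d+)", name)
    return int(m.group(1)) if m else None

def netflow5_effective_rate(samplers: Samplers) -> Optional[int]:
    """Rate that NetFlow version 5 export advertises: the rate configured on the
    lowest-numbered port with sampling enabled. None if no port samples."""
    candidates = []
    for name, (enabled, rate) in samplers.items():
        num = port_number(name)
        if enabled and num is not None:
            candidates.append((num, rate))
    return min(candidates)[1] if candidates else None

def inconsistent_samplers(samplers: Samplers) -> List[str]:
    """Interfaces whose enabled sample rate differs from the advertised rate."""
    ref = netflow5_effective_rate(samplers)
    if ref is None:
        return []
    return sorted(n for n, (on, r) in samplers.items() if on and r != ref)

if __name__ == "__main__":
    s = parse_samplers(SAMPLE_CONFIG)
    print("advertised rate:", netflow5_effective_rate(s))
    print("mismatched interfaces:", inconsistent_samplers(s))
```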
Viewing the flow-export data
Using the GUI:
Go to System > Flow Export > Monitor.
Using the CLI:
You can display the flow-export data or raw data for a specified number of records or for all records. You can also display statistics for flow-export data.
get system flow-export-data flows {all | <count>} {ip | subnet | mac | all} <switch_interface_name>
get system flow-export-data flows-raw {all | <count>} {ip | subnet | mac | all} <switch_interface_name>
get system flow-export-data statistics
NOTE: Layer-2 flows for netflow1 and netflow5 are not supported. In the output of the get system flow-export-data statistics command, the Incompatible Type field displays how many flows are not exported because they are not supported.
Deleting the flow-export data
Use the following commands to delete or expire all flow-export data:
diagnose sys flow-export delete-flows-all
diagnose sys flow-export expire-flows-all
Identifying a specific FortiSwitch unit
When you have multiple FortiSwitch units and need to locate a specific switch, use the following command to flash all port LEDs on and off for a specified number of minutes:
diagnose switch physical-ports led-flash <disable | time>
You can flash the port LEDs for 5, 15, 30, or 60 minutes. After you locate the FortiSwitch unit, you can use disable to stop the LEDs from flashing.
NOTE: For the FS-5xx switches, the diagnose switch physical-ports led-flash command flashes only the SFP port LEDs, instead of all the port LEDs.