
How to Fix FortiGate/FortiSwitch sync issues with certificate map on v7.4.4

This article describes the sync error shown below, which appears on the FortiGate after a certificate is mapped on the FortiSwitch, and how to resolve it.

Scope

Sync-up error between FortiGate and FortiSwitch on v7.4.x.

Solution

Issue State:

4season-FW # execute switch-controller get-sync-status all
Managed-devices in current vdom root:

FortiLink interface : fortilink
SWITCH-ID (SERIAL) STATUS CONFIG MAC-SYNC HTTP-UPGRADE
4Seasons-Switch (S148FFTFxxxxxxxx) Up Error Error -

[1]
command: https://192.168.0.2:443/api/v2/login
payload:
result : REST API login failed with error 60

Solution: Import the CA certificate on the FortiGate (as a CA certificate, not as a local/server certificate), and configure the FortiSwitch as shown below:

FortiGate CLI:

config switch-controller system
set tunnel-mode moderate
end

Note:

By design, the tunnel mode is changed from strict to moderate.

FortiGate-60F # execute vpn certificate ca import tftp /temp/path/filename IP
Done.
FortiGate-60F # show vpn certificate ca CA_Cert_1
config vpn certificate ca
edit "CA_Cert_1"
set range global
next
end
FortiGate-60F # show switch-controller system
config switch-controller system
set tunnel-mode moderate
end
FortiGate-60F # execute switch-controller get-conn-status
Managed-devices in current vdom root:
FortiLink interface : fortilink
SWITCH-ID VERSION STATUS FLAG ADDRESS JOIN-TIME SERI
S426EFTF19000012 v7.4.2 (801) Authorized/Up 2 10.255.1.2 Thu Apr 25 15:49:39 2024 S426EFTF19000012
Flags: C=config sync, U=upgrading, S=staged, D=delayed reboot pending, E=config sync error, 2=L2, 3=L3, V=VXLAN, T=tunnel, X=External
Managed-Switches: 1 (UP: 1 DOWN: 0 MAX: 24)
FortiGate-60F # get sys status
Version: FortiGate-60F v7.4.2,build2571,231219 (GA.F)

FortiSwitch CLI:

S426EFTFxxxxxxx # execute certificate local import tftp <filename> <ip>
Done.
S426EFTF19-----2# show system certificate local
config system certificate local
edit "filename"
set password ENC wuPp7AGYkncE2QblJ6pjdyed1MfVG+dVhJ6sy9aDP+B50ykGwPsa5R7DcKrd6b2SfhidSZg1vN9NLlssOHthDyCWAfzpx6MNRo9j8ojJY0FsU1kTk/r/71KGva5RldCZODJBII5FtN5pvJhj8znzythf8XX8O/UwWzbGEDJ+H4uOUnfE
next
end
S426EFTF19-----2# show system certificate remote
S426EFTF19-----2# show system certificate ca
config system certificate ca
end
S426EFTF19-----2# show system web
config system web
set https-server-cert "filename"
set https-ssl-versions tlsv1-3
end
S426EFTF19-----2 # get sys status
Version: FortiSwitch-M426E-FPOE v7.4.2,build0801,231207 (GA)
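An added pre-check, not from the Fortinet article, that reproduces offline what the FortiGate needs in order to log in to the switch's REST API: the certificate installed on the FortiSwitch must chain to the CA imported on the FortiGate and carry the switch's FortiLink address. The CA names and keys are throwaway values constructed here with openssl; the 10.255.1.2 address is taken from the get-conn-status output above.

```shell
#!/bin/sh
# Constructed example: build a throwaway CA and a switch server certificate,
# then run the same chain check the FortiGate performs against the switch's HTTPS cert.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA (stands in for the CA imported with 'execute vpn certificate ca import')
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Lab CA" -keyout ca.key -out ca.pem 2>/dev/null

# Throwaway switch certificate signed by that CA, with the FortiLink IP in its SAN
# (stands in for the cert imported with 'execute certificate local import')
printf 'subjectAltName=IP:10.255.1.2\n' > san.cnf
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=fortiswitch" \
  -keyout sw.key -out sw.csr 2>/dev/null
openssl x509 -req -in sw.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -sha256 -extfile san.cnf -out sw.pem 2>/dev/null

# An unrelated CA: what the FortiGate effectively trusts when the wrong CA is imported
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Other CA" -keyout other.key -out other.pem 2>/dev/null

# check_chain CA CERT IP
# returns 0 when CERT chains to CA and lists IP in its subjectAltName,
# 1 when the chain does not verify, 2 when the address is missing from the SAN
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text | grep -q "IP Address:$3" || return 2
  return 0
}

if check_chain ca.pem sw.pem 10.255.1.2; then
  echo "switch certificate chains to the CA for 10.255.1.2: import both as shown above"
else
  echo "switch certificate does NOT verify against this CA (rc=$?)"
fi
```

Run the same function against the real CA file and the certificate you plan to install on the switch before importing either one; a failure here is the same condition that produces the REST API login error on the FortiGate.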