Comments on: FortiGate/Cisco Layer 2 woes http://www.108.bz/posts/it/fortigate-cisco-layer-2-woes/ Wandering futilities... Fri, 20 Jan 2012 13:06:19 +0000 hourly 1 http://wordpress.org/?v=3.1.1 By: Giuliano http://www.108.bz/posts/it/fortigate-cisco-layer-2-woes/comment-page-1/#comment-4129 Giuliano Wed, 06 Apr 2011 09:30:13 +0000 http://www.108.bz/?p=103#comment-4129 Thank you Dan for yet another update. Never experienced such a behaviour though. The issues I had have always been solved by turning off auto negotiation. As for Fortigate TAC, I share your feelings. It's a pity because the boxes themselves are quite nice (compared to other UTM devices in the same market/price segment). ciao, -- Giuliano Thank you Dan for yet another update. Never experienced such a behaviour though. The issues I had have always been solved by turning off auto negotiation.
As for Fortigate TAC, I share your feelings. It’s a pity because the boxes themselves are quite nice (compared to other UTM devices in the same market/price segment).

ciao,

Giuliano

]]> By: Dan http://www.108.bz/posts/it/fortigate-cisco-layer-2-woes/comment-page-1/#comment-4048 Dan Thu, 31 Mar 2011 06:31:34 +0000 http://www.108.bz/?p=103#comment-4048 Hi Giuliano, Thanks for replying, I lost this link and couldn't find it, but I somehow found this again from google today. The problem I am having is kind of solved... The problem is caused by both FortiGate 60Bs and the Cisco/Linisys switches that we are using. The Cisco/Linksys (SRW224G4P) switch have a weird bug that will sometimes lock up and as soon as it locks up, all the ports on the switch will stop working and you can't ping or remote access the switch at all! Recently I found that this might be caused by mismatch of duplex setting between the switch and the device connecting to it (PS. I am already using latest version of firmeware - v1.3.1 for the switch). The problem on the FortiGate is that it just won't able to connect to the switch with 100full, the switch would connect to FortiGate with 100half and FortiGate would connect to the switch with 100full. After a while of running, the switch would lock up. This happened to Cisco 1800 router as well. The setting on the router is 100full and switch is running with 100half, when this happens, the switch will lock up at least twice a day! One last thing, if you have a chance, try run the following two commands on the FortiGate: Global mode: diagnose hardware deviceinfo nic dmz Vdom mode: get system interface physical I get different duplex results from these 2 commands!! One says half duplex and another says full duplex!! To be honest, I had so many of these type of bugs with FortiGate, I am really getting sick and tired of them... And not to mention the speed and ability of their TAC support, it's slow and unhelpful most of the time. So my solution is to set the connection between the FortiGate and Cisco/Linksys switch to 100half, that seems to fix the problem. Cheers, Dan Hi Giuliano,

Thanks for replying, I lost this link and couldn’t find it, but I somehow found this again from google today.
The problem I am having is kind of solved… The problem is caused by both FortiGate 60Bs and the Cisco/Linisys switches that we are using. The Cisco/Linksys (SRW224G4P) switch have a weird bug that will sometimes lock up and as soon as it locks up, all the ports on the switch will stop working and you can’t ping or remote access the switch at all! Recently I found that this might be caused by mismatch of duplex setting between the switch and the device connecting to it (PS. I am already using latest version of firmeware – v1.3.1 for the switch). The problem on the FortiGate is that it just won’t able to connect to the switch with 100full, the switch would connect to FortiGate with 100half and FortiGate would connect to the switch with 100full. After a while of running, the switch would lock up. This happened to Cisco 1800 router as well. The setting on the router is 100full and switch is running with 100half, when this happens, the switch will lock up at least twice a day!
One last thing, if you have a chance, try run the following two commands on the FortiGate:

Global mode:
diagnose hardware deviceinfo nic dmz

Vdom mode:
get system interface physical

I get different duplex results from these 2 commands!! One says half duplex and another says full duplex!!

To be honest, I had so many of these type of bugs with FortiGate, I am really getting sick and tired of them… And not to mention the speed and ability of their TAC support, it’s slow and unhelpful most of the time.

So my solution is to set the connection between the FortiGate and Cisco/Linksys switch to 100half, that seems to fix the problem.

Cheers,
Dan

]]> By: Giuliano http://www.108.bz/posts/it/fortigate-cisco-layer-2-woes/comment-page-1/#comment-2400 Giuliano Fri, 03 Dec 2010 09:03:01 +0000 http://www.108.bz/?p=103#comment-2400 Dear Dan, I had the issue while router and firewall were directly attached via a crossover cable. I'm pretty sure that using fixed speed/duplex on both devices would've solved it but I had no access to the router. Did you do that? I'd follow these steps: - Turn off auto-negotiation and use fixed (say) 100Mbps/Full Duplex. On each of the router's ethernet ports. On each of the firewall's ethernet ports. If there are switches in between, on the switches' ports where firewall/router are connected. - Make sure that the issue really lies on the firewall facing side of the router by pinging the router's WAN interface from outside of the Company. - Disconnect a firewall from a router and put a switch between them (or, if there already was one, use a different brand of switch). See if that makes lock-ups go away. I'd be glad if you'll keep me posted about the issue. I noticed that FortiGate auto-negotiation doesn't play well with ProCurve switches, also (serious performance issues, but no lock-ups). But in any of the cases I faced, turning auto-negotiation off has been enough. ciao, -- Giuliano Dear Dan,

I had the issue while router and firewall were directly attached via a crossover cable. I’m pretty sure that using fixed speed/duplex on both devices would’ve solved it but I had no access to the router. Did you do that? I’d follow these steps:
- Turn off auto-negotiation and use fixed (say) 100Mbps/Full Duplex. On each of the router’s ethernet ports. On each of the firewall’s ethernet ports. If there are switches in between, on the switches’ ports where firewall/router are connected.
- Make sure that the issue really lies on the firewall facing side of the router by pinging the router’s WAN interface from outside of the Company.
- Disconnect a firewall from a router and put a switch between them (or, if there already was one, use a different brand of switch). See if that makes lock-ups go away.

I’d be glad if you’ll keep me posted about the issue. I noticed that FortiGate auto-negotiation doesn’t play well with ProCurve switches, also (serious performance issues, but no lock-ups). But in any of the cases I faced, turning auto-negotiation off has been enough.

ciao,

Giuliano

]]> By: Dan Huang http://www.108.bz/posts/it/fortigate-cisco-layer-2-woes/comment-page-1/#comment-2399 Dan Huang Fri, 03 Dec 2010 08:09:08 +0000 http://www.108.bz/?p=103#comment-2399 I believe we are having the same problem here... We got about 90 FortiGate 60 firewalls and many Cisco & Cisco/Linksys switches, once awhile the link between the FG firewall and Cisco switch would lock up, and the only fix it to restart the Cisco router. This is causing me a serious headache as I am the only network administrator that look after network devices. I tried changing to different speed and duplex when the switch port is locked up but it doesn't help at all. Also when it is locked up, I turned on the sniffer on the FortiGate firewall, it can't 'see' anthing as if nothing is on the other end... I just can't believe I have to deal with these type of problem and it seems like a basic network 101 but can't be solved... Please do let me know if you have any further information. Much appriciated! Cheers, Dan I believe we are having the same problem here…
We got about 90 FortiGate 60 firewalls and many Cisco & Cisco/Linksys switches, once awhile the link between the FG firewall and Cisco switch would lock up, and the only fix it to restart the Cisco router. This is causing me a serious headache as I am the only network administrator that look after network devices.
I tried changing to different speed and duplex when the switch port is locked up but it doesn’t help at all. Also when it is locked up, I turned on the sniffer on the FortiGate firewall, it can’t ‘see’ anthing as if nothing is on the other end…

I just can’t believe I have to deal with these type of problem and it seems like a basic network 101 but can’t be solved…

Please do let me know if you have any further information. Much appriciated!

Cheers,
Dan

]]>