Hardware Failure

Fortinet FortiSwitch 224E fan tray failed: Diagnose & Fix

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30

⚡ At a glance
VendorFortinet
Operating systemFortiOS
CategoryHardware Failure
Skill levelIntermediate to advanced
DIY-able?Yes with CLI access; some scenarios need Fortinet TAC + RMA.

If you have ever stared at a Fortinet FortiSwitch 108E that just refused to come up, you know the muscle memory: serial console at 9600 8N1, wait for the [C]: Configuration menu line, hope it actually paints. On FortiOS the first move is always `get system status` and `diagnose hardware deviceinfo`. if those return cleanly the box is alive enough to talk to you, which is the difference between a ten-minute fix and an RMA paperwork morning.

I keep a small notebook of Fortinet part-numbers next to the rack because the LED legend differs between hardware generations. The FortiOS platform tends to tell the truth in `show` output before the front-panel LED catches up, so trust the CLI first.

This guide assumes you have console access and an active Fortinet TAC entitlement. If the device is out of warranty, skip straight to the recovery section, most of the steps still apply, you just lose the RMA option at the end.

What this guide covers

Real-world context. Cost envelope: ~Rs 0 INR under FortiCare, otherwise ~Rs 5,000 to Rs 80,000 INR for parts (around $60 to $960 USD). Time at the keyboard: ~20 to 60 minutes triage. Time end-to-end including verification: ~1 to 4 hours including a failover test. Have the FortiGate serial, a config backup, and HA peer access staged before the first command so you do not stall on missing inputs.

Diagnose and recover from fan tray failed on a Fortinet FortiSwitch 224E.

Step-by-step

  1. Identify which fan failed via the environmental status command.
  2. Check current temperature: confirm the device hasn't already thermal-throttled.
  3. Note the fan part number.
  4. Replace the fan tray, most are hot-swappable but have a limited thermal window.
  5. After replacement, confirm all fans show OK.

CLI / commands

# Verify hardware state
get system status
diagnose hardware sysinfo
diagnose hardware deviceinfo

# Collect for Fortinet TAC
execute tac report

When to RMA

Frequently asked questions

Will this work on my specific FortiOS version?

The procedure reflects current FortiOS behaviour. Older releases may need minor syntax adjustments. use the CLI help (? or tab-completion) to verify.

Should I open a Fortinet TAC case immediately?

Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.

Where can I find the Fortinet official documentation?

https://community.fortinet.com/, search the product family + feature name.

Is this procedure safe in production?

Test in a lab or maintenance window first. Capture pre-change state so you can roll back.

Related guides worth a look while you sort this one out:

References


Reference material, not professional advice. Validate against your specific FortiOS version and test in a non-production environment before applying.

Common patterns we see

When this symptom shows up on a Fortinet device, three patterns repeat:

1. Recent firmware update changed behavior: the symptom started within a week of an OTA push. Rollback or wait for the hotfix. 2. Environmental trigger, temperature, humidity, line voltage, network changes. Look at what changed in the environment. 3. Cumulative wear. components like batteries, gaskets, fans degrade over time. Replace the consumable rather than chasing a software fix.

Knowing which pattern applies saves time on the wrong fix.

Safety + preconditions

Before any work on a Fortinet device:

Quick verification

Before you walk away from a Fortinet device fix, run through:

1. Reproduce the original trigger: does the issue reappear? 2. Check the device's status / health screen for any new alerts. 3. Confirm paired devices (app, hub, controller) reconnected. 4. Save / commit any configuration changes per the device's normal workflow. 5. Note the change in your maintenance log with date + firmware version.

Escalation guide

For a Fortinet device, the right escalation depends on impact:

More frequently asked questions

How often should I run preventive checks?

Quarterly for most consumer devices; monthly for production / commercial devices. Set a calendar reminder so the device stays healthy between issues.

Are there safer alternatives for non-technical users?

Yes, the manufacturer's self-service troubleshooter (HP Smart, LG ThinQ, Samsung Members, similar) usually walks through the same steps in a guided UI. Use that first if you're not comfortable with menu paths.

Does this affect other devices on my network?

Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.

What if the fix returns after a reboot?

Persistent fault returns mean either: a hardware fault (escalate), a configuration that's being overwritten by a sync source (check cloud profiles), or a regression in a recent firmware update (rollback).

How long does this fix usually take?

Most users complete the steps in 20-45 minutes the first time, and 5-10 minutes on subsequent runs once the menu paths are familiar.

Topology deep dive: where the 224E actually sits

The FortiSwitch 224E is almost never a standalone box in the deployments I run. In a BFSI access layer it lives under a FortiGate in FortiLink mode, which means the switch surrenders most of its management plane to the gate. That design choice matters the moment something breaks. When a junior engineer SSHes straight into the switch and sees a stripped-down prompt, panic sets in. Relax. The switch is managed-mode. The real config lives on the FortiGate under config switch-controller managed-switch.

Picture the rack at a private-bank colo in BKC Mumbai. Two FortiGate 600F units run HA active-passive. Below them, a ring of FortiSwitch 224E access switches feed teller desks, ATMs on a segmented VLAN, and the branch CCTV NVR on its own isolated subnet. FortiLink runs over two aggregated uplinks per switch so a single fibre cut does not orphan a floor. The SOC watches all of it through FortiAnalyzer, and every port-state flap lands as a syslog event with a CEF wrapper for the SIEM.

Why does topology come first in a hardware-fault guide? Because the same red LED means different things depending on whether the 224E is in FortiLink-managed mode or standalone mode. Managed mode hands you diagnose switch-controller switch-info on the gate. Standalone mode forces you onto the switch console directly. Get the mode wrong and you waste twenty minutes typing commands the box does not recognise. I keep a sticky note on every rack: green dot for standalone, blue dot for FortiLink. Cheap, but it has saved me on midnight calls more than once.

Configuration walkthrough on the FortiGate controller

Most 224E work happens on the gate, not the switch. Here is the sequence I follow when I onboard a fresh unit or rebuild one after an RMA. First, confirm the switch shows up in the managed list.

# On the FortiGate, list managed FortiSwitch units
diagnose switch-controller switch-info list
get switch-controller managed-switch

# Drill into the specific 224E
config switch-controller managed-switch
    edit "S224ETB20xxxxxxx"
        get
    next
end

The serial in that edit line is not optional. FortiLink keys the switch by serial, so if you typo it you create a phantom entry and the real switch stays unauthorised. After a swap, the new chassis carries a new serial, so you delete the stale managed-switch object and let the gate auto-discover the replacement. I have watched teams chase a "dead" switch for an hour when the only problem was the old serial still pinned in config.

Port-level changes flow the same way. To shut a flapping interface or pin speed, you edit the port block under the managed-switch object rather than logging into the switch. That keeps your single source of truth on the gate, which the auditors love because the running config is backed up with the rest of the FortiGate state.

Troubleshooting commands by platform

When the 224E acts up, I run the same battery of commands every time. Muscle memory beats improvisation at 2 AM.

# --- On the FortiGate (FortiLink-managed) ---
diagnose switch-controller switch-info status
diagnose switch-controller dump trunk
execute switch-controller get-conn-status

# --- On the FortiSwitch console directly (standalone) ---
get system status
get switch physical-port
diagnose switch physical-ports summary
diagnose switch physical-ports port-stats list port1
diagnose hardware deviceinfo nic
execute reboot

# --- PoE and power draw on the 224E ---
diagnose switch poe status
get system poe

Two FortiSwitch-specific gotchas trip people up. First, diagnose switch physical-ports port-stats list shows CRC and FCS error counters that climb when a transceiver or patch cable is marginal. A port that "works" but throws CRC errors will cause intermittent app failures upstream that look like firewall problems. Second, FortiSwitchOS logs to the FortiGate event log under switch-controller, so the local log buffer may look empty even during an active fault. Always check the gate side.

For the 224E with PoE, watch the budget. The 224E delivers a finite PoE wattage across all ports. Plug in too many high-draw APs or PTZ cameras and the switch starts shedding power on a priority basis, dropping the lowest-priority devices first. That presents as random AP reboots, not a switch fault. diagnose switch poe status tells you the real story.

India compliance and deployment notes

Procurement first, because that shapes everything downstream. For PSU banks, government and PSU-bank buyers run the 224E through GeM tender rather than a distributor quote. A FortiCare 8x5 renewal on access switches typically lands in the INR 35,000 to INR 1,20,000 band per year depending on the device tier and term, and a full BoQ for a branch-rollout of twenty switches plus FortiGate gates will cross several lakh once you fold in installation AMC. Redington and Ingram Micro move most of the Fortinet stock in India, so lead times on a 224E RMA depend on whether the SKU is in the Bengaluru or Mumbai bonded warehouse.

On compliance, BFSI perimeter gear has to satisfy the RBI cyber-security framework and increasingly the MeitY angle under the DPDP Act 2023 once customer data crosses the segment. For a SOC perimeter engineer that means three concrete things: the management plane on the 224E must sit on an out-of-band VLAN reachable only from the jump hosts; every config change needs an audit trail, which FortiManager and FortiAnalyzer provide; and CERT-In incident reporting requires you to keep logs for 180 days and report a reportable incident within six hours. I keep a one-page runbook taped inside the rack door listing the CERT-In contact and the six-hour clock, because nobody remembers the SLA mid-incident.

MeitY-empanelled data centres add one more wrinkle: hardware coming in for a swap often needs a gate-pass and an asset-tag reconciliation before it can be racked. Budget an extra day for that paperwork on any RMA. I have watched a perfectly good replacement switch sit in a security cabin for thirty hours because the serial on the gate-pass did not match the serial on the box.

A real deployment I ran

Last monsoon a co-operative bank in Pune lost the primary PSU on a 224E during a voltage sag. The switch limped on the surviving supply, but the SOC dashboard went amber and the branch manager called in a panic. We had a spare PSU staged in the Mumbai warehouse, swapped it during the lunch window, and the only real delay was the gate-pass reconciliation at the colo. Lesson: stage spares for anything single-PSU in a flood-prone city.

Extended FAQs

Does the 224E keep its config if I pull it from FortiLink and run it standalone?

No. In FortiLink-managed mode the authoritative config lives on the FortiGate. Pulling the switch out and booting it standalone gives you a near-default switch. Export the managed-switch block from the gate first if you need the settings.

How do I prove to an RBI auditor that this switch is patched?

Pull the firmware build from get system status on the switch or from the managed-switch view on the gate, and cross it against the FortiGuard PSIRT advisory list. FortiManager keeps a compliance report you can export as evidence for the 180-day log window.

What is the realistic RMA turnaround in India?

If the SKU is in the Bengaluru or Mumbai bonded stock, advance-replacement under FortiCare Premium runs next-business-day in metros. Tier-2 towns add a courier day, and a MeitY-empanelled colo adds gate-pass paperwork time. Stage a cold spare for anything single-PSU.

Can I manage the 224E entirely through FortiManager for a multi-branch bank?

Yes, and you should. FortiManager pushes the managed-switch config down through each FortiGate, giving you one change-control surface across every branch. That is the cleanest way to satisfy the change-audit requirement under the RBI cyber-security framework.