Hi

Thanks for your reply

Interface GigabitEthernet1/0/22 and GigabitEthernet1/0/23 have these configuration

Switchport mode access

Switchport access vlan 65

Thanks

Tazio

GigabitEthernet1/0/22

P2P VPN is it L2VPN or L3VPN ??

Hi ,

This is just a layer 2 Pt2Pt connection

Thanks

Tazio

then check the policy in both FW it can drop the icmp packet. 
also check arp in both FW, are the ARP show IP-MAC in both FW??

Hi,

Thanks for your reply.

There is a little progress as I spoke with the Fortinet guy and he had GW missing so he added the GW and now Fortinet can ping directly connected Cisco SW but the 2 Cisco SWs are still not talking.

To answer to your question

1. Yes Vlan 65 are on both Sw

2. Yes it is a typo in fact the ip are 172.16.30.3 and 172.16.30.6 and these has been added as GW on Fortinet.

3. unfortunately still not working

4. Firewall GW were missing and now it has been added as 172.16.30.3 and 172.16.30.6

5 Yes this is a layer 2 pt2pt connection

6 Yes I am using int vlan 65 with ip address .Please see show run attached

7 SW to Sw cannot ping

8. SW to Firewall is now pingable after GW have been added.

Thanks

Tazio

as per your diagram it was Gig 1/0/24

your config show as below : where is Gig 1/0/24 config

Cisco SW Site 1#sh run
!
interface GigabitEthernet1/0/22
switchport access vlan 65
switchport mode access
!
interface Vlan65
ip address 172.16.30.3 255.255.255.248
!
interface GigabitEthernet1/0/22
switchport trunk allowed vlan 65
switchport mode trunk

==========

can you also post show cdp neigh (from both the switches ?)

Sorry again typo when editing the file

Cisco SW Site 1#sh run
!
interface GigabitEthernet1/0/22
switchport access vlan 65
switchport mode access
!
interface Vlan65
ip address 172.16.30.3 255.255.255.248
!
interface GigabitEthernet1/0/24
switchport trunk allowed vlan 65
switchport mode trunk

Please see sh cdp nei attached. Can see neigh from one side only

Thanks

Tazio

we do not see the switches forming CDP, Maybe it was not enabled not sure.

post below output from bot the switches :

show vlan

show IP interface brief 

show span vlan 65

show interface gig 1/0/24 (from switch site1)

show interface ten 2/1/1 (from switch site2)

show run | in hostname

Hi ,

Thanks for your prompt reply.

For ease of understanding I labelled the SW in site 1 as Cisco SW Site 1 but the hostname is BGP1

Same thing for site 2 I labelled it as Cisco SW Site 2 but the hostname is COLOSW_STACKED.

I am attaching 2 files for the output of the commands you requested.

Thanks

Tazio

here is my observation :

show vlan  (COLOSW_STACKED)

I do not see your Ten 2/1/1 part of the VLAN. 65

65 PT-2-PT active Gi1/0/23, Gi2/0/22, Gi2/0/23

other part :

BGP1 Gi 1/0/24 is Ethernet port

COLOSW_STACKED  - Ten 2/1/1 have SFP port ? (1000BaseLX SFP)

So that is not possible to connect Ethernet to SFP (until you have any media converters between)

So as per I know you have some Physical connection issue here - 

If you look at the spantree output ( both switch for VLAN 65 acting as root )

BGP1#sh span vlan 65

VLAN0065
Spanning tree enabled protocol rstp
Root ID Priority 32833
Address 084f.f984.d200
This bridge is the root

COLOSW_STACKED#sh span vlan 65

VLAN0065
Spanning tree enabled protocol rstp
Root ID Priority 32833
Address 10b3.d62f.de80
This bridge is the root

Suggestions :

check Ten 2/1/1 config, make sure configured correctly trunk and with VLAN 65

check - show interface trunk 

shutdown Ten 2/1/1 see what ports going down.

by the way what model switches is this ? what IOS code running ? ( I am sure some where I see Cat 9300 please clarify)

Hi ,

Thanks for your reply and trying your best to help me.

Int Te2/1/1 is a trunk port and hence will not show up in sh vlan .

Yes there is a media converter on the BGP1 site. The ISP hands over the circuit to be in a media converter on an Ethernet port and I take over from that port to my Cisco Sw.

Seems correct configuration on int Te2/1/1

COLOSW_STACKED#sh run int te2/1/1
Building configuration...

Current configuration : 98 bytes
!
interface TenGigabitEthernet2/1/1
switchport trunk allowed vlan 65
switchport mode trunk
end

I did shut down int Te2/1/1 and it goes admin down which means this is the correct port.

Both Sw are 9300 Sw and IOS is CAT9K_IOSXE

Thanks

Tazio

Yes there is a media converter on the BGP1 site. The ISP hands over the circuit to be in a media converter on an Ethernet port and I take over from that port to my Cisco Sw.  - make sense I was expected this.

i mean when you shutdown Ten 2/1/1 (on BGP1 Gi 1/0/24 go down ?)  - I think it will not go down due to media converter between.

can you post show IP route , show run | in routing , show IP arp (from both the switches)

Something looks not right in the connection I guess.

For testing - make it as access port  - and vlan 65 - Ten 2/1/1 

Connect Laptop on BGP1  side directly to laptop Ethernet and assisng IP address 172.16.30.3 and ping 172.16.30.6  (is this works ?)

So your connection will be like this :

Laptop (172.16.30.3)----Ethernet--Mediaconverter------ISP-------Te 2/1/1