AP-Fail

Fortinet Support got back to me and confirmed the bug.

"Dear Customer,
   Thanks for contacting fortinet. I am looking into this ticket and will be happy to assist you with it. 

With regards to the issue you are seeing, this is a known issue tracked under bug 0955764, where fap 221Es are losing connection to fgt on 7.4.2/7.4.3.  Engineering has looked into this issue and they have been able to root cause. The issue will be addressed in 7.4.4 fortigate/fortiOS release. ETA for 7.4.4 is around 3rd week of April, 2024.

Engineering has suggested either of the below workarounds for now.

1 Downgrade of the fgt to 7.4.1 release.
2  OR rebooting the APs which are seeing the issue to bring the APs back online.

Please let me know for anything.

Thanks and regards,"

Interesting thing is of the 9 APs I have attached to the Fortigate cluster, only about 1/2 of them keep dropping off and have to be rebooted.  I've increased the timeout on the Fortigate and have checked the physical layer for any issues which appear to be fine.  All the APs are the same model (221E) so I'm curious as to why only 1/2 drop off.  I don't think it's traffic either because when they do, it's usually when no one is around to connect to them.  i.e. the middle of the night.

Thanks! So glad I found this thread. We've been having the exact same issue with our 224Es. Every day I come in, and several of them are offline. I think I'll wait for the new FortiOS rather than downgrade.

One thing that has helped me is creating an automation notification for when the AP "leaves" and "joins" so I get an alert when it happens.  If I happen to be remote I can log into the POE switch and reset (or turn off then on) the POE for the port of the AP affected and that essentially reboots my APs.  I do have a couple APs that are on a non-poe switch using injectors so those have to be manually (unplug, plug in) rebooted.

hope they come out with the updated firmware soon.

Hi Mike, i am the Author of the community article you mentioned.

Those values are examples of what happens when you change it, not a suggestions.

suggestions are follows

In summary, to speed up FortiAP reconnections:

1) Use the default values on these timers where possible.

2) Use manual controller discovery and manual IP addressing on the APs.

It is no longer required to change these timer settings from their default values on modern high speed, high bandwidth networks.

If FortiAP failures and disconnections occur with the following message...

'ECHO REQ is missing' and 'Control message maximal retransmission limit reached'

... And the related APs are deployed as local FortiAPs (they are on the same campus, typically in the same building, with gigabit speed links or better), consider investigating for Network issues or FortiAP related issues before attempting to tune up wireless controller timers and global settings. The default settings are recommended for most deployments.

Read the following article to understand how to diagnose FortiAP related issues:

https://community.fortinet.com/t5/FortiAP/Technical-Tip-How-to-interpret-FortiWiFi-or-FortiAP-variou...

References

https://docs.fortinet.com/document/fortigate/6.2.3/cli-reference/138620/wireless-controller-timers

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/717332/wireless-controller-timers

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/214787/wireless-controller-global

https://community.fortinet.com/t5/FortiAP/Technical-Tip-How-to-interpret-FortiWiFi-or-FortiAP-variou...

https://docs.fortinet.com/document/fortiap/7.0.4/fortiwifi-and-fortiap-configuration-guide/65088/for...

Interesting to note:  7.4.4 has been out and there is no mention of bug ID 0955764 in the release notes.  I chatted with support and they said that engineering must not have fix the issue however after applying 7.4.4 to my main cluster I haven't had a 221E AP disconnect.  It's been almost 2 weeks and so far, so good.