ralph_uy
New Member
July 29, 2019
Question

Connected to AP but no internet connection


Hope someone can help me out with this issue. Clients are connected to the AP but have no internet connection. Icon on mobile showing with exclamation mark

Icon on computer showing yellow triangle

Issue is, it is connected for some time, then suddenly loses internet connection, and then after some time will gain internet access again. Or if you disconnect and connect again you will gain internet access again.

 

There is a DNS server installed on one of the site DCs. Main DC is in another country.

DNS setup is

DNS1: ISP DNS

DNS2: DNS server IP

 

I will be attaching full configuration.

 

Setup

AP1:

Radio 2.4: channel 1,11

Radio 5.0: channel 36

Frequency Hand off: disable

AP Hand off: disable

Darrp: disable

SSID: wifi1,guest1

 

AP2:

Radio 2.4: channel 6

Radio 5.0: channel 40,48

Frequency Hand off: disable

AP Hand off: disable

Darrp: disable

SSID: wifi2,guest2

 

AP3:

Radio 2.4: channel 1,11

Radio 5.0: channel 44

Frequency Hand off: disable

AP Hand off: disable

Darrp: disable

SSID: wifi1,guest1

 

    6 replies

    Dave_Hall
    New Member
    July 29, 2019

    Hi Ralph.

     

    Are these APs being controlled by a Fortigate device or connected directly to the cloud?

    ralph_uy (Author)
    New Member
    July 29, 2019

    Yes connected to Fortigate 60E

    Dave_Hall
    New Member
    July 29, 2019

    Assuming the 60E is acting as a wifi controller:

     

    Check the "Wifi & Switch Controller->Managed APs" to confirm the 60E still shows the APs connected.  See if you can ping the AP's IP addresses.

     

    Have someone on site check the status of the LEDs (pic is from a U421EV PDF):

     

     

     

    Check the "Monitor->WiFi Client Monitor" to see if there are any clients connected or connecting.

    Check for DHCP IP pool exhaustion. Check the DHCP monitor for any IP conflicts.

    Perform ping/traceroute tests (both to/from the 60E).

     

     

     

    ralph.uy@mondiamedia.com wrote:

    Yes connected to Fortigate 60E

    Epitaph91
    New Member
    October 30, 2019

    I am having the same issues now... I will get clients that randomly get connected and are unable to access internet or, if it's a bridge, no access to local resources.

     

    I have about 35 WAPs that range from 221E's to 421E's and Fortinet had me downgrade the code on my 421E's to support my firewall code 6.0.2 which made no difference.

    sanderl
    New Member
    November 7, 2019
    Hello, here exactly the same situation 60E fortiwifi, 3x 221C all latest fw... frequent wifi issues. Exclamation mark etc. Cabled works fine though. I have tried literally everything but just does not work. Currently rebooting APs and FW daily...
    smartfoneaddict
    New Member
    January 29, 2020

    Same issue with FortiWifi 40C and FP223 access point (all on latest firmware).  Recently various devices connected to the AP will indicate that they do not have access to the Internet while remaining connected to the AP and all lights on the AP continuing to show green.  Can find nothing in the logs.  Disconnecting from the AP and reconnecting seems to fix it.  But the fact that the disconnect happens nearly simultaneously on various devices and only appears to be resolved by disconnecting and reconnecting, makes it hard to believe that it is a client device side issue.  (Still troubleshooting).

    deanshomer
    New Member
    February 5, 2020

    Having the same issues with clients disconnecting randomly. We have to reboot the APs every few hours to force client resets which is obviously less than ideal. Using FortiAP 221E in tunnel mode to Fortigate wifi controller. I have a support case opened with no resolution but will post back if anything comes from it.

     

    Update: Found out that the CAPWAP packets were getting fragmented due to the tunneling over an IPSEC connection back to the controller. The solution for this particular problem is to adjust the tunnel MTU on the AP profile in order to avoid CAPWAP fragmentation.

    BobSmith
    New Member
    April 23, 2020

    deanshomer wrote:

    Having the same issues with clients disconnecting randomly. We have to reboot the APs every few hours to force client resets which is obviously less than ideal. Using FortiAP 221E in tunnel mode to Fortigate wifi controller. I have a support case opened with no resolution but will post back if anything comes from it.

     

    Update: Found out that the CAPWAP packets were getting fragmented due to the tunneling over an IPSEC connection back to the controller. The solution for this particular problem is to adjust the tunnel MTU on the AP profile in order to avoid CAPWAP fragmentation.

    I have the same issue, would be interesting if you could post how you discovered the CAPWAP fragmentation and what you adjusted the MTU to.

    deanshomer
    New Member
    April 23, 2020

    Basically stumbled upon the fragmentation issue while performing packet captures on an intermediate IPSEC router. I found packet fragmentation on the tunnel with the source IP of the AP. Once I realized that the already encapsulated CAPWAP packets were being fragmented due to tunnel MTU, I began to adjust the MTU on the AP profile so that the encapsulated packets would fit in the IPSEC tunnel. Started at 1450 and ended up at around 1400. You could also start low (1300) and work your way up until you start seeing fragmentation and then go back some.

     

    This is only a fix if you have your AP in tunneled mode back to the wireless controller with an IPSEC tunnel in between. The tunneled CAPWAP packets need to fit in the IPSEC tunnel MTU to avoid fragmentation. The Fortigate wireless controllers cannot handle fragmented CAPWAP packets.
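The capture check described in the post above, as an added example (not code from the thread or from Fortinet): it groups IPv4 fragments sent from an AP's address and reports those whose first fragment is CAPWAP (UDP 5246/5247). The AP address, packet sizes and helper names are constructed for illustration, and packets are assumed to be raw IPv4 with the link-layer header already removed.

```python
import socket
import struct
from collections import defaultdict

CAPWAP_PORTS = {5246, 5247}   # CAPWAP control / data UDP ports (RFC 5415)
AP_IP = "10.0.0.50"           # constructed AP address (assumption)

def make_pkt(src, ident, payload_len, mf=False, off=0, dport=5247):
    """Build a constructed IPv4/UDP packet; only fragment 0 carries a UDP header."""
    flags_frag = (0x2000 if mf else 0) | (off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, 17, 0, socket.inet_aton(src), socket.inet_aton("192.0.2.1"))
    udp = struct.pack("!HHHH", 5247, dport, 8, 0) if off == 0 else b""
    return hdr + udp + b"\x00" * (payload_len - len(udp))

def parse_ipv4(pkt):
    """Extract the IPv4 fields needed to recognise fragments."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    off = (flags_frag & 0x1FFF) * 8          # fragment offset in bytes
    # The UDP header (and so the port) is only present in the first fragment.
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if proto == 17 and off == 0 else None
    return {"src": socket.inet_ntoa(pkt[12:16]), "id": ident, "len": total_len,
            "mf": bool(flags_frag & 0x2000), "off": off, "dport": dport}

def fragmented_capwap(packets, ap_ip):
    """Map IP ID -> reassembled size for fragmented CAPWAP datagrams sent by ap_ip."""
    groups = defaultdict(list)
    for raw in packets:
        p = parse_ipv4(raw)
        if p["src"] == ap_ip and (p["mf"] or p["off"] > 0):
            groups[p["id"]].append(p)
    report = {}
    for ident, frags in groups.items():
        first = next((f for f in frags if f["off"] == 0), None)
        if first and first["dport"] in CAPWAP_PORTS:
            last = max(frags, key=lambda f: f["off"])
            report[ident] = last["off"] + last["len"]   # offset + last fragment incl. header
    return report

SAMPLE = [  # constructed capture: one split CAPWAP datagram, one whole, one split DNS
    make_pkt(AP_IP, 0x1A2B, 1376, mf=True),
    make_pkt(AP_IP, 0x1A2B, 104, off=1376),
    make_pkt(AP_IP, 0x1A2C, 1380),
    make_pkt(AP_IP, 0x1A2D, 1376, mf=True, dport=53),
    make_pkt(AP_IP, 0x1A2D, 104, off=1376, dport=53),
]
print(fragmented_capwap(SAMPLE, AP_IP))
```

A reassembled size larger than what the IPsec tunnel carries, like the 1500-byte datagram in this sample, is the condition that lowering the tunnel MTU on the AP profile removes.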

    C_Hanley
    New Member
    July 19, 2023

    Sorry to dig up an old comment, but we are running into this exact thing

     

    2 SSIDS, 1 for guests, 1 for employees.

    Guest one works fine, (internet access only, no internal resources)

    employee SSID is intermittently not working for some users, (They can connect to the AP, but No internet access).

     

    Fortigate managing (6) FortiAP 231F.

     

    Fortigate->Fortiswitch->FortiAPs

     

    Fortigate is acting as recursive DNS server with a zone setup as a shadow and forwarding to our Internal Primary/Secondary internal DNS server over ipsec tunnel to datacenter.

     

    All was working fine, for about a year, then we upgraded firmware on fortigate/fortiswitch/fortiap

     

    Fortigate - 7.2.5

    Fortiswitch - 7.4.0

    FortiAP - 7.2.0

     

    Any additional thoughts/suggestions?

    Konrad1311
    Visitor III
    October 24, 2023

    Hello
    I also know that this is digging up an old topic, but I have the same issue and I can't find how to manage this point.
    Do you have any updates / fixes with this case?

    BR 

     

    Konrad 

    EKOutcomereferrals
    New Member
    November 2, 2023

     

    Seeing the same on 100F - with system DNS set to internal servers

     Setting 8.8.8.8 for Wi-Fi DNS would result in internet connections

    for internal DNS:

     add feature DNS Database

     added DNS server to the Wi-Fi interface forwarded to system DNS 

     set Wi-Fi DHCP - default gateway and DNS server to interface IP 

    Konrad1311
    Visitor III
    November 2, 2023

    Hello EK,
    Thank you for your answer 

     

    Unfortunately, I had DNS set for internal with settings similar to what you are suggesting but without any results.
    When I set it to 8.8.8.8 nothing changed.
    Issue still exists.

    EKOutcomereferrals
    New Member
    November 2, 2023

    then I would check the Wi-Fi - Wan policy 

    I had an IP mismatch once due to making interface setting updates

    & check the logs for such traffic

    C_Hanley
    New Member
    November 2, 2023

    In our case, when we experienced this intermittent issue, (which we think was after some firmware updates), we ended up reloading the FortiAP profile for each of the AP's, that did the trick.  Switched it to the default one, saved, then went back in and changed it back to our company's AP profile.

    Konrad1311
    Visitor III
    November 3, 2023

    Hello 
    Thank you for your answers 
    I will try to do something with the profile - but in my case the trouble is a little bit different.
    You can access the internet from your computer, but when you connect your phone there is no way to do it.
    You can't even ping your default gateway, which is in the same subnet.
    You will get the message "no route to host"

    I created ticket in support, but I saw that this issue is common so I decided to ask community also