Paul_Dean
Visitor III
February 6, 2014
Question

FortiAP CAPWAP DTLS no connection

I'm configuring a demo for a client of a FortiAP-14C connecting to a FortiGate 60C across the internet from a remote worker's home to their office. They would like to roll out this solution to all their remote workers. The FortiGate 60C is running 5.0.5 build0252 and the FortiAP-14C has version 5.0 build060. I can't get DTLS working between the two devices. I've set the wtp-profile on the FG to dtls-enabled and configured the AP to use DTLS. The access point connection status shows it as connecting and never changes. If I set both ends to clear text the connection is established after a few seconds and works just fine. Have any of you come across this problem before? Have I missed something important?

    8 replies

    romanr
    New Member
    February 6, 2014
    After configuring dtls-enabled on the AP and also setting dtls-tls on the FortiGate (this must be done via the CLI!!!), you have to reboot the AP and then it normally works!
    Paul_Dean (Author)
    Visitor III
    February 6, 2014
    Thanks romanr! I enabled DTLS via the CLI and tried a reboot of the AP. I could not see a restart icon in the FAP GUI so had to power it off then on. I will have another look today. Do you know if you can enable split tunneling with these FAPs the same way you can with the SSLVPN client? The customer would like internet traffic to use the local link and not traverse the tunnel.
    romanr
    New Member
    February 6, 2014
    "Do you know if you can enable split tunneling with these FAPs the same way you can with the SSLVPN client? The customer would like internet traffic to use the local link and not traverse the tunnel."

    No, this is not possible ... and actually doesn't make sense from a security point of view...
    Bromont_FTNT
    Staff
    February 10, 2014
    May be a good idea to open a support ticket to look at the DTLS issue.
    AndreaSoliva
    New Member
    February 10, 2014
    Hi, DTLS is not supported in the case you are using, which means over the LAN interfaces. Support is given from: FortiOS 5.0.6, FortiAP 5.0.7. If you deactivate DTLS on the controller you will see that the connection comes up. As soon as you activate DTLS the connection will go down:

        # config wireless-controller wtp-profile
        # edit [Name of Profile]
        # set dtls-policy ["dtls-enabled" or "clear-text"]
        # end

    Tested by myself with 60D and 14C! After upgrade to the mentioned release it works fine. Fortinet Sophia confirms NO support for DTLS below the mentioned release.
    kind regards Andrea
    Bromont_FTNT
    Staff
    February 10, 2014
    The DTLS connection should take place even on lower firmware but LAN port bridging will fail.
    romanr
    New Member
    February 10, 2014
    FortiOS 5.05 and FortiAP 5.06 do also work fine with DTLS .... on the 11C and on the 14C. We got dozens of them without any real issues...
    AndreaSoliva
    New Member
    February 11, 2014
    Hi, sorry if we have a misunderstanding: DTLS is not working below the mentioned FortiOS for FGT and FAP if DTLS is used over LAN bridging, which means:

        # config wireless-controller wtp-profile
        # edit [Name of profile]
        # config lan
        # set port-mode offline
        # end

    Possible values are: offline, bridge-to-wan, bridge-to-ssid. This means:

        # config wireless-controller wtp-profile
        # edit [Name of profile]
        # config lan
        # set port-mode bridge-to-ssid
        # set port-ssid [Name of SSID]
        # end
        # set dtls-policy [dtls-enabled | clear-text]
        # end

    This means finally: as soon as you activate the LAN port on a 14C and/or 28C, configure bridge-to-ssid and activate DTLS, you have to use FortiOS 5.0.6 and FortiAP 5.0.7. Otherwise it does not work because it is not supported! Sorry for not being clear enough in my first message. Have fun, Andrea
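    Added here as an example to go with the two CLI snippets above (not code from this thread or from Fortinet): a small Python audit that parses a wtp-profile block in the same syntax, flags profiles that still run CAPWAP in clear text, and flags DTLS combined with LAN bridging on firmware below the releases Andrea cites. The sample config, its profile names and the version tuples passed in are constructed assumptions.

```python
# Constructed sample config in the syntax of the thread's CLI snippets (names are made up).
SAMPLE_CONFIG = """\
config wireless-controller wtp-profile
    edit "remote-cleartext"
        set dtls-policy clear-text
        config lan
            set port-mode bridge-to-ssid
        end
    next
    edit "remote-dtls-bridged"
        set dtls-policy dtls-enabled
        config lan
            set port-mode bridge-to-ssid
        end
    next
    edit "remote-dtls-offline"
        set dtls-policy dtls-enabled
        config lan
            set port-mode offline
        end
    next
end
"""
MIN_FORTIOS, MIN_FORTIAP = (5, 0, 6), (5, 0, 7)  # releases the thread cites for DTLS + LAN bridging
BRIDGED = {"bridge-to-wan", "bridge-to-ssid"}

def parse_wtp_profiles(text):
    """Map each wtp-profile name to its dtls-policy and LAN port-mode (None if unset)."""
    profiles, name = {}, None
    for parts in (line.split() for line in text.splitlines()):
        if not parts:
            continue
        if parts[0] == "edit":                       # start of a profile entry
            name = " ".join(parts[1:]).strip('"')
            profiles[name] = {"dtls-policy": None, "port-mode": None}
        elif parts[0] == "set" and name and parts[1] in ("dtls-policy", "port-mode"):
            profiles[name][parts[1]] = parts[2].strip('"')   # port-mode lives under 'config lan'
    return profiles

def audit(profiles, fortios, fortiap):
    """Return (profile, finding) pairs: clear-text CAPWAP, or DTLS+bridging on unsupported firmware."""
    findings = []
    for name, p in profiles.items():
        if p["dtls-policy"] != "dtls-enabled":
            findings.append((name, "CAPWAP runs in clear text: set dtls-policy dtls-enabled"))
        elif p["port-mode"] in BRIDGED and (fortios < MIN_FORTIOS or fortiap < MIN_FORTIAP):
            findings.append((name, "DTLS with LAN bridging needs FortiOS 5.0.6+ and FortiAP 5.0.7+"))
    return findings
```

    Run it with the FortiGate and FortiAP versions you actually deploy; a profile that is dtls-enabled with port-mode offline passes even on the older firmware, matching what the thread reports.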
    Paul_Dean (Author)
    Visitor III
    February 18, 2014
    Thank you Andrea and everyone for your help! I was scratching my head for a while there :)
    Paul_Dean (Author)
    Visitor III
    February 19, 2014
    I had another opportunity to test this last night. Upgraded the FG to 5.0.6 and the AP to 5.0.7. Set DTLS on both. No connection. Rebooted the AP, reset and reconfigured it. No connection. Set to "clear-text" again and the connection came up. Went to bed grumpy. Had another look this morning. Deleted and recreated the config on the FG. Still no joy. Went into the "WiFi Controller->Managed Access Points->Managed FortiAPs" section to edit the FAP-14C settings. Changed the AP profile from "Automatic" to the profile I'd created. The AP then connected with a DTLS link! There was only 1 profile that was suitable for the FortiAP-14C and that was being picked up when "clear-text" was set. Not so for DTLS. Not sure why? It's working now and the client has placed their order! Thanks again for all the assistance.