sanderl
New Member
March 30, 2023
Question

No reliable connection with hardware lan switch and bridged ssid

  • March 30, 2023
  • 15 replies
  • 16127 views

Ok hold on, this is going to be hard to believe and to describe. I have troubleshot a lot and cannot find out where the problem lies. Suddenly I had these vague problems, of sites not loading, DNS not resolving, etc. Maybe related to upgrading to 7.0.10 or 7.0.11. Maybe not.

 

What does not work (but had always worked like this - for years):

  • I have an (existing) hardware switch "lan" with an SSID bridged to it (no VLANs).
  • The IP address is on the lan switch and the SSID is bridged.
  • Created a new test policy, top placed any/any allow, no filtering, NAT to internet.
  • When I connect a mobile to this SSID and start roblox (don't ask - this is a prio 1 for days now) it does not load any game.

 

What does work:

  • I have created a (new) test VLAN (99) with an IP address on it, and a test SSID bridged to that VLAN (99), connected to the lan switch as my FortiAPs reside there.
  • Created a new test policy, under the top placed any/any allow, no filtering, NAT to internet.
  • When I connect a mobile to this SSID and start roblox it does load games.

EDIT: Roblox is "the" way of proving/testing the above. As described, a lot more is not working smoothly, but a refresh of the page will do. Roblox seems to be a lot more "picky" about connection stability.

 

Both "networks" are giving out the same DNS servers.

I have 6 VLANs connected via the lan hardware switch which all work(ed) well for years. Of which 3 have an IP address on the VLAN interface and 3 are connected in a software switch with a port.

--> this can also be a separate topic, because since this week I discovered the FortiGate does not allow me to select a VLAN anymore as a member of a software switch (!), but this used to work and still works. Nothing to find in any release notes...

 

I cannot find any mention of any change in behavior. Also I have no active subscription on this device (81E) and thus cannot call support.

 

Is there anything I can do to (more) narrow down this issue?

15 replies

sanderl
sanderlAuthor
New Member
March 31, 2023

Some extra information added: 2 files of traces.

 

Trace Logging (failing):

https://dpaste.org/a8SOU

phone (192.168.1.175) connected to lan hardware switch failing to start Roblox (DNS servers are on same subnet as phone).

Trace Logging (successful):

https://dpaste.org/kcoba

phone (192.168.99.2) connected to vlan99 succeeding to start Roblox. (DNS servers on lan, thus extra DNS traffic appended).

I really hope for any help :-).

gfleming
Staff
Staff
March 31, 2023

Can you try disabling NPU offloading for the non-working policy/policies?

https://docs.fortinet.com/document/fortigate/7.2.4/cli-reference/328620/config-firewall-policy

 

set auto-asic-offload disable
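An added example (not part of gfleming's reply or of the Fortinet documentation) that puts the offload change in context and adds the checks a practitioner would run next: the policy id 42 and the client address 192.168.1.175 are taken from later in this thread; the interface name "lan" is the hardware switch under discussion; every command is a standard FortiOS CLI command.

```fortios
# Added example: disable NPU offload on the one policy under test and then
# verify the effect from the FortiGate itself.
# Assumed values: policy id 42 and client 192.168.1.175 (both named later in
# this thread); interface "lan" is the hardware switch being debugged.

# 1. Turn off hardware (NPU) offload for the policy, so every packet of the
#    sessions that match it is handled by the kernel forwarding path.
config firewall policy
    edit 42
        set auto-asic-offload disable
    next
end

# 2. Inspect the live sessions of the test client. With offload disabled the
#    session entries should no longer report an NPU offload state.
diagnose sys session filter clear
diagnose sys session filter src 192.168.1.175
diagnose sys session list

# 3. Capture on the affected hardware switch for that client only
#    (verbosity 4 prints interface names, count 0 runs until Ctrl-C,
#    "l" gives local timestamps).
diagnose sniffer packet lan 'host 192.168.1.175' 4 0 l

# 4. Trace the forwarding decision for the same client: which policy and
#    which egress interface each new session is matched to.
diagnose debug flow filter addr 192.168.1.175
diagnose debug flow trace start 100
diagnose debug enable
#    ... reproduce the failure on the phone, then stop tracing:
diagnose debug flow trace stop
diagnose debug disable
```

Run steps 3 and 4 once from the failing client on "lan" and once from the client on the working test VLAN (same commands, the working client's address and interface substituted) and compare the two: a difference in the matched policy, the egress interface, or retransmitted packets on only one side narrows the problem down far better than the application-level symptom alone.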

sanderl
sanderlAuthor
New Member
March 31, 2023

Hi Graham, thank you for taking the time to look into my issue. I will look into your suggestion.

 

I do have a question about that. Why do you think it is the "policy"? Because I have created a new "simple" policy which has the same behavior as the existing policy.

 

To be clear:

on the lan hardware switch an any/any allow to internet is enabled, which does not allow Roblox to work.

on the VLAN the same policy is in place, which does allow Roblox to work.

EDIT: Tried your suggestion on the "faulty" policy 42. No change in behavior.

I do run 7.0.11; the documentation goes to 7.2.4 and when selecting 7.0.11 it changes to local in policy...?
 

policy.png

sanderl
sanderlAuthor
New Member
March 31, 2023

Additional information.

 

I created a new (empty) hardware switch (hsw10) with port 10.

Connected a FortiAP to port 10.

Bridged an SSID to it.

Added a new subnet on hsw10.

Added policy to internet.

Roblox works...

 

I have checked all settings of the network, compared all cli config.

There is really nothing to be seen that might play in here.

 

Any more help greatly appreciated. 

sanderl
sanderlAuthor
New Member
April 3, 2023

Sorry to chime in again. I could really use some help, as most of my users are on lan (hardware switch) and all experience this unreliable traffic... wired / wireless (bridged). Please advise.

gfleming
Staff
Staff
April 4, 2023

If this is urgent I would suggest getting in touch with TAC.

 

Can you provide a screen shot of the interface configurations?

 

Can you also do a packet capture between a working connection and a non-working connection and upload those for analysis?

 

sanderl
sanderlAuthor
New Member
April 4, 2023

Hi Graham, thanks for helping out. I have no active subscription on this device so I would not be able to contact support right?

 

Attached screenshot: lan+hws.png

Some remarks about the screenshot:

using the same DNS server makes no difference (now used Google); tried some with LLDP on/off; currently port 10 is not connected to the AP anymore

 

Packet capture is given here:

Trace Logging (failing):

https://dpaste.org/a8SOU

phone (192.168.1.175) connected to lan hardware switch failing to start Roblox (DNS servers are on same subnet as phone).

Trace Logging (successful):

https://dpaste.org/kcoba

phone (192.168.99.2) connected to vlan99 succeeding to start Roblox. (DNS servers on lan, thus extra DNS traffic appended).

 

Or did you mean else?

gfleming
Staff
Staff
April 4, 2023

Yes I meant an actual packet capture like from Wireshark from the client itself.

 

Can you also show your SSID and bridge configurations?

sanderl
sanderlAuthor
New Member
April 4, 2023

When I have some more time I will capture.

 

Both SSIDs are on the same AP... of which the left is bridged directly on the lan switch (with an IP address and DHCP scope). The test99 is bridged into 99.

 

I had this running for around 3 years or so, on many FortiOS versions and just recently these vague problems started.

 

In the meantime, as I discovered a "newly" created hardware switch with an SSID bridged to that (with a new VLAN) does work, I am now in the phase of migrating everything to a new hardware switch and VLANs.

 

It is a hassle due to the "refs" connected to everything and CLI is a too big risk to change...

 

so I would really hope to find out why this suddenly started and is so clearly related to my "old" hardware switch. --> it is not only wifi traffic having problems, also fixed (wired) devices connected directly to this hardware switch have vague connection problems.

 

Luckily Roblox is the most "picky" one with which I can easily prove something is wrong when connected to lan. And again, all is right on test99...

 

 

 

Attached both SSID configs: ssid.png

gfleming
Staff
Staff
April 12, 2023

What model FortiGate is this?

 

Have you confirmed you are not hitting any capacity limits? What does your CPU, session count, mem usage look like?

sanderl
sanderlAuthor
New Member
April 12, 2023

It's an 81E (still is). No problem with new HW switch and other SSID. It's used in a small home setup.

 

So no... no limit hit I hope and cannot see.

 

Can you please re-read the thread 😀

 

Mostly ~400-600 sessions

gfleming
Staff
Staff
April 12, 2023

So your problems have all been solved since moving to the new HW switch?

sanderl
sanderlAuthor
New Member
April 13, 2023

Since this issue appeared right around updating to 7.0.10 or 7.0.11... could this perhaps possibly be a bug? Have you looked at the packet captures?

gfleming
Staff
Staff
April 13, 2023

IMO you either have to move everything over to the new HW switch and/or downgrade to 7.0.10 and see what happens. Might make most sense to try downgrade to 7.0.10. It still doesn't really make sense to me how that would have this effect on things but you never know!

 

And yes I looked at the packet captures please re-read the thread.......

sanderl
sanderlAuthor
New Member
April 13, 2023

You are right. It is hard to follow in the forum type with all the "rabbit hole threads".

 

I do not dare to downgrade as I read in the release notes not all will work then...

sanderl
sanderlAuthor
New Member
April 17, 2023

fortiproblem.jpg

Sorry, I am not sure what config you are now asking for... In my opinion it does not really matter. It's just the existing hardware switch (lan) that introduced the problems after upgrading to 7.0.11. But please let me know.

 

BTW: This was not exactly the setup at the start of the topic, but the bridging of the main SSID to the lan switch has not changed (and does still not work correctly in 7.0.11 while it does in 7.0.10 (directly)).

gfleming
Staff
Staff
April 17, 2023

I'm just asking for the software switch configuration that you were talking about that worked on FOS 7.0.10 and not on 7.0.11.

 

Also just curious why do you have two hardware switches? Why not just have all VLANs under one switch and connect your switch uplink(s) to it?

 

Also just so you know the config you have in place will result in all L2 traffic transmitting through the FGT—it might cause some resource contention. You might be better off doing a STP ring topology with one of the uplinks blocked. That's for another day, though....

 

Does the FAP work in the managed switch with all SSID and bridging scenarios? Is it only a problem on the unmanaged switch?

 

When you say you are testing the SSID by bridging directly to the hw switch, how are you accomplishing that?

 

sanderl
sanderlAuthor
New Member
April 17, 2023

Here you go sir:

<I'm just asking for the software switch configuration that you were talking about that worked on FOS 7.0.10 and not on 7.0.11.>

This is a snap of the config where tunneled SSIDs were connected to a software switch together with a port.

 

 

config system switch-interface
    edit "IP CAM Segment"
        set vdom "root"
        set member "IPSecMon" "IPSecMon2" "port3"
    next
    edit "IOTSOL"
        set vdom "root"
        set member "IOTSOLar" "VLAN20-IOTSOL"
    next
    edit "Isolated-LN"
        set vdom "root"
        set member "Isolated-Labour" "VLAN27-IsoLN"
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set mode dhcp
        set allowaccess ping
        set type physical
        set alias "Internet"
        set monitor-bandwidth enable
        set role wan
        set snmp-index 1
        set dns-server-override disable
    next
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm
        set type physical
        set role wan
        set snmp-index 2
    next
    edit "dmz"
        set vdom "root"
        set type physical
        set role lan
        set snmp-index 3
    next
    edit "ha"
        set vdom "root"
        set type physical
        set snmp-index 4
    next
    edit "port1"
        set vdom "root"
        set type physical
        set snmp-index 41
    next
    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 32
    next
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 17
    next
    edit "port4"
        set vdom "root"
        set type physical
        set snmp-index 42
    next
    edit "port5"
        set vdom "root"
        set type physical
        set snmp-index 43
    next
    edit "port6"
        set vdom "root"
        set type physical
        set snmp-index 18
    next
    edit "port7"
        set vdom "root"
        set type physical
        set snmp-index 36
    next
    edit "port8"
        set vdom "root"
        set type physical
        set snmp-index 12
    next
    edit "port9"
        set vdom "root"
        set type physical
        set snmp-index 11
    next
    edit "port10"
        set vdom "root"
        set type physical
        set snmp-index 10
    next
    edit "port11"
        set vdom "root"
        set type physical
        set snmp-index 31
    next
    edit "port12"
        set vdom "root"
        set type physical
        set snmp-index 33
    next
    edit "modem"
        set vdom "root"
        set mode pppoe
        set status down
        set type physical
        set snmp-index 5
    next
    edit "naf.root"
        set vdom "root"
        set type tunnel
        set src-check disable
        set snmp-index 30
    next
    edit "l2t.root"
        set vdom "root"
        set type tunnel
        set snmp-index 44
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 6
    next
    edit "IP CAM Segment"
        set vdom "root"
        set ip 192.168.3.254 255.255.255.0
        set allowaccess ping
        set type switch
        set device-identification enable
        set role lan
        set snmp-index 8
    next
    edit "IOTSOL"
        set vdom "root"
        set ip 192.168.4.254 255.255.255.0
        set allowaccess ping
        set type switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 21
    next
    edit "Isolated-LN"
        set vdom "root"
        set ip 192.168.27.1 255.255.255.0
        set allowaccess ping https http
        set type switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 15
    next
    edit "lan"
        set vdom "root"
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https ssh http fgfm fabric ftm
        set type hard-switch
        set stp enable
        set device-identification enable
        set role lan
        set snmp-index 7
        set auto-auth-extension-device enable
    next
    edit "2.4G"
        set vdom "root"
        set type vap-switch
        set alias "b"
        set role lan
        set snmp-index 16
    next
    edit "5G"
        set vdom "root"
        set type vap-switch
        set alias "b"
        set role lan
        set snmp-index 19
    next
    edit "IOTSOLar"
        set vdom "root"
        set type vap-switch
        set role lan
        set snmp-index 20
    next
    edit "LoopbackSSLVPN"
        set vdom "root"
        set ip 192.168.40.254 255.255.255.0
        set allowaccess ping
        set type loopback
        set role lan
        set snmp-index 35
    next
    edit "Isolated-Labour"
        set vdom "root"
        set type vap-switch
        set role lan
        set snmp-index 39
    next
    edit "VLAN27-IsoLN"
        set vdom "root"
        set role lan
        set snmp-index 40
        set interface "lan"
        set vlanid 27
    next
    edit "VLAN20-IOTSOL"
        set vdom "root"
        set role lan
        set snmp-index 13
        set interface "lan"
        set vlanid 20
    next
end

 

 

<Also just curious why do you have two hardware switches? Why not just have all VLANs under one switch and connect your switch uplink(s) to it?>

Because I am now in the process of getting rid of the above. And as described many times before :) I have created a new hardware switch to which I have moved the software switch IP interfaces. The "leftovers" are still connected to the old hardware switch and yes they need to move to the new HW switch. But this needs proper timing and then I need to move all APs and other wired connections from "lan" to "HW-Switch".

 

<Also just so you know the config you have in place will result in all L2 traffic transmitting through the FGT—it might cause some resource contention. You might be better off doing a STP ring topology with one of the uplinks blocked. That's for another day, though....>

I know, first things first.

 

<Does the FAP work in the managed switch with all SSID and bridging scenarios? Is it only a problem on the unmanaged switch?>

FAPs worked for 5 years via unmanaged switch, with the "main SSID" bridged to VLAN 0 (the hardware "lan" switch). Up until v7.0.11, where it broke.

Another FAP connected to the managed switch also works well, but obviously via another management vlan and via trunks etc. --> not the issue now.

 

<When you say you are testing the SSID by bridging directly to the hw switch, how are you accomplishing that?>

So:

ssid.png

 

Don't ask too complex questions... the problem is very simple and it only is there in 7.0.11. In 7.0.10 it was gone directly. Nothing fancy here...

 

BTW, this forum software is dragon.

 

gfleming
Staff
Staff
April 17, 2023

Can you show the configs for the VAPs too?

 

I'm asking complex questions because, to be honest, it's not clear when you describe things. For example, you refer to things like 'the hardware "lan" switch'. Are you talking about the Netgear physical switch or the hardware switch on the FortiGate named "lan"? If it's the FortiGate lan hardware switch then "bridging the AP directly to the hw switch" IMO makes more sense to just say you are bridging to VLAN 1 (NOT 0!!) or in other words, the native VLAN.

 

And please confirm prior to this you were running on 7.0.10 for a long time and things were working? Or did you come from an even earlier OS release?

sanderl
sanderlAuthor
New Member
April 17, 2023

So long: in all versions above it worked. It only stopped in 7.0.11, and when reverting to 7.0.10 it works.

 

Again, I am talking here about plain simple bridging SSID (vlan 0!) default to the hardware switch (lan).

This firewall only goes back to 6.4.5. But the config was inherited from another FortiGate (60E) and goes back working up to even 5.4 I believe, so... 6.0, 6.2, 6.4 then 7.0

vers.png

I understand it's not too clear. It's not easy to describe this.

I only talk about the FortiGate when I talk about the lan switch. My lan switch is called "lan" and it's a hardware switch.

 

See the screenshot. By default there is no VLAN (0) when you create a bridge VLAN. It just puts the traffic untagged on the wire. In the new situation indeed I have VLAN 1 in my managed Netgear, as a native VLAN, and there the AP is in the native VLAN 1 to be managed. There I am going to create VLAN 10 as my new "lan" segment (what is now the lan switch - on the FortiGate)

 

BTW, I really appreciate you taking the time to help me. I hope all is now clear.

 

Please see the screenshot for the SSIDs... there you see vlan0 for the main SSID (bridged to the lan-switch, on the FortiGate). This worked for years, but stopped (not totally but partially! read the Roblox and other problems) in 7.0.11

 

The VAPs:

 

 

config wireless-controller vap
    edit "2.4G"
        set ssid "24G"
        set passphrase ENC nononsM1bSAVaNJKNfHw52IYfM1pJh4/u1oNRTiXQXVIJIxUq9KEPpt1clrIHhNKhnh7ZLuYBeYLm4tFfE+6etO/aojWnc4X6RwZoCLyNkWfpjw2CJ3LUOMVeLxOHQYj99u33yLy+5FgyBLfy7sVvrpOU/1DmugyxImEnUMbpMHuut7d7bo2QF2dBUx+9ovrlYEKw==
        set local-bridging enable
        set local-authentication enable
        set schedule "always"
        set alias "b"
    next
    edit "5G"
        set ssid "5G"
        set passphrase ENC nonoiscg43VFwt8JctrS9BJHccbXPb9JD38HsREFWK5cT+tzE9gxxT1j8FDB/AKltqZu3UAwExg9uR6F610wj2jEf8COryS1Iot7J58zquZtPRMEikA3dlymyMB9BDgxb2Q4j8AlXda4pHfvYOrID5YIdaC254aY+46wStayHAspaiDuJPOmxjTVpaYfOnFE9eA==
        set local-bridging enable
        set local-authentication enable
        set schedule "always"
        set alias "b"
    next
    edit "IOTSOLar"
        set ssid "IOTSOL"
        set passphrase ENC nononENOL4cTNikBamuySHDyGyfc55v0JNRyl92uD1NrsLP5hywsnthcIjqwd0hma8biipIE+jtMpf3EwkH/RwfLldFzFSuN7ZSqjv87yEpaN2CDOIOUn8fWjfH1ggv4/sGjVUerc9OesjZgVAYnEcxGko3rpjY6HOgJtwHLhE4lSSbjDD1dbKM/9rJIvN80N+FXg==
        set schedule "always"
        set quarantine disable
    next
    edit "IPSecMon"
        set ssid "IPSecMon"
        set passphrase ENC nonoZ5BKGsomx0olfkBUtkyYI/hH0sILJJC8RuhJqAulL/3sD/d88Qif10842CsFZXP142Z3MNEsBm/QdsbfozrcmGJj/fgZvrZl84yUQ4+EUAST/kQm8m6J6PJ43gWUoZRWukce/U9Ul9lK98nrIPeId9L/XGltA3vnqanIs5KyJ1adulUm/wZvsTBn3bXphjH1Q==
        set schedule "always"
        set quarantine disable
    next
    edit "IPSecMon2"
        set ssid "IPSecMon2"
        set passphrase ENC nonoFuUQ90TvmAP2GUJRbebR8tCmMGxJYXwpIeP1m1vbfFfVcsZ71zEgGTmA+qUKOOSuYH9xkLw1PjH+dXYbBGCA84uOCByt1F8HjqQqGyUHPe4OVV7LstKpD85twmyrivlLfl0gN7M2Rl+I6gguiBKc4bR1rtG4KdTP92LVte1fJbialQYBTFyEIahSOllkQgwdHw==
        set schedule "always"
        set quarantine disable
    next
    edit "Isolated-Labour"
        set ssid "Isolated-LN"
        set passphrase ENC nonoQSKgf/QQzrxiB75TPQsHG7UyicR+lSE3kwXILUvT9ZlNRPlvff7wNoiyBa2bfdYMfgk7983SlhmFI+5IHkJ00Pj5Z2M1bkrloLA2weXZJf3zHc9kVmuoX9RWMZGp+47esd1tFIUGClj8EL/C+TUiSVW/V/aLEYr/3ErrBbpdKo1kqBi6mISB6ZwEZo9gekLcKw==
        set schedule "always"
        set quarantine disable
    next
end