This article describes how to handle an issue that occurs when a FortiAP managed by FortiGate randomly goes offline and stays in its offline state until it is manually rebooted. At the time of the issue, FortiAP may not be reachable (with ping) from the FortiGate. Sometimes, the FortiAP loses its IP address.
This article describes the logs to gather to troubleshoot the issue.
NOTE: SSH access can be gained to the FortiAP from the FortiGate if the FortiAP is reachable. If not, use console access.
Collect the following logs and open a support ticket.
1) From the FortiGate, obtain the FortiGate config and serial number of the FortiAP showing as offline:
show system ha
diag wireless-controller wlac -c wtp
diagnose wireless-controller wlac -c wtp <AP-serial>
2) Run the following debug on the FortiGate in global mode. The syntax is as follows:
diag wireless-controller wlac wtp_filter <AP serial#> 0-<ap ip address>:5246 4
For example:
diag wireless-controller wlac wtp_filter FP112B3X13000193 0-192.168.6.8:5246 4
diagnose debug console timestamp enable
diagnose debug application cw_acd 0x7fff
diag debug enable
After 5 minutes, stop the debug:
diag debug dis
diag debug reset
diagnose debug application cw_acd 0
3) On FortiAP, run 'don' and 'ton':
Note: Once don or ton is executed, log output scrolls continuously and hides the commands being typed. Type the command anyway and press Enter.
To stop the output:
- Type 'doff' and press enter
- Type 'toff' and press enter.
4) Run the following:
cw_diag -c ha
top <---- Keep this command running for about 30 seconds, then press Ctrl+C to terminate.
5) Provide the cat /var/log/messages output from the AP (this step is only applicable for FortiAP-U). The syntax is as follows:
tftp -p -l /var/log/messages -r <File Name> <tftp server ip>
For example:
tftp -p -l /var/log/messages -r example123 172.30.145.39
example123 100% |*******************************| 4634k 0:00:00 ETA
Note: If access is lost to FortiAP, the above log can be collected by following the steps below:
1) Gain console access to the AP.
2) a) Check the static IP with cfg -s. It should be 192.168.1.2.
c) Connect the laptop to the Lan2 Ethernet port of the AP.
d) Check whether a connection can be established between the laptop and the AP.
e) Ensure the tftp server (such as 3CDaemon) is installed on the laptop and can reach the AP.
For example, the default IP of the AP is 192.168.1.2 and the laptop has been assigned a static IP of 192.168.1.5.
Additionally, collect the following logs on both FortiAP and the FortiGate simultaneously:
1) On FortiAP:
diag sniffer any "port 5246 or port 5247" 6 0 a
Press Ctrl+C to stop the operation at any time.
2) Collect the AP uplink port mirror packet capture.
3) From the FortiGate CLI, run the following:
diag sniffer packet any "port 5246 or port 5247" 6 0 a
Press Ctrl+C to stop the operation at any time.
Let the above captures run for 3-5 minutes, then stop them.
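Before attaching the captures to the ticket, it can help to note when the AP actually went quiet. The following is an added example, not part of the original article or any Fortinet tool: it scans saved sniffer text for packets on ports 5246/5247 (CAPWAP control and data) and reports periods where the AP sent nothing. The header-line layout it matches, the 30-second threshold, the controller address 192.168.6.1 and the sample lines are all assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed header-line layout of saved "6 0 a" sniffer text (hex dump lines are ignored):
#   2024-01-01 10:00:00.100000 port1 in 192.168.6.8.5246 -> 192.168.6.1.5246: udp 85
HEADER = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{1,6}) \S+ (?:in|out) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)
PORTS = {5246, 5247}

def parse(text):
    """Return [(timestamp, src_ip, src_port, dst_ip, dst_port)] for each packet header line."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            packets.append((ts, m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return packets

def silent_gaps(text, ap_ip, threshold_s=30.0):
    """Return [(last_seen, next_seen, seconds)] where the AP sent nothing on 5246/5247.

    threshold_s is an arbitrary example value, not a Fortinet timer.
    """
    seen = sorted(ts for ts, src, sport, _dst, dport in parse(text)
                  if src == ap_ip and (sport in PORTS or dport in PORTS))
    gaps = []
    for prev, cur in zip(seen, seen[1:]):
        delta = (cur - prev).total_seconds()
        if delta >= threshold_s:
            gaps.append((prev, cur, delta))
    return gaps

# Constructed sample capture: the AP (192.168.6.8) goes quiet for 90 s while
# the controller (constructed address 192.168.6.1) keeps sending.
SAMPLE = """\
2024-01-01 10:00:00.100000 port1 in 192.168.6.8.5246 -> 192.168.6.1.5246: udp 85
0x0000   0009 0f09 0001 0009 0f09 0002 0800 4500
2024-01-01 10:00:10.100000 port1 in 192.168.6.8.5247 -> 192.168.6.1.5247: udp 120
2024-01-01 10:00:40.100000 port1 out 192.168.6.1.5246 -> 192.168.6.8.5246: udp 60
2024-01-01 10:01:40.100000 port1 in 192.168.6.8.5246 -> 192.168.6.1.5246: udp 85
2024-01-01 10:01:50.100000 port1 in 192.168.6.8.5246 -> 192.168.6.1.5246: udp 85
"""

if __name__ == "__main__":
    for start, end, secs in silent_gaps(SAMPLE, "192.168.6.8"):
        print(f"AP silent for {secs:.0f}s: {start} -> {end}")
```

Running the same function over the FortiGate-side and AP-side captures and comparing the gap times shows whether the AP stopped sending or the packets were lost on the path.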