This article describes how to handle an issue that occurs when a FortiAP managed by FortiGate randomly goes offline and stays in its offline state until it is manually rebooted. At the time of the issue, FortiAP may not be reachable (with ping) from the FortiGate. Sometimes, the FortiAP loses its IP address.

FortiAP, FortiAP-U version 6.x and above.

Note:

SSH access can be gained to the FortiAP from the FortiGate if the FortiAP is reachable. If not, use console access.

Collect the following logs and open a support ticket.

1. From the FortiGate, obtain the FortiGate config and serial number of the FortiAP showing as offline:

show system ha
show wireless-controller inter-controller

diag wireless-controller wlac -c wtp

diagnose wireless-controller wlac -c wtp <AP-serial>

2. Run the following debug on the FortiGate in global mode. The syntax is as follows:
   

diag wireless-controller wlac wtp_filter <AP serial#> 0-<ap ip address>:5246 4

For example:

diag wireless-controller wlac wtp_filter FP112B3X13000193 0-192.168.6.8:5246 4

Additionally, run:

diagnose debug console timestamp enable

diagnose debug application cw_acd 0x7fff  

diag debug enable

After 5 minutes, stop the debug:

diag debug dis

diag debug reset

diagnose debug application cw_acd 0

3. On FortiAP, run 'don' and 'ton':

don

ton

Note:

When don or ton are executed, the logs will start populating continuously, making it impossible to see typed commands. Be sure to type the command and press enter.

To stop the output:

• Type 'doff' and press enter.
• Type 'toff' and press enter.

4. Run the following:

cw_diag -c ha
cw_diag -c acs

presult

perf

kp 128000

iwconfig

ifconfig

dmesg

fap-tech

top <---- Keep this command running for about 30 seconds, then press Ctrl+C to terminate.

5. Provide the cat /var/log/messages output from the AP (this step is only applicable for FortiAP-U). The syntax is as follows:
   

tftp -p -l /var/log/messages -r <File Name> <tftp server ip>

For example:

tftp -p -l /var/log/messages -r example123 172.30.145.39

example123 100% |*******************************| 4634k 0:00:00 ETA

Note: If access is lost to FortiAP, the above log can be collected by following the steps below:

1. Gain console access to the AP.
2. Check the static IP of cfg -s. It should be 192.168.1.2
3. Assign the laptop a static IP in the same subnet as the AP IP. For example, 192.168.1.5/24.
4. Connect the laptop to the Lan2 Ethernet port of the AP.
5. Check whether a connection could be established laptop.
6. Ensure the TFTP server (such as 3CDaemon) is installed on the laptop and can reach the AP.

For example, the default IP of the AP is 192.168.1.2 and the laptop has been assigned a static IP of 192.168.1.5.

Additionally, collect the following logs on both FortiAP and the FortiGate simultaneously:

1. On FortiAP:
   

diag_sniffer any "port 5246 or port 5247" 6 0 a     

Press Ctrl+c to stop the operation at any time.

2. Collect the AP uplink port mirror packet capture.
3. From the FortiGate CLI, run the following:

diag sniffer packet any "port 5246 or port 5247" 6 0 a

Press Ctrl+C to stop the operation at any time. Let the above run for 3-5 minutes and stop the log afterward.