Description
This article describes how to handle an issue that occurs when a FortiAP managed by FortiGate randomly goes offline and stays in its offline state until it is manually rebooted. At the time of the issue, FortiAP may not be reachable (with ping) from the FortiGate. Sometimes, the FortiAP loses its IP address.
This article describes the logs to gather to troubleshoot the issue.
Scope
FortiAP, FortiAP-U version 6.x and above.
NOTE: SSH access can be gained to the FortiAP from the FortiGate if the FortiAP is reachable. If not, use console access.
Solution
Collect the following logs and open a support ticket.
1) From the FortiGate, obtain the FortiGate config and serial number of the FortiAP showing as offline:
show system ha
diag wireless-controller wlac -c wtp
diagnose wireless-controller wlac -c wtp <AP-serial>
2) Run the following debug on the FortiGate in global mode. The syntax is as follows:
diag wireless-controller wlac wtp_filter <AP serial#> 0-<ap ip address>:5246 4
For example:
diag wireless-controller wlac wtp_filter FP112B3X13000193 0-192.168.6.8:5246 4
Additionally, run:
diagnose debug console timestamp enable
diagnose debug application cw_acd 0x7fff
diag debug enable
After 5 minutes, stop the debug:
diag debug dis
diag debug reset
diagnose debug application cw_acd 0
3) On FortiAP, run 'don' and 'ton':
don
ton
Note: When don or ton is executed, the logs will start populating continuously, making it impossible to see typed commands. Be sure to type the command and press enter.
To stop the output:
- Type 'doff' and press enter.
- Type 'toff' and press enter.
4) Run the following:
cw_diag -c ha
presult
perf
kp 128000
iwconfig
ifconfig
dmesg
fap-tech
top <---- Keep this command running for about 30 seconds, then press Ctrl+C to terminate.
5) Provide the cat /var/log/messages output from the AP (this step is only applicable for FortiAP-U). The syntax is as follows:
tftp -p -l /var/log/messages -r <File Name> <tftp server ip>
For example:
tftp -p -l /var/log/messages -r example123 172.30.145.39
example123 100% |*******************************| 4634k 0:00:00 ETA
Note: If access to the FortiAP is lost, the above log can be collected by following the steps below:
1) Gain console access to the AP.
2) a) Check the static IP with cfg -s. It should be 192.168.1.2.
c) Connect the laptop to the Lan2 Ethernet port of the AP.
d) Check whether a connection can be established from the laptop.
e) Ensure the TFTP server (such as 3CDaemon) is installed on the laptop and can reach the AP.
For example, the default IP of the AP is 192.168.1.2 and the laptop has been assigned a static IP of 192.168.1.5.
Additionally, collect the following logs on both FortiAP and the FortiGate simultaneously:
1) On FortiAP:
diag sniffer any "port 5246 or port 5247" 6 0 a
Press Ctrl+C to stop the operation at any time.
2) Collect the AP uplink port mirror packet capture.
3) From the FortiGate CLI, run the following:
diag sniffer packet any "port 5246 or port 5247" 6 0 a
Press Ctrl+C to stop the operation at any time.
Let the above run for 3-5 minutes and stop the log afterwards.
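Before attaching the FortiGate-side sniffer output to the ticket, it helps to know when the AP's CAPWAP traffic on ports 5246/5247 actually stopped, so the capture can be lined up with the cw_acd debug timestamps. The following Python script is an added example, not part of the original article or any Fortinet tool; the header-line format it parses, the sample capture, the controller address 192.168.6.1 and the 60-second threshold are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumed header-line shape of the FortiGate sniffer output (verbosity 6, absolute time):
#   <date> <time> <iface> <in|out> <src ip>.<sport> -> <dst ip>.<dport>: udp <len>
HEADER = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\S+) (in|out) "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+): udp (\d+)"
)
CAPWAP_PORTS = {5246, 5247}  # control and data ports used in the sniffer filter

# Constructed sample capture (not real output); the second line stands in for a hex dump.
SAMPLE = """\
2024-01-01 10:00:00.000100 port2 in 192.168.6.8.5246 -> 192.168.6.1.5246: udp 84
0x0000   0000 0000 0001 0009 0f09 0001 0800 4500
2024-01-01 10:00:00.002300 port2 out 192.168.6.1.5246 -> 192.168.6.8.5246: udp 84
2024-01-01 10:00:30.000200 port2 in 192.168.6.8.5247 -> 192.168.6.1.5247: udp 120
2024-01-01 10:01:00.000000 port2 out 192.168.6.1.5246 -> 192.168.6.8.5246: udp 84
2024-01-01 10:03:10.500000 port2 in 192.168.6.8.5246 -> 192.168.6.1.5246: udp 300
"""

def capwap_packets(text):
    """Yield (timestamp, source IP) for each CAPWAP header line; other lines are skipped."""
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m and CAPWAP_PORTS & {int(m.group(5)), int(m.group(7))}:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(4)

def silences(text, ap_ip, max_gap=60.0):
    """Return (last-seen time per sender, gaps in AP traffic longer than max_gap seconds)."""
    last, gaps = {}, []
    for ts, src in sorted(capwap_packets(text)):
        if src == ap_ip and src in last and (ts - last[src]).total_seconds() > max_gap:
            gaps.append((last[src], ts))  # AP was silent between these two packets
        last[src] = ts
    return last, gaps

if __name__ == "__main__":
    last_seen, quiet = silences(SAMPLE, "192.168.6.8")
    for ip, ts in last_seen.items():
        print(f"last CAPWAP packet from {ip}: {ts}")
    for start, end in quiet:
        print(f"AP silent from {start} to {end}")
```

A gap in packets sourced from the AP while the controller keeps transmitting marks the window to compare against the AP-side capture and the port mirror taken at the same time.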