FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n and 802.11ax, and meeting the demand for plug-and-play deployment.
vpatil
Staff
Article Id 333820
Description This article describes steps to minimize the 4-way handshake failure rate on G series FortiAP (23xG, 43xG).
Scope FortiAP (23xG, 43xG) v7.2 and v7.4.
Solution
  • Bug #99086: The user is unable to connect at times; no response to the 1/4 message, 4-way handshake timeout.
  • Bug #1024137: No EAPOL in OTA; FortiAP deauthenticates with 4-way handshake timeout.

 

  1. FortiAP sends an M1 message to the user, but the user does not respond with M2, so the 4-way handshake times out:

 

Line 160: date="2024-08-14" time="15:01:31" id=7402964072737545500 bid=114877032 dvid=1116 itime=1723636890 euid=85441 epid=104 dsteuid=3 dstepid=3 logver=702071577 logid="0104043575" type="event" subtype="wireless" level="notice" srcip="0.0.0.0" action="client-deauthentication" msg="Client 04:7b:cb:c7:0b:68 de-authenticated." logdesc="Wireless client deauthenticated" sn="FP231GTF23099GBG" user="N/A" group="N/A" reason="4-Way Handshake timeout" ssid="travel2public" ap="Finnair-s2111522-ap-0.6.1" vap="travel2public-t" security="WPA2 Personal" channel=64 signal=0 radioid=2 radioband="802.11ax-5G" stamac="04:7b:cb:c7:0b:68" encryption="AES" mpsk="N/A" eventtime=1723636891393156317 authserver="N/A" tz="+0300" snr=0 devid="FG3K0FTB23900169" vd="FINNAIR_INS" devname="finnair-s2109513-fw1"
Line 161: date="2024-08-14" time="15:01:31" id=7402964072737545339 bid=114877032 dvid=1116 itime=1723636890 euid=3 epid=3 dsteuid=3 dstepid=3 logver=702071577 logid="0104043651" type="event" subtype="wireless" level="warning" action="WPA-2/4-key-msg" msg="AP received 2/4 message of 4-way handshake from client 04:7b:cb:c7:0b:68" logdesc="Wireless client sent 2/4 message of 4 way handshake" sn="FP231GTF23099GBG" user="N/A" reason="Reserved 0" ssid="travel2public" ap="Finnair-s2111522-ap-0.6.1" vap="travel2public-t" security="WPA2 Personal" channel=64 radioid=2 stamac="04:7b:cb:c7:0b:68" encryption="AES" eventtime=1723636890651888590 authserver="N/A" remotewtptime="1738.981987" tz="+0300" devid="FG3K0FTB23900169" vd="FINNAIR_INS" devname="finnair-s2109513-fw1"
Line 162: date="2024-08-14" time="15:01:31" id=7402964072737545338 bid=114877032 dvid=1116 itime=1723636890 euid=3 epid=3 dsteuid=3 dstepid=3 logver=702071577 logid="0104043650" type="event" subtype="wireless" level="warning" action="WPA-1/4-key-msg" msg="AP sent 1/4 message of 4-way handshake to client 04:7b:cb:c7:0b:68" logdesc="AP sent 1/4 message of 4 way handshake to wireless client" sn="FP231GTF23099GBG" user="N/A" reason="Reserved 0" ssid="travel2public" ap="Finnair-s2111522-ap-0.6.1" vap="travel2public-t" security="WPA2 Personal" channel=64 radioid=2 stamac="04:7b:cb:c7:0b:68" encryption="AES" eventtime=1723636890651871140 authserver="N/A" remotewtptime="1738.976217" tz="+0300" devid="FG3K0FTB23900169" vd="FINNAIR_INS" devname="finnair-s2109513-fw1"

FortiGate wpad 7 logs would show: 


Line 249: 2024-08-14 14:58:19 hostapd_get_hash_psk sta's psk cannot be found in hashtable
Line 721: 2024-08-14 14:58:20 hostapd_get_hash_psk sta's psk cannot be found in hashtable
Line 1148: 2024-08-14 14:58:20 hostapd_get_hash_psk sta's psk cannot be found in hashtable

 

  1. For diagnosis, collect FortiGate station-logs, WiFi Event logs, klog on the affected FortiAP, and FortiGate wpad 7 logs.
  2. The first potential fix is added via #990868 on the new 7.4.3 build0680 GA: Resolved issues.
  3. The second potential fix is added via #1024137 on the new 7.4.4 GA release: Resolved issues 7.4.4.
  4. If the issue remains on the new v7.4.4 GA, collect the FortiAP Q6 memory dump, fap-tech, klog, and the latest FortiGate config.
  5. Try the following potential WIDS workaround on the new FortiAP 7.4.4 GA:

 

  • Create a new WIDS profile on the FortiGate:

 

config wireless-controller wids-profile
    edit "nobgscan"
        set sensor-mode both
        set ap-scan enable
        set ap-bgscan-disable-schedules "always"
    next
end

 

  • On the FortiAP profile, disable DDscan. Assign the WIDS profile 'nobgscan' to radios 1, 2, and 3 in the FortiAP profile.
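
To compare the handshake failure rate before and after a firmware upgrade or the WIDS workaround, the WiFi event logs collected for diagnosis can be tallied per FortiAP. The following is an added example, not Fortinet code: it relies only on the `action`, `reason`, `ap`, `stamac`, and `eventtime` fields visible in the log excerpt above, and the sample lines, MAC addresses, and AP names are constructed.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
M1, M2, DEAUTH = "WPA-1/4-key-msg", "WPA-2/4-key-msg", "client-deauthentication"
TIMEOUT = "4-Way Handshake timeout"

def parse(line):
    """Turn one key=value wireless event log line into a dict."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}

def handshake_report(lines):
    """Per-AP count of M1s sent and of timeouts, split by whether M2 was logged."""
    events = [e for e in map(parse, lines) if "stamac" in e and "eventtime" in e]
    events.sort(key=lambda e: int(e["eventtime"]))  # the excerpt above is newest-first
    m2_seen = {}                                    # stamac -> M2 logged since last M1?
    stats = defaultdict(lambda: {"m1": 0, "timeout_no_m2": 0, "timeout_after_m2": 0})
    for e in events:
        sta, ap, action = e["stamac"], e.get("ap", "unknown"), e.get("action")
        if action == M1:
            stats[ap]["m1"] += 1
            m2_seen[sta] = False
        elif action == M2 and sta in m2_seen:
            m2_seen[sta] = True
        elif action == DEAUTH and e.get("reason") == TIMEOUT:
            kind = "timeout_after_m2" if m2_seen.pop(sta, False) else "timeout_no_m2"
            stats[ap][kind] += 1
    return dict(stats)

def failure_rate(s):
    """Fraction of started handshakes (M1 sent) that ended in a timeout deauth."""
    return (s["timeout_no_m2"] + s["timeout_after_m2"]) / s["m1"] if s["m1"] else 0.0

def sample_event(t, ap, sta, action, reason="Reserved 0"):
    """Build a constructed log line carrying only the fields the report needs."""
    return (f'eventtime={t} type="event" subtype="wireless" action="{action}" '
            f'reason="{reason}" ap="{ap}" stamac="{sta}"')

# Constructed sample (not from the article): hypothetical clients A-D on two APs.
A, B, C, D = ("02:00:00:00:00:0%s" % x for x in "abcd")
SAMPLE = [sample_event(*row) for row in [
    (3010, "ap-1", A, M2), (3000, "ap-1", A, M1),          # A retries and succeeds
    (2100, "ap-1", B, DEAUTH, TIMEOUT), (2000, "ap-1", A, DEAUTH, TIMEOUT),
    (1310, "ap-2", D, M2), (1300, "ap-2", D, M1),
    (1210, "ap-1", C, M2), (1200, "ap-1", C, M1),
    (1110, "ap-1", B, M2), (1100, "ap-1", B, M1),          # B: M2 logged, still times out
    (1000, "ap-1", A, M1),                                 # A: no M2 ever logged
]]
```

Passing an open log export to `handshake_report` works the same way as passing `SAMPLE`; the `timeout_no_m2` and `timeout_after_m2` counters separate clients that never answered M1 from handshakes where the M2 was logged but the timeout still fired.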
Comments
jcamacho1
Staff

Thank you for this article!!

 

Best regards.

Jonathan C.