• Bug #99086: The user is not able to connect at times, no response for 1/4 message 4-way handshake timeout.
• Bug #1024137: No EAPOL in OTA, FortiAP deauth's with 4-way handshake timeout

1. FortiAP would send an M1 message to the user, but the user does not respond with M2 hence 4-way handshake times out:

Line 160: date="2024-08-14" time="15:01:31" id=7402964072737545500 bid=114877032 dvid=1116 itime=1723636890 euid=85441 epid=104 dsteuid=3 dstepid=3 logver=702071577 logid="0104043575" type="event" subtype="wireless" level="notice" srcip="0.0.0.0" action="client-deauthentication" msg="Client 04:7b:cb:c7:0b:68 de-authenticated." logdesc="Wireless client deauthenticated" sn="FP231GTF23099GBG" user="N/A" group="N/A" reason="4-Way Handshake timeout" ssid="travel2public" ap="Finnair-s2111522-ap-0.6.1" vap="travel2public-t" security="WPA2 Personal" channel=64 signal=0 radioid=2 radioband="802.11ax-5G" stamac="04:7b:cb:c7:0b:68" encryption="AES" mpsk="N/A" eventtime=1723636891393156317 authserver="N/A" tz="+0300" snr=0 devid="FG3K0FTB23900169" vd="FINNAIR_INS" devname="finnair-s2109513-fw1"
Line 161: date="2024-08-14" time="15:01:31" id=7402964072737545339 bid=114877032 dvid=1116 itime=1723636890 euid=3 epid=3 dsteuid=3 dstepid=3 logver=702071577 logid="0104043651" type="event" subtype="wireless" level="warning" action="WPA-2/4-key-msg" msg="AP received 2/4 message of 4-way handshake from client 04:7b:cb:c7:0b:68" logdesc="Wireless client sent 2/4 message of 4 way handshake" sn="FP231GTF23099GBG" user="N/A" reason="Reserved 0" ssid="travel2public" ap="Finnair-s2111522-ap-0.6.1" vap="travel2public-t" security="WPA2 Personal" channel=64 radioid=2 stamac="04:7b:cb:c7:0b:68" encryption="AES" eventtime=1723636890651888590 authserver="N/A" remotewtptime="1738.981987" tz="+0300" devid="FG3K0FTB23900169" vd="FINNAIR_INS" devname="finnair-s2109513-fw1"
Line 162: date="2024-08-14" time="15:01:31" id=7402964072737545338 bid=114877032 dvid=1116 itime=1723636890 euid=3 epid=3 dsteuid=3 dstepid=3 logver=702071577 logid="0104043650" type="event" subtype="wireless" level="warning" action="WPA-1/4-key-msg" msg="AP sent 1/4 message of 4-way handshake to client 04:7b:cb:c7:0b:68" logdesc="AP sent 1/4 message of 4 way handshake to wireless client" sn="FP231GTF23099GBG" user="N/A" reason="Reserved 0" ssid="travel2public" ap="Finnair-s2111522-ap-0.6.1" vap="travel2public-t" security="WPA2 Personal" channel=64 radioid=2 stamac="04:7b:cb:c7:0b:68" encryption="AES" eventtime=1723636890651871140 authserver="N/A" remotewtptime="1738.976217" tz="+0300" devid="FG3K0FTB23900169" vd="FINNAIR_INS" devname="finnair-s2109513-fw1"

FortiGate wpad 7 logs would show: 

Line 249: 2024-08-14 14:58:19 hostapd_get_hash_psk sta's psk cannot be found in hashtable
Line 721: 2024-08-14 14:58:20 hostapd_get_hash_psk sta's psk cannot be found in hashtable
Line 1148: 2024-08-14 14:58:20 hostapd_get_hash_psk sta's psk cannot be found in hashtable

2. For diagnosis, collect FortiGate station-logs, WiFi Event logs, klog on the affected FortiAP, and FortiGate wpad 7 logs.
3. The first potential fix is added via #990868 on the new 7.4.3 build0680 GA: Resolved issues.
4. The second potential fix is added via #1024137 on the new 7.4.4 GA release:
   Resolved issues 7.4.4
   
5. If the issue remains on the new v7.4.4 GA. Collect FortiAP Q6 Memory dump, fap-tech, klog, and latest FortiGate config.
6. Try the following potential WIDS workaround on the new FortiAP 7.4.4 GA:

• Create a new WIDS profile on the FortiGate:

config wireless-controller wids-profile
    edit "nobgscan"
        set sensor-mode both
        set ap-scan enable
        set ap-bgscan-disable-schedules "always"
    next
end

• On the FortiAP profile, disable the DDscan. Assign the WIDS profile 'nobgscan' for the radio1, 2, and 3 in the FortiAP profile.