FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11ax, and the demand for plug and play deployment.
Adolfo_Z_H
Staff
Article Id 240675

Description

 

This article describes how to improve FortiAP reconnection time in the event of failover or link failures.

 

Scope

 

FortiGate devices running 6.0, 6.2, 6.4, 7.0 and 7.2.X FOS releases.

All FortiAP devices compatible with FortiOS (FortiAP B, C, E, F, U series, FortiGate compatibility mode).

 

Solution

 

Management sessions from FortiAP are not replicated between HA members, which means that when the maximum value for lost keep-alive packets is reached on the management tunnel (max-retransmit), FortiGate declares the session terminated by timeout.

AP FAIL messages become visible in the FortiGate wireless event log, and wifi diagnose messages similar to the following will appear:

 

'ECHO REQ is missing' and 'Control message maximal retransmission limit reached'

 

These messages imply that the keep-alive packets 'ECHO REQ (FGT)' and 'ECHO RESPONSE (FAP)' were not successful or complete. In combination with the max retransmission limit being reached, this indicates that the communication between the FortiGate and the AP is suffering difficulties. The controller subsequently resets the AP because too many retransmissions have occurred.

 

FortiAP reconnection times are affected by the following settings on the FortiGate wireless controller:

 

# config wireless-controller global

set max-retransmit {integer} Maximum number of tunnel packet retransmissions (0 - 64, default = 3). range [0-64]

 

As well as by the following timer:

 

# config wireless-controller timers

set echo-interval {integer} Time between echo requests sent by the managed WTP, AP, or FortiAP (1 - 255 sec, default = 30). range [1-255]

 

Consider an example where the FortiGate Wireless controller has changed these values from the default settings to the following:

 

# config wireless-controller global

set max-retransmit 15

 

# config wireless-controller timers

set echo-interval 100

 

In this example, the wireless controller sends keep-alive packets every 100 seconds. Once 15 of these are dropped, it terminates the session. It would therefore take up to 1500 seconds (25 minutes) for an AP to recognize that the FortiGate is no longer responding.

 

Some old documents (FortiOS 6.0 and below) suggested increasing this setting to deal with challenging network conditions such as very narrow bandwidth, high packet loss and high-latency links, as encountered on satellite links.

 

Additionally, there is another wireless controller timer to consider:

 

# config wireless-controller timers

set discovery-interval

 

discovery-interval: Time between discovery requests (2 - 180 sec, default = 5). Integer; minimum value: 2, maximum value: 180.

 

Changes to default values can be discovered using the following command on the FortiAP CLI. For example:

 

# wcfg

WTP Configuration

name : FP221EXXXXXXX

loc : N/A

ap mode : thin AP

fmvap : FGT80EXXXXXXXX,(c922b90b,23bed6e9,1),1800,0

....

echo-interval : 31 <---- configured

.....

max-retransmit : 4 <---- configured

dc-dead-interval : 155 <---- calculated (estimated offline time before attempting a new discovery)

discovery-interval : 5

 

Discovery time for an AP = echo-interval * max-retransmit + (number of discovery attempts (6) * discovery-interval)

 

In this case, the time will be 155 s, meaning it can take up to approximately 3 minutes to reconnect to the new active FortiGate once that unit is fully operational.

 

This is because the following parameter is in use in the FortiAP configuration:

 

AC_DISCOVERY_TYPE:=0 <---automatic discovery

AC_IPADDR_1:=192.168.5.15

AC_IPADDR_2:=

 

The FortiAP will therefore cycle through the discovery methods as follows, waiting 5 seconds between discovery attempts:

 

1(static) → 2(dhcp) → 3(dns) → 7(forticloud) → 5(multicast) → 6(broadcast)
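
The timer arithmetic above can be checked against a saved wcfg capture. The following is an added example, not Fortinet code: it parses the timer fields, applies the article's formula, and reports which values differ from the defaults quoted earlier. The function names and the sample capture are constructed for illustration.

```python
import re

# Defaults quoted in the article (FortiGate wireless-controller settings).
DEFAULTS = {"echo-interval": 30, "max-retransmit": 3, "discovery-interval": 5}
DISCOVERY_ATTEMPTS = 6  # number of discovery attempts in the article's formula

# Constructed sample, modelled on the wcfg output shown in the article.
SAMPLE_WCFG = """\
WTP Configuration
name : FP221EXXXXXXX
ap mode : thin AP
echo-interval : 31
max-retransmit : 4
dc-dead-interval : 155
discovery-interval : 5
"""

def parse_wcfg(text):
    """Extract the integer timer fields from FortiAP 'wcfg' output."""
    wanted = set(DEFAULTS) | {"dc-dead-interval"}
    timers = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z-]+)\s*:\s*(\d+)\b", line)
        if m and m.group(1) in wanted:
            timers[m.group(1)] = int(m.group(2))
    return timers

def keepalive_timeout(t):
    """Seconds of lost keep-alives before the session is declared dead."""
    return t["echo-interval"] * t["max-retransmit"]

def reconnect_estimate(t):
    """Article's formula: keep-alive timeout plus six discovery intervals."""
    return keepalive_timeout(t) + DISCOVERY_ATTEMPTS * t["discovery-interval"]

def drift_from_defaults(t):
    """Return {setting: (configured, default)} for every tuned timer."""
    return {k: (t[k], d) for k, d in DEFAULTS.items() if k in t and t[k] != d}

if __name__ == "__main__":
    timers = parse_wcfg(SAMPLE_WCFG)
    print("keep-alive timeout:", keepalive_timeout(timers), "s")
    print("reconnect estimate:", reconnect_estimate(timers), "s")
    for name, (cur, default) in drift_from_defaults(timers).items():
        print(f"{name}: {cur} (default {default})")
```

For the sample values the formula as written yields 154 s, one second under the 155 s dc-dead-interval the AP itself reports.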

 

In summary, to speed up FortiAP reconnections:

 

1) Use the default values on these timers where possible.

2) Use manual controller discovery and manual IP addressing on the APs.

 

It is no longer required to change these timer settings from their default values on modern high-speed, high-bandwidth networks.

 

If FortiAP failures and disconnections occur with the following message...

 

'ECHO REQ is missing' and 'Control message maximal retransmission limit reached'

 

... and the related APs are deployed as local FortiAPs (they are on the same campus, typically in the same building, with gigabit speed links or better), consider investigating network issues or FortiAP-related issues before attempting to tune wireless controller timers and global settings. The default settings are recommended for most deployments.

 

Read the following article to understand how to diagnose FortiAP related issues:

 

https://community.fortinet.com/t5/FortiAP/Technical-Tip-How-to-interpret-FortiWiFi-or-FortiAP-variou...

 

References

https://docs.fortinet.com/document/fortigate/6.2.3/cli-reference/138620/wireless-controller-timers

 

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/717332/wireless-controller-timers

 

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/214787/wireless-controller-global

 

https://community.fortinet.com/t5/FortiAP/Technical-Tip-How-to-interpret-FortiWiFi-or-FortiAP-variou...

 

https://docs.fortinet.com/document/fortiap/7.0.4/fortiwifi-and-fortiap-configuration-guide/65088/for...
