Description
This article describes the troubleshooting steps to follow when a FortiAP cannot be brought online on a FortiGate.
Scope
Consolidated troubleshooting for bringing a FortiAP online on a FortiGate.
Solution
Before starting, make sure the step-by-step LAN Edge Deployment Guide has been followed, as it addresses many of the basic issues.
First-time FortiAP installation issues: a checklist.
Note:
If the FortiAP was online once, it is shown as disconnected under Managed FortiAPs, as in the screenshot below. If the FortiAP was never online, it is not listed at all.
FortiAP CLI commands whose output shows whether the FortiAP is offline:
cfg -s
fap-get-status
Steps and Actions:
- Check the hardware platform: the FortiGate model's data sheet shows the number of APs it supports: Fortinet Data sheets
Note:
The link above is only an example of where to find the appropriate FortiGate model and check the number of FortiAPs it supports.
The data sheet lists the number of APs supported in tunnel mode and in bridge mode separately. If the tunnel-mode capacity is exhausted, the WTP mode must be changed to remote:
config wireless-controller wtp
edit FAP22B3U11005354
set wtp-mode remote
set wtp-profile 220B_bridge
end
Note:
Remote mode supports only local bridge mode SSIDs.
Related article:
If the FortiAP is not supported:
Next steps:
Try bringing the FortiAP up on FortiLAN Cloud or on another FortiGate firewall, or refer the customer to the sales or accounts team, as no more FortiAPs are supported on the given FortiGate.
- Check for cabling issues and the LED status on the access points:
- If the LED status shows no cabling issue, move to Step 3.
- If the LED status indicates a bad or suspect cable:
- Try changing the cable.
- Try changing the switch port, if connected to a switch.
- Try a known-good PoE power source.
- Check the firmware version compatibility in the release notes, and check that the platform profile is present on the FortiGate, together with the supportability matrix.
URL for release notes: https://support.fortinet.com/Download/FirmwareImages.aspx
URL for the supportability matrix: https://docs.fortinet.com/product/fortiap/7.2
- If the platform profile/FortiAP model is available in the FortiAP profiles, move to Step 4.
- If the unit runs FortiAP-U/Meru firmware:
Action:
Get console access to the FortiAP.
Stop at U-Boot on the FortiAP when prompted:
Password: fap22b1!$
set_image_id fap_default
nvram save
savenv
reset
If it is not possible to stop at U-Boot, let the FortiAP boot with the Meru image. When prompted for a password, use the serial number as the password.
Use the command <bootimg imageid 2> to boot with the FortiAP image.
- Make sure the FortiAP is not discovered on the cloud; a FortiAP that is discovered on the cloud will not come online on the FortiGate. Ask the user for the cloud account or for the wcfg output, and look for AC_DISCOVERY_TYPE.
- If the FortiAP is on the cloud:
Action:
Take the FortiAP serial number, contact Fortinet Support, and have the FortiAP removed.
- If the FortiAP is discovered on the cloud and the customer wants to move it to the FortiGate firewall, undeploy the AP from the cloud and move it to the FortiGate.
- If the FortiAP is not on the cloud, move to Step 5:
- If the FortiAP is still not up, check the country or region code of the FortiAP.
The following FortiAP CLI command lists the country and region codes and the regulatory domains supported by Fortinet:
cw_diag -c all-countries
- If the code is incorrect:
Action:
Ask the customer to contact their sales representative and have the AP replaced with one that has the correct country settings.
- Check whether C compatibility mode is needed. For any FortiAP with a serial number starting with FAPC, check the setting below.
config wireless-controller setting
set fapc-compatibility {enable | disable}
end
- If the AP is C-compatible:
Action: Enable it.
- If the FortiAP is not C-compatible:
Action: Do not change the default values.
- Make sure the FortiAP has an IP address.
- This can be validated in the DHCP Monitor under the Monitor tab in the GUI.
- Using SSH or console CLI access to the FortiGate terminal, check the ARP table (arp -a) for an ARP entry from the FortiAP.
- Check reachability, using ping, between the FortiAP (or any other device on that port) and the FortiGate interface on which the Security Fabric connection is enabled, or the interface on which the customer intends to keep the FortiAP online (make sure ping is enabled on that interface).
- If the link is L2, the FortiAP should find the FortiGate by itself; refer to the link below: Discovery and authorization of APs
- If the FortiAP does not connect to the FortiGate.
Action:
Proceed to Step 10.
- If the FortiAP connects to the FortiGate.
Action:
Issue resolved.
- If the link is L3, manually configure the AP to reach the FortiGate: Advanced WiFi controller discovery
- If the AP does not connect to the FortiGate.
Action: Proceed to Step 10.
- If the AP connects to the FortiGate.
Action: Issue resolved.
- If a FortiAP-U is not coming online and the customer reports that the power LED keeps going on and off.
Action: Get console access to the FortiAP-U; it may be seen that the unit is continuously crashing and cannot discover the FortiGate:
- Stop at U-Boot on the FortiAP when prompted:
Password: fap22b1!$
# set_image_id fap_default
# nvram save
# savenv
# reset
- If the above did not help, stop at U-Boot on the FortiAP again when prompted:
Password: fap22b1!$
# set_auto_learning off
# set_image_id meru_default
# nvram save
# savenv
# reset
- Let the AP boot with the Meru image.
When prompted for a password, use the serial number as the password.
Use the command <bootimg imageid 2> to boot with the FortiAP image.
- For any configuration issues, follow the link below: Connecting FortiAP
- Check whether CAPWAP packets are reaching the FortiGate using the sniffer, and see whether the FortiGate responds (CAPWAP control uses UDP port 5246):
diagnose sniffer packet <interface_name> "port 5246" 4
This shows the two-way communication between the FortiGate and the FortiAP.
- If there is no CAPWAP connection:
Action: Proceed to Step 11.
- If there is a CAPWAP connection:
Action: Issue resolved.
- Check the AP console logs using wcfg to see the discovery state and whether the AP is going into a sulking state. The discovery order is:
1(static) → 2(dhcp) → 3(dns) → 7(fortiapcloud) → 5(multicast) → 6(broadcast)
If it is stuck at one phase, contact L3 support and collect the logs below.
diag wireless-controller wlac wtp_filter FP112B3X13000193 0-192.168.6.8:5246 2 <----- Replace the serial number and IP address with those of the FortiAP.
di de console timestamp en
di de application cw_acd 0x7ff
di de en
- Check for crash logs using the AP console:
kp
crash
cw_diag kernel-panic (shows the kernel panic output).
dmesg
cw_diag show all
diagnose wireless-controller wlac -c wtp (run on the FortiGate; shows the status of the AP).
- If a kernel panic is seen in the output.
Action: Contact Fortinet Support.
- If no kernel panic is seen.
Action: Proceed to Step 13.
- If an already connected FortiAP goes offline from the FortiGate, check the reason it went offline using the command below. A separate article covers an AP that was once online and is now disconnected.
diagnose wireless-controller wlac -c wtp
Example:
diagnose wireless-controller wlac -c wtp
-----------------------------WTP 1----------------------------
WTP vd : root
vfid : 0
id : FP433FTF20001356
uuid : 4eb674cc-728f-51ed-f368-4ff04362c41d
mgmt_vlanid : 0
region code : A
regcode status : valid
refcnt : 3 own(1) wtpprof(1) ws(1)
apcfg status : N/A,N/A cfg_ac=0.0.0.0:0 val_ac=0.0.0.0:0 cmds T 0 P 0 U 0 I 0 M 0
apcfg cmd details:
plain_ctl : disabled
deleted : no
image-dl(wtp,rst): yes,no
admin : enable
cfg-wtp-profile : FAP433F-default
override-profile : disabled
oper-wtp-profile : FAP433F-default
wtp-mode : normal
wtp-wanlan-mode : aggregate
cfg-apcfg-prof :
oper-apcfg-pro :
bonjour-profile :
wtp-group :
name :
location :
region-map :
pos-x : 0
pos-y : 0
ble-major-id : 0 (wtp: 0, grp: 0, prof: 0)
ble-minor-id : 0 (wtp: 0, prof: 0)
led-blink : disabled
led-state : enabled
led-schedules :
poe mode : auto(auto)
poe-mode-oper : auto
ext-info-enable : enabled
ip-frag-prevent : TCP_MSS
tun-mtu : 0,0
split-tunneling-acl-path : local
split-tunneling-local-ap-subnet : disabled
energy-efficient-ethernet : disabled
active sw ver : FP433F-v7.0-build0034
local IPv4 addr : 192.168.20.3
board mac : d4:76:a0:0b:8b:50
join_time : Tue Sep 5 11:04:50 2023
mesh-uplink : ethernet
mesh hop count : 0
parent wtp id :
connection state : Connected
image download progress: 0
last failure : 20 -- ECHO REQ is missing --> Reason for the FortiAP offline.
last failure param: N/A
last failure time: Tue Sep 5 10:59:44 2023
station info : 0/0
geo : World (0)
deployment : cfg platform-determined oper indoor
LAN :
rId : 3
cnt : 2
port 1 : mode offline(0)
port 2 : mode offline(0)
LLDP : enabled (total 0)
SNMP : disabled
WAN port authentication: none
WAN port 802.1x EAP method: all
Temperature in Celsius: 3 (50,50,49)
Capability :
local standalone : enabled
lan port : enabled
local switch : enabled
vlan : enabled
local bridge : enabled
DFS : enabled
timestamp offset : enabled
txpower percentage : enabled
wpa3 : enabled
station health : enabled
DTLS v1.2 : enabled
multiple time schedule : enabled
energy-efficient-ethernet : enabled
wan lan mode : enabled
led dark : enabled
kernel DTLS data : enabled
128-length passwd : disabled
internal wtp : disabled
IGMP Snoop : enabled
enhanced mpsk : enabled
vap acl singe mac : enabled
no rouge ap sta : enabled
vap acl range/wildcard mac : disabled
Radio 1 : AP
80211d enable: : enabled
country name : CA
country code : 5001
drma_manual_mode : ncf
radio_type : 11AX
channel list : 1 6 11
darrp : enabled
airtime fairness : disabled
bss color mode : Auto
bss color(actual): 0
opt antenna : None
txpower : high 23 low 10 tgt -70 (calc 23 oper 10 dBm)
beacon_intv : 100
rts_threshold : 2346
frag_threshold : 2346
ap scan : disable
ap scan passive : disabled
sensor mode : both
ARRP profile : arrp-default
WIDS profile : default
wlan 6 : venssid
max vaps : 8
base bssid : d4:76:a0:0b:8b:58
oper chan : 1
noise_floor : -95
chutil : enabled
oper chutil time : Fri Sep 15 13:20:59 2023 (age=0)
oper chutil data : 45,46,51,40,47, 50,52,46,37,36, 37,43,47,34,43 ->newer
station info : 0/0
Radio 2 : AP
80211d enable: : enabled
country name : CA
country code : 5001
drma_manual_mode : ncf
radio_type : 11AX_5G
channel list : 36 40 44 48 52 56 60 64 100 104 108 112 116 120 124 128 132 ...
darrp : enabled
airtime fairness : disabled
bss color mode : Auto
bss color(actual): 0
opt antenna : None
txpower : high 23 low 10 tgt -70 (calc 17 oper 10 dBm)
beacon_intv : 100
rts_threshold : 2346
frag_threshold : 2346
ap scan : disable
ap scan passive : disabled
sensor mode : both
ARRP profile : arrp-default
WIDS profile : default
wlan 6 : venssid
max vaps : 8
base bssid : d4:76:a0:0b:8b:60
oper chan : 36
noise_floor : -95
chutil : enabled
oper chutil time : Fri Sep 15 13:20:59 2023 (age=0)
oper chutil data : 31,37,33,31,38, 32,32,27,37,30, 30,30,32,32,28 ->newer
station info : 0/0
Radio 3 : Monitor
ap scan passive: enabled
sensor mode : both
auto suppress : enabled
fgscan rptintv : 15
spectrum analysis: scan only
ARRP profile : ---
WIDS profile : default
Radio 4 : Virtual Lan AP
max vaps : 0
base bssid : 00:00:00:00:00:00
station info : 0/0
Radio 5 : Not Exist
WAN/LAN stats :
: lan1 rx,tx bytes 764258258,6409351395 packets 2017554,8602021 errors 0,0 dropped 4,0
: lan2 rx,tx bytes 0,0 packets 0,0 errors 0,0 dropped 0,0
status :
uplink status :
lan1 carrier=1, speed=1000, duplex=full
lan2 carrier=0, speed=0, duplex=
In the example above, the FortiAP went offline because of a communication problem between the FortiAP and the FortiGate: the last failure shows that the CAPWAP echo request was missing.
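As an added example (not part of the original article), the following Python script parses output of the form shown above into one record per WTP and maps each record onto the checks in this article (region code, connection state, last failure). The sample text is constructed and cut down from the example output; the second WTP is invented to show a disconnected AP with an invalid region code.

```python
import re

# Constructed sample, cut down from the article's -c wtp example; WTP 2 is invented.
SAMPLE = """\
-----------------------------WTP 1----------------------------
id : FP433FTF20001356
region code : A
regcode status : valid
connection state : Connected
last failure : 20 -- ECHO REQ is missing
last failure time: Tue Sep 5 10:59:44 2023
country name : CA
-----------------------------WTP 2----------------------------
id : FP231FTF21000001
region code : A
regcode status : invalid
connection state : Disconnected
last failure : 0 -- N/A
"""

# "key : value"; the non-greedy key stops at the first colon, so timestamps in values survive.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9_ ./()-]+?)\s*:\s*(.*?)\s*$")

def parse_wtp_output(text):
    """Split -c wtp output into one dict per WTP block, keeping the first value seen per key."""
    wtps = []
    for line in text.splitlines():
        if line.startswith("----") and "WTP" in line:
            wtps.append({})
            continue
        m = FIELD_RE.match(line)
        if m and wtps:
            wtps[-1].setdefault(m.group(1), m.group(2))
    return wtps

def triage(wtp):
    """Map one WTP record onto the article's checks: region code, CAPWAP state, last failure."""
    notes = []
    if wtp.get("regcode status") != "valid":
        notes.append("region code %s not valid: check the country/region code" % wtp.get("region code"))
    if wtp.get("connection state") != "Connected":
        notes.append("not connected: sniff CAPWAP on UDP port 5246")
    failure = wtp.get("last failure", "0")
    if failure.split("--")[0].strip() != "0":
        notes.append("last failure %s at %s" % (failure, wtp.get("last failure time", "unknown")))
    return notes

if __name__ == "__main__":
    for record in parse_wtp_output(SAMPLE):
        print(record.get("id"), triage(record) or ["no issue found"])
```

Feed the script the real output captured from the FortiGate instead of SAMPLE to triage every managed AP at once.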
Collect the output below from the FortiAP CLI (Telnet or SSH) to get more information from the FortiAP's perspective.
From FortiGate:
- To get SSH or Telnet access to the FortiAP, make sure it is allowed in the FortiAP profile (WiFi & Switch Controller -> FortiAP Profiles, edit the respective profile and allow SSH).
- Other handy AP commands:
fap-tech
cfg -s
fap-get-status
cw_diag uptime
cw_diag sys-performance
iwconfig
diag_debug_crashlog read
cw_diag -c wtp-cfg
cw_diag -c radio-cfg
cw_diag -c vap-cfg
cw_diag kernel-panic
dmesg
rcfg
klog