FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
This article describes the issue where Wi-Fi clients connected with tunnel-mode SSIDs are unable to pass traffic when 1+1 HA fails over to the secondary FortiGate. The article provides a step-by-step guide to resolve this issue by upgrading the FortiAP to v7.4.6:0754, v7.6.2:0965, and higher.
Scope
FortiAP, FortiGate.
Solution
After an HA 1+1 failover from the primary to the secondary FortiGate:
Existing Wi-Fi clients on tunnel-mode SSIDs experience loss of Internet access and/or IP connectivity.
New connection attempts to the tunnel SSID fail (clients may stay “connected” at L2 but cannot pass traffic).
On FortiGate, EAP-Request frames are seen leaving, but no EAP-Response is received.
A wireless sniffer shows the client does reply (EAP-Response) but the AP does not forward the next EAP/EAPOL frames.
ARP from the client to the tunnel gateway is visible in the AP logs, but not on the AP uplink or the FortiGate.
Bridge-mode SSIDs continue to work as expected.
To resolve the issue where Wi-Fi clients connected with tunnel-mode SSIDs are unable to pass traffic when 1+1 HA fails over to the secondary FortiGate, follow these steps:
Identify the current version of the FortiAP and check if it is affected by the known issue.
Upgrade the FortiAP to v7.4.6:0754, v7.6.2:0965 and higher.
Test the failover scenario to ensure that Wi-Fi clients can connect to the tunnel mode SSIDs and pass traffic after the failover.
Refer to theFortiAP release notes 7.4.6 for more information on the resolved issues in v7.4.6:0754, v7.6.2:0965 and higher.
