FortiGate
fsaleh
Staff
Description
When trying to authorize FortiAPs (APs), this error occurs when the maximum number of APs that can be connected to that FortiGate device has been reached.
Scope
The FGT60D is used as the example in this case. Every FortiGate model has its own maximum number of access points that can be connected.

When trying to authorize the 6th access point on the FGT60D, an error "Value conflict system settings" is seen.

It means you have reached the maximum number of access points connected in "normal mode".

To increase the number of FortiAPs associated with a FortiGate, change the operational mode of some of the APs to "remote mode". Changing FortiAPs to "remote mode" does place some restrictions on these FortiAPs (see "Considerations" below).

The 60D supports a maximum of 10 APs, but only 5 of those may operate in normal mode.

Considerations -- SSID Types & AP Mode

An SSID can be in tunnel mode or local-bridge mode.
A tunnel mode SSID can be assigned to an AP in normal mode but not in remote mode.
A local-bridge mode SSID can be assigned to an AP in both normal mode and remote mode.

a) tunnel-mode SSID

A tunnel mode SSID will work with a software switch.
A software switch allows you to bridge an SSID in tunnel mode to the LAN subnet, so they share an IP range.

b) local-bridge mode SSID

A local-bridge mode SSID does not require a software switch.
- By default the wireless client takes its IP address from the subnet of the AP, unless the SSID has a VLAN ID associated with it.
- If an SSID in local-bridge mode has a VLAN ID associated with it, then the clients get their IP address from the VLAN.
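
The AP limits and SSID/AP-mode rules above, written as a pre-check for an authorization plan. This is an added example, not Fortinet code: the model table holds only the FGT60D figures stated in this article, and the AP serials and SSID names are constructed sample values.

```python
from collections import namedtuple

# Limits for the FGT60D as stated in this article; other models have other values.
LIMITS = {"FGT60D": {"total": 10, "normal": 5}}

# mode is "normal" or "remote"; ssids maps SSID name -> "tunnel" or "local-bridge"
AP = namedtuple("AP", "serial mode ssids")

def check_plan(model, aps):
    """Return a list of problems; an empty list means the plan fits the rules."""
    limit = LIMITS[model]
    problems = []
    normal = [ap for ap in aps if ap.mode == "normal"]
    if len(aps) > limit["total"]:
        problems.append(
            f"{len(aps)} APs exceed the {model} total of {limit['total']}")
    if len(normal) > limit["normal"]:
        problems.append(
            f"{len(normal)} normal-mode APs exceed the {model} limit of {limit['normal']}")
    for ap in aps:
        if ap.mode != "remote":
            continue
        # Remote-mode APs accept local-bridge SSIDs only.
        for name, kind in ap.ssids.items():
            if kind == "tunnel":
                problems.append(
                    f"{ap.serial}: tunnel SSID '{name}' cannot be assigned to a remote-mode AP")
    return problems

def sample_plans():
    """Constructed plans: five normal-mode APs plus three variants of a sixth."""
    bridged = {"homenet": "local-bridge"}
    tunneled = {"corp": "tunnel"}
    five = [AP(f"FAP-SAMPLE-{i}", "normal", tunneled) for i in range(1, 6)]
    return {
        "sixth_normal": five + [AP("FAP-SAMPLE-6", "normal", bridged)],
        "sixth_remote_tunnel": five + [AP("FAP-SAMPLE-6", "remote", tunneled)],
        "sixth_remote_bridged": five + [AP("FAP-SAMPLE-6", "remote", bridged)],
    }

if __name__ == "__main__":
    for name, plan in sample_plans().items():
        print(name, check_plan("FGT60D", plan) or "ok")
```

Only the third plan passes: the sixth AP has to be in remote mode and carry local-bridge SSIDs only.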

Solution

To create the bridged WiFi and wired LAN configuration, you need to configure the SSID with the Local Bridge option so that traffic is sent directly over the FortiAP unit’s Ethernet interface to the FortiGate unit, instead of being tunneled to the WiFi controller. 

Tunnel mode is the default.

Enter the following commands from the CLI:
config wireless-controller vap
    edit "homenet_if"
        set vdom "root"
        set ssid "homenet"
        set local-bridging enable
        set security wpa-personal
        set passphrase "Fortinet1"
    next
end

config wireless-controller wtp
    edit FAP22B3U11005354
        set admin enable
        set vaps "homenet_if"
        set wtp-mode normal    <----- normal or remote
    next
end

