FortiGate
FortiKoala
Staff
Article Id 189672

Description


This article describes a known issue for CAPWAP offload in FortiGate NP7lite models (90G and 120G family) where the users connected to an SSID operating in Tunnel Mode are unable to send traffic on the wireless network.

Scope


FortiGate NP7lite HA cluster in active-passive mode.

All v7.0 versions, v7.2.10 and earlier, v7.4.5 and earlier.

Solution


There is a known issue ID# 1049471 with CAPWAP offload for wireless traffic using Tunnel SSID for some models and firmware versions. It is resolved in v7.2.11, v7.4.6, v7.6.1. See v7.2.11 Resolved Issues.

Matching the known issue:

Users connected to the SSID in tunnel mode receive a DHCP IP address, but access to the intranet/Internet does not work.
When a sniffer is run on the SSID interface, VLAN-tagged traffic is observed from the FortiAP even though no VLAN ID is configured on the SSID.


Resolving the issue:

Upgrade the firewall cluster to v7.2.11, v7.4.6, v7.6.1 or later.


Workaround 1:


Disable capwap-offload on the FortiGate and restart the FortiGate cw_acd process:


config system npu
    set capwap-offload disable
end


Restart the cw_acd wireless controller process. Note that this command will briefly disconnect all FortiAPs from FortiGate.


execute wireless-controller restart-acd
This operation will reboot wireless controller daemon!
Do you want to continue? (y/n)y


Workaround 2:


Configure a non-zero VLAN ID on the SSID. This explicitly sets the VLAN tag the FortiGate expects, so the tagged traffic arriving from the FortiAP is received correctly.


config wireless-controller vap
    edit <SSID name>
        set vlanid 282    <- Enter any integer value between 2 and 4094.
    next
end


Once the FortiAP retrieves the updated SSID configuration, FortiGate can receive the traffic on the SSID interface whether or not CAPWAP offloading is enabled.

The SSID configuration currently held by the FortiAP can be checked with the 'vcfg' command.


FortiAP-03 # vcfg
-------------------------------VAP Configuration 2----------------------------
Radio Id 0 WLAN Id 1 Guest ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
vlanid=282, intf=wlan01, vap=0x1f7ad8b5, bssid=aa:aa:aa:bb:bb:bb
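The following is an added triage helper, not Fortinet code from this article: it checks whether a FortiOS version falls in the affected range given under Scope, and parses FortiAP 'vcfg' output (in the format shown above) to confirm that an SSID has been pushed to the AP with the non-zero VLAN ID from Workaround 2. The sample output includes a second, constructed VAP ("Corp") with vlanid=0 to show the unpatched case.

```python
import re

# Affected firmware per the article's Scope: all v7.0.x, v7.2.10 and earlier,
# v7.4.5 and earlier. Fixed in v7.2.11, v7.4.6, v7.6.1 (v7.6.0 is not in Scope).
_AFFECTED_MAX_PATCH = {(7, 0): None, (7, 2): 10, (7, 4): 5}  # None = every patch

def parse_version(text: str) -> tuple:
    """Turn 'v7.2.10' or '7.4.5' into (7, 2, 10)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    """True when the FortiOS version is inside the affected range for this issue."""
    major, minor, patch = parse_version(version)
    if (major, minor) not in _AFFECTED_MAX_PATCH:
        return False
    max_patch = _AFFECTED_MAX_PATCH[(major, minor)]
    return max_patch is None or patch <= max_patch

# One VAP in 'vcfg' output is a header line followed by a detail line.
_VAP_HEADER = re.compile(r"Radio Id (\d+) WLAN Id (\d+) (\S+)")
_VAP_DETAIL = re.compile(r"vlanid=(\d+), intf=(\S+), vap=0x[0-9a-f]+, bssid=(\S+)")

def parse_vcfg(output: str) -> list:
    """Parse FortiAP 'vcfg' output into one dict per VAP."""
    vaps, current = [], None
    for line in output.splitlines():
        h = _VAP_HEADER.search(line)
        if h:
            current = {"radio": int(h.group(1)), "wlan": int(h.group(2)), "ssid": h.group(3)}
            continue
        d = _VAP_DETAIL.search(line)
        if d and current is not None:
            current.update(vlanid=int(d.group(1)), intf=d.group(2), bssid=d.group(3))
            vaps.append(current)
            current = None
    return vaps

def workaround2_applied(output: str, ssid: str) -> bool:
    """True when the named SSID reached the AP with a non-zero VLAN ID (2-4094)."""
    return any(v["ssid"] == ssid and 2 <= v["vlanid"] <= 4094 for v in parse_vcfg(output))

# Sample 'vcfg' output: first VAP as shown in the article, second VAP constructed.
SAMPLE_VCFG = """\
FortiAP-03 # vcfg
-------------------------------VAP Configuration 2----------------------------
Radio Id 0 WLAN Id 1 Guest ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
vlanid=282, intf=wlan01, vap=0x1f7ad8b5, bssid=aa:aa:aa:bb:bb:bb
Radio Id 1 WLAN Id 2 Corp ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
vlanid=0, intf=wlan11, vap=0x1f7ad8c0, bssid=aa:aa:aa:bb:bb:bc
"""
```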