Description
This article explains the reasons why the FortiGate interface and VLAN interface must be able to communicate with FortiAP.
Scope
FortiGate.
Solution
In order to configure the FortiGate interface to communicate with the FortiAP unit:
Case 1 - FortiAP directly connected to the FortiGate interface or through a switched connection:
Case 2 - FortiAP connected to a 'Managed FortiSwitch' or to a VLAN interface:
In cases where the FortiAP is connected to a FortiSwitch, the FortiLink interface already has the Security Fabric Connection enabled by default. However, it is important to check which FortiSwitch port the FortiAP is connected to and which VLAN is native on that port. For example, if the FortiAP is connected to port4 on the FortiSwitch and the native VLAN on port4 is 'AP_VLAN', go to the 'AP_VLAN' interface under the FortiLink interface. In the Administrative Access section, go to IPv4 and select the Security Fabric Connection (includes CAPWAP) checkbox.
di sniffer packet any " port (5246 or 5247)" 4 0 l
interfaces=[any]
filters=[ port (5246 or 5247)]
2024-07-26 08:50:43.404127 AP-vlan in 10.8.8.2.38687 -> 10.8.8.8.5247: udp 52 CAPWAP Keep Alive
2024-07-26 08:50:43.404172 AP-vlan in 10.8.8.2.38687 -> 10.8.8.8.5247: udp 60
2024-07-26 08:50:43.404246 AP-vlan out 10.8.8.8.5247 -> 10.8.8.2.38687: udp 30 CAPWAP Keep Alive
2024-07-26 08:50:43.404254 fortilink out 10.8.8.8.5247 -> 10.8.8.2.38687: udp 30 CAPWAP Keep Alive
2024-07-26 08:50:43.404260 a out 10.8.8.8.5247 -> 10.8.8.2.38687: udp 30 CAPWAP Keep Alive
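One way to read a capture like the one above, added here as an example and not part of the original article: the script groups CAPWAP packets by AP address and lists APs whose packets arrive but are never answered, the pattern to expect when the receiving interface does not accept CAPWAP. The 10.8.8.3 lines in the sample and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

CAPWAP_PORTS = {5246, 5247}  # UDP ports used in the sniffer filter on this page

# One packet line of the sniffer output (verbosity 4, local timestamps).
LINE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): udp \d+"
)

def capwap_summary(capture):
    """Return {ap_ip: {"in": n, "out": n, "ifaces": set}} for CAPWAP packets.
    With interface "any", one reply is listed once per interface it leaves on."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "ifaces": set()})
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines such as interfaces=[any]
        if m["dir"] == "in" and int(m["dport"]) in CAPWAP_PORTS:
            ap = m["src"]   # AP -> controller
        elif m["dir"] == "out" and int(m["sport"]) in CAPWAP_PORTS:
            ap = m["dst"]   # controller -> AP
        else:
            continue
        stats[ap][m["dir"]] += 1
        stats[ap]["ifaces"].add(m["iface"])
    return dict(stats)

def unanswered_aps(capture):
    """APs that sent CAPWAP packets but never received a reply."""
    return sorted(ap for ap, s in capwap_summary(capture).items()
                  if s["in"] and not s["out"])

# The 10.8.8.2 lines are from the page; the 10.8.8.3 lines are constructed.
SAMPLE = """\
interfaces=[any]
filters=[ port (5246 or 5247)]
2024-07-26 08:50:43.404127 AP-vlan in 10.8.8.2.38687 -> 10.8.8.8.5247: udp 52
2024-07-26 08:50:43.404172 AP-vlan in 10.8.8.2.38687 -> 10.8.8.8.5247: udp 60
2024-07-26 08:50:43.404246 AP-vlan out 10.8.8.8.5247 -> 10.8.8.2.38687: udp 30
2024-07-26 08:50:43.404254 fortilink out 10.8.8.8.5247 -> 10.8.8.2.38687: udp 30
2024-07-26 08:50:43.404260 a out 10.8.8.8.5247 -> 10.8.8.2.38687: udp 30
2024-07-26 08:50:44.100000 AP-vlan in 10.8.8.3.40211 -> 10.8.8.8.5246: udp 52
2024-07-26 08:50:49.100000 AP-vlan in 10.8.8.3.40211 -> 10.8.8.8.5246: udp 52
"""

if __name__ == "__main__":
    for ap, s in capwap_summary(SAMPLE).items():
        print(ap, "in", s["in"], "out", s["out"], sorted(s["ifaces"]))
    print("no reply:", unanswered_aps(SAMPLE))
```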
diag wireless-controller wlac -c wtp
-------------------------------WTP 1----------------------------
WTP vd : root
vfid : 0
id : FP423ETF19000383
uuid : 23e97f70-b3b5-51ed-40bd-824a85c5d53c
mgmt_vlanid : 0
region code : A
regcode status : valid
refcnt : 3 own(1) wtpprof(1) ws(1)
apcfg status : N/A,N/A cfg_ac=0.0.0.0:0 val_ac=0.0.0.0:0 cmds T 0 P 0 U 0 I 0 M 0
apcfg cmd details:
plain_ctl : disabled
deleted : no
image-dl(wtp,rst): yes,no
admin : enable
cfg-wtp-profile : FAP423E-default
override-profile : disabled
oper-wtp-profile : FAP423E-default
wtp-mode : normal
wtp-wanlan-mode : wan-only
cfg-apcfg-prof :
oper-apcfg-pro :
bonjour-profile :
wtp-group :
name :
location :
region-map :
pos-x : 0
pos-y : 0
ble-major-id : 0 (wtp: 0, grp: 0, prof: 0)
ble-minor-id : 0 (wtp: 0, prof: 0)
led-blink : disabled
led-state : enabled
led-schedules :
poe mode : auto(auto)
poe-mode-oper : auto
ext-info-enable : enabled
ip-frag-prevent : TCP_MSS
tun-mtu : 0,0
split-tunneling-acl-path : local
split-tunneling-local-ap-subnet : disabled
energy-efficient-ethernet : disabled
active sw ver : FP423E-v6.4-build0481
local IPv4 addr : 10.8.8.2
board mac : e8:1c:ba:96:19:78
join_time : Fri Jul 26 08:35:28 2024
mesh-uplink : ethernet
mesh hop count : 0
parent wtp id :
connection state : Connected
image download progress: 0
last failure : 0 -- N/A
last failure param:
last failure time: N/A
station info : 0/0
geo : World (0)
deployment : cfg platform-determined oper indoor
LAN : rId : 2 cnt : 2
port 1 : mode offline(0)
port 2 : mode offline(0)
LLDP : enabled (total 1)
local port : lan1
chassis id : mac e8:1c:ba:3a:e1:a6
sys name : S108EP5918008242
sys description : FortiSwitch-108E-POE v7.4.2,build0801,231207 (GA)
capability : Bridge Router
port id : port4
port description : port4
MAU oper type : 1000BaseTFD - Four-pair Category 5 UTP, full duplex mode
ip : 169.254.1.2
vlan id : N/A
SNMP : disabled
WAN port authentication: none
WAN port 802.1x EAP method: all
Capability :
local standalone : enabled
lan port : enabled
local switch : enabled
vlan : enabled
local bridge : enabled
DFS : enabled
timestamp offset : enabled
txpower percentage : enabled
wpa3 : enabled
station health : enabled
DTLS v1.2 : enabled
multiple time schedule : enabled
energy-efficient-ethernet : enabled
wan lan mode : enabled
led dark : enabled
kernel DTLS data : enabled
128-length passwd : disabled
internal wtp : disabled
IGMP Snoop : enabled
enhanced mpsk : enabled
vap acl singe mac : enabled
no rouge ap sta : enabled
vap acl range/wildcard mac : disabled
Radio 1 : AP
80211d enable: : enabled
country name : US
country code : 841
drma_manual_mode : ncf
radio_type : 11N
channel list : 1 6 11
darrp : disabled
airtime fairness : disabled
txpower : 100% (calc 25 oper 25 max 25 dBm)
beacon_intv : 100
rts_threshold : 2346
frag_threshold : 2346
ap scan : disable
ap scan passive : disabled
sensor mode : disabled
ARRP profile : ---
WIDS profile : ---
wlan 0 : iMessage
max vaps : 8
base bssid : e8:1c:ba:96:19:80
oper chan : 11
noise_floor : -95
chutil : enabled
oper chutil time : Fri Jul 26 08:54:13 2024 (age=9)
oper chutil data : 12,19,12,17,17, 23,21,14,14,15, 26,17,20,16,15 ->newer
station info : 0/0
Radio 2 : AP
80211d enable: : enabled
country name : US
country code : 841
drma_manual_mode : ncf
radio_type : 11AC
channel list : 36 40 44 48 52 56 60 64 100 104 108 112 116 120 124 128 132 ...
darrp : disabled
airtime fairness : disabled
txpower : 100% (calc 18 oper 18 max 18 dBm)
beacon_intv : 100
rts_threshold : 2346
frag_threshold : 2346
ap scan : disable
ap scan passive : disabled
sensor mode : disabled
ARRP profile : ---
WIDS profile : ---
wlan 0 : iMessage
max vaps : 8
base bssid : e8:1c:ba:96:19:88
oper chan : 100
noise_floor : -95
chutil : enabled
oper chutil time : Fri Jul 26 08:54:13 2024 (age=9)
oper chutil data : 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0 ->newer
station info : 0/0
Radio 3 : Virtual Lan AP
max vaps : 0
base bssid : 00:00:00:00:00:00
station info : 0/0
Radio 4 : Not Exist
Radio 5 : Not Exist
WAN/LAN stats :
: lan1 rx,tx bytes 503583,197393 packets 2195,839 errors 0,0 dropped 414,0
: lan2 rx,tx bytes 0,0 packets 0,0 errors 0,0 dropped 0,0
status :
uplink status : lan1 carrier=1, speed=1000, duplex=full lan2 carrier=0, speed=0, duplex=
-------------------------------Total 1 WTPs----------------------------