Troubleshooting Tip: Managed FortiAP Issues

FortiGate

FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

Article Id 207852

Description	This article describes debug commands and other tips to use when troubleshooting managed FortiAP issues on the FortiGate side.
Scope	FortiGate, FortiAP.
Solution	Debug Commands: The output of these debug commands can be captured when troubleshooting managed FortiAP issues on the FortiGate side: Configuration. Capture and review interface, DHCP, NTP, DNS config. show full system interfac show full system dhcp serve show full system nt show full system dn Crashlog and Other Wireless Controller Status. FortiGate crash log (check for cw_acd, wpad_ac, cw_wtpd, cw_stad processes crashing). diagnose debug crashlog rea Shows the equivalent of what is shown in the wifi monitor GUI but on CLI. diag wireless-controller wlac -d st Shows a list of FortiAPs that are managed by FortiGate. It shows WTP ID which can be used to see which peripheral unit is connected to which physical FortiAP. diag wireless-controller wlac -d wt Similar to exec tac report but for FortiAP, in case something is missed during the remote session. diag wireless-controller wlac show all Real-time Debug: The following real-time debug commands should be captured simultaneously in separate CLI windows/log files: CLI session #1. Replace portX with the FortiGate port that the FortiAP is connected to and capture the CAPWAP management, DHCP, and ARP packets. diag sniff packet portX “arp or udp port 5246 or udp port 67” 6 0 CLI session #2. diag wireless-controller wlac wtp_filter FP11223344556677 0-1.2.3.4:5246 2 <----- Replace the FP11223344556677 and 1.2.3.4 with actual serial number and IP address of the FortiAP, respectively). diagnose debug reset diag debug console timestamp enable diag debug application cw_acd 0x7f diag debug enable To disable debug. diagnose debug disable diagnose debug reset It is also important to check if the cw_acd is crashing with any signal in FortiOS in the crash log report. diagnose debug crashlog read 2915: 2023-09-22 13:19:38 <20631> application cw_acd 2916: 2023-09-22 13:19:38 <20631> * signal 11 (Segmentation fault) received * Connecting to FortiAP Directly to Configure Wireless Controller IP Address (FortiGate CAPWAP interface IP). In some cases, it is necessary to connect to the FortiAP directly via SSH/Telnet or HTTPS/HTTP to confirm if the AC_IPADDR is configured properly (AC_IPADDR defaults to 192.168.1.99). If the FortiGate port with CAPWAP enabled is anything other than the default IP, then it will be necessary to manually configure the AC_IPADDR (wireless controller IP address) in each FortiAP. Details about FortiAP Controller Discovery methods: Advanced WiFi controller discovery Ensure FortiAP obtains valid time via local NTP server on the FortiGate. Valid time via NTP synchronization is required to ensure that the certificate exchange in the CAPWAP tunnel establishment process succeeds. Ensure that the FortiGate is configured as a local NTP server on the interface that the FortiAP is connected to. Related article: Technical Tip: Configuring a FortiGate unit as a NTP server Connecting to FortiAP via Wireless Controller if CAPWAP connectivity is up. Related documents: Technical Note: How to connect to FortiAP 5.4 from wireless controller using telnet, http, https, ss... https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/801107/wifi-network-troubleshooting Technical Tip: FortiAP troubleshooting

12701

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.