Description | This article describes debug commands and other tips to use when troubleshooting managed FortiAP issues on the FortiGate side. |
Scope | FortiGate, FortiAP. |
Solution |
1) Debug Commands.
The output of these debug commands can be captured when troubleshooting managed FortiAP issues on the FortiGate side:
Configuration.
Capture and review interface, DHCP, NTP, DNS config.
# show full system interface
# show full system dhcp server
# show full system ntp
# show full system dns
Crashlog and Other Wireless Controller Status.
FortiGate crashlog (check for cw_acd, wpad_ac, cw_wtpd, cw_stad processes crashing).
# diagnose debug crashlog read
Shows the equivalent of what is shown in the WiFi monitor GUI, but on the CLI.
# diag wireless-controller wlac -d sta
Shows the list of FortiAPs that are managed by the FortiGate.
This is useful because it shows the WTP ID, which can be used to see which peripheral unit is connected to which physical FortiAP.
# diag wireless-controller wlac -d wtp
Similar to exec tac report but for FortiAP, in case something is missed during a remote session.
# diag wireless-controller wlac show all
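An added example (not from the original article or from Fortinet): a Python script that scans saved output of the crashlog read command for crashes of the four wireless daemons named above and records the signal each one received. The line layout matched by the regular expressions and the sample entries are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Wireless controller daemons the article says to look for.
WIFI_DAEMONS = {"cw_acd", "wpad_ac", "cw_wtpd", "cw_stad"}
# Assumed line layout: "<n>: <date> <time> <pid> <message>".
LINE_RE = re.compile(
    r"^\d+:\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"\s+<(?P<pid>\d+)>\s+(?P<msg>.*)$"
)
APP_RE = re.compile(r"^application\s+(?P<name>\S+)")
SIG_RE = re.compile(r"signal\s+(?P<num>\d+)\s+\((?P<desc>[^)]*)\)")
# Constructed sample, not output from a real device.
SAMPLE = """\
1: 2024-01-10 08:15:02 <00231> application cw_acd
2: 2024-01-10 08:15:02 <00231> *** signal 11 (Segmentation fault) received ***
3: 2024-01-11 21:40:17 <00987> application httpsd
4: 2024-01-11 21:40:17 <00987> *** signal 6 (Aborted) received ***
5: 2024-01-12 03:05:44 <01422> application wpad_ac
6: 2024-01-12 03:05:44 <01422> *** signal 11 (Segmentation fault) received ***
"""

def wifi_crashes(crashlog_text):
    """Return one record per crash of a wireless daemon, in log order."""
    current, crashes = {}, []  # current: pid -> record being built
    for raw in crashlog_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # banner, backtrace or wrapped line
        pid, msg = line["pid"], line["msg"]
        app = APP_RE.match(msg)
        if app:  # an "application" line opens a new crash record
            rec = {"time": line["ts"], "pid": pid,
                   "process": app["name"], "signal": None}
            current[pid] = rec
            if app["name"] in WIFI_DAEMONS:
                crashes.append(rec)
            continue
        sig = SIG_RE.search(msg)
        if sig and pid in current and current[pid]["signal"] is None:
            current[pid]["signal"] = f'{sig["num"]} ({sig["desc"]})'
    return crashes

def crash_counts(crashes):
    return dict(Counter(c["process"] for c in crashes))

if __name__ == "__main__":
    print(crash_counts(wifi_crashes(SAMPLE)))
```

Repeated crashes of the same daemon at close intervals are worth correlating with the timestamps of the real-time debug captures described below.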
Real-time Debug
The following real-time debug commands should be captured simultaneously in separate CLI windows/log files:
CLI session #1.
Replace portX with the FortiGate port that the FortiAP is connected to and capture the CAPWAP management, DHCP and ARP packets.
CLI session #2.
To disable debug.
# diag debug application cw_acd 0
|
2) Connecting to FortiAP Directly to Configure Wireless Controller IP Address (FortiGate CAPWAP interface IP).
In some cases, it is necessary to connect to the FortiAP directly via SSH/Telnet or HTTPS/HTTP to confirm whether the AC_IPADDR is configured properly (AC_IPADDR defaults to 192.168.1.99).
If the FortiGate port with CAPWAP enabled uses anything other than the default IP, it will be necessary to manually configure the AC_IPADDR (wireless controller IP address) on each FortiAP.
Details about FortiAP Controller Discovery methods:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/570170/advanced-wifi-controller-discover...
3) Ensure FortiAP obtains valid time via local NTP server on the FortiGate.
Valid time via NTP synchronization is required to ensure that the certificate exchange in the CAPWAP tunnel establishment process succeeds.
Ensure that the FortiGate is configured as a local NTP server on the interface that the FortiAP is connected to.
4) Connecting to FortiAP via Wireless Controller if CAPWAP connectivity is up.
Related document.
https://community.fortinet.com/t5/FortiAP/Technical-Note-How-to-connect-to-FortiAP-5-4-from-wireless...
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/801107/wifi-network-troubleshooting
https://community.fortinet.com/t5/FortiAP/Technical-Tip-FortiAP-troubleshooting/ta-p/190973