Description
This article describes how to resolve a FortiAP showing as Offline/Down.
Scope
FortiGate, FortiAP.
Solution
When managed FortiAPs unexpectedly show as down, take the following steps:
Step 1: Check the system ARP table and confirm that all APs are receiving an IP address. This can also be verified on the DHCP monitor page in the GUI.
get system arp
If FortiAPs are not getting DHCP IP addresses, make sure the DHCP Server is enabled on the interface and VLAN to which the FortiAPs are connected. If the FortiAPs are connected via a FortiSwitch, make sure the FortiSwitch port has the correct native VLAN.
The following images provide an example for enabling DHCP on the VLAN interface designated for FortiAP management and how to assign the native VLAN on FortiSwitch to the interface connecting the FortiAP:
If FortiAP still cannot get an IP address, collect DHCP debug logs as outlined in Technical Tip: Diagnosing DHCP on a FortiGate.
Step 2: Run the following debug command to check the down/failure reason and whether it is N/A, as in the example output below:
diagnose wireless-controller wlac -c wtp
image download progress: 0
last failure : 8 -- Control message maximal retransmission limit reached
last failure param: N/A
last failure time: Thurs Sep 08 12:18:46 2022
This command is generally used to diagnose or retrieve detailed information about the Wireless Termination Points (WTPs, essentially the managed access points) on the FortiGate device. The exact output depends on the FortiOS version and on the specific issues or configurations related to the WTPs. In general, it provides insight into the status, configuration, or potential problems of the connected access points.
Step 3: Pick one IP address from the ARP table and confirm connectivity by connecting to the FortiAP over SSH from the FortiGate CLI.
execute ssh <user@host> [port]
Step 4: Run the following sniffer to see whether the FortiGate is responding.
diagnose sniffer packet <interface_name> "port 5246" 6 0 l
If FortiGate is not responding, enable Security Fabric Connection in Network -> Interfaces -> Administrative Access, as it is a minimum management requirement that FortiAP establishes a CAPWAP tunnel with the FortiGate.
Since v6.2.0, the CAPWAP access has been grouped with the Security Fabric Connection. Before v6.0.x, an individual option was provided.
Follow these steps:
If 'Security Fabric Connection' is already enabled and the FortiGate is still not responding to CAPWAP traffic from the AP, restart the wireless controller daemon. Refer to this KB article: Technical Tip: How to restart the wireless controller daemon.
Step 5: Run the WTP debugs on the FortiGate to find the point at which the FortiAP connection is failing, where x.x.x.x is the IP address of the FortiAP:
diagnose wireless-controller wlac wtp_filter <FAP_Serialno> 0-x.x.x.x:5246 2
diagnose debug application cw_acd 0x7ff
diagnose debug console timestamp en
diagnose debug enable
To stop the debug:
diagnose debug disable
diagnose debug reset
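The check in Step 4 can be automated over a saved sniffer capture. The following is an added example, not part of the original article or of any Fortinet tooling: it lists the FortiAPs whose CAPWAP packets reach the FortiGate on port 5246 without any reply going back. The header-line layout it parses, the function names, and the sample capture are assumptions made for illustration.

```python
import re
from collections import defaultdict

CAPWAP_PORT = 5246  # CAPWAP control port used in the Step 4 sniffer filter

# Assumed header-line layout of sniffer output at verbosity 6 with local timestamps:
#   <date> <time> <interface> <in|out> <src_ip>.<sport> -> <dst_ip>.<dport>: udp <len>
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp \d+"
)

def capwap_summary(capture: str) -> dict:
    """Count CAPWAP control packets per FortiAP: received from it, sent back to it."""
    stats = defaultdict(lambda: {"from_ap": 0, "to_ap": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # hex dump lines, blank lines, sniffer banner
        if m["dir"] == "in" and int(m["dport"]) == CAPWAP_PORT:
            stats[m["src"]]["from_ap"] += 1
        elif m["dir"] == "out" and int(m["sport"]) == CAPWAP_PORT:
            stats[m["dst"]]["to_ap"] += 1
    return dict(stats)

def unanswered_aps(capture: str) -> list:
    """FortiAPs whose CAPWAP packets arrive but never get a reply from the FortiGate."""
    return sorted(ip for ip, s in capwap_summary(capture).items()
                  if s["from_ap"] > 0 and s["to_ap"] == 0)

# Constructed sample capture (addresses, interface name and lengths are made up).
SAMPLE = """\
2022-09-08 12:18:40.101000 fap_mgmt in 10.10.10.2.5246 -> 10.10.10.1.5246: udp 247
0x0000   0000 0000 0000 0000 0000 0000 0800 4500
2022-09-08 12:18:40.102000 fap_mgmt out 10.10.10.1.5246 -> 10.10.10.2.5246: udp 163
2022-09-08 12:18:41.300000 fap_mgmt in 10.10.10.3.5246 -> 10.10.10.1.5246: udp 247
2022-09-08 12:18:44.300000 fap_mgmt in 10.10.10.3.5246 -> 10.10.10.1.5246: udp 247
"""

if __name__ == "__main__":
    for ip in unanswered_aps(SAMPLE):
        print(f"{ip}: CAPWAP traffic seen but no reply from FortiGate")
```

An AP reported here is a candidate for the Security Fabric Connection check described in Step 4.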
Related articles:
Troubleshooting Tip: FortiAP Offline: Complete Consolidated Troubleshooting & Checklist