FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Anonymous
Article Id 351391
Description This article provides a workaround to fix the issue of endpoints connected to FortiAP where traffic is going through FortiGate but reply traffic does not reach back to the endpoints.
Scope FortiOS, FortiGate, FortiSwitch, FortiAP.
Solution

Scenario:

FortiGate (172.18.0.1) <----> FortiSwitch <----> FortiAP <----> (172.18.0.27) Endpoint

In the presented scenario, the endpoint cannot browse the internet: its DNS queries fail, and the FortiAP reports the action 'DNS-no-resp'. The endpoint also cannot ping its gateway IP (the FortiGate internal IP, 172.18.0.1).

[Image: fortiap_Action.png]

However, debugs and logs show that FortiGate is allowing the traffic: DNS responses and ICMP replies are observed leaving the FortiGate towards the FortiSwitch, but they never arrive at the endpoint. The image below shows the endpoint's ICMP requests reaching FortiGate and the FortiGate interface replying.

[Image: ping working.png]

The next images show DNS traffic being allowed out and, in addition, FortiGate recording the reply traffic in its logs.

[Image: fw_policy_trigered.png]

[Image: dns_reply.png]

As a workaround, disable CAPWAP offloading and reboot the wireless controller, using the commands below on the FortiGate:

config system npu
    set capwap-offload disable
end

execute wireless-controller restart-acd


The last command prints the prompt below before rebooting the wireless controller; 'Y' must be pressed to proceed, which briefly disconnects all FortiAPs from the FortiGate.

This operation will reboot wireless controller daemon!
Do you want to continue? (y/n)


After the reboot, the endpoint should start receiving the reply traffic.
If the issue persists, open a support ticket for further investigation.
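To confirm the state of the setting before and after applying the workaround, here is an added Python check that is not part of the Fortinet article. It parses the `config system npu` block as copied from `show full-configuration system npu` or `show system npu` (the two samples below are constructed) and reports whether capwap-offload is explicitly disabled. It assumes that when `show system npu` omits the keyword, the value is at its default, which the script treats as 'enable'; verify that default against your FortiOS version.

```python
"""Check whether CAPWAP offload is disabled in captured FortiOS NPU config.

Added example; not from the Fortinet article. Input is CLI output copied
from `show full-configuration system npu` (or `show system npu`).
Assumption: when `show system npu` omits capwap-offload, the setting is at
its default, treated here as 'enable'.
"""
import re

# Constructed sample: what `show system npu` may look like after the workaround.
SAMPLE_AFTER = """\
config system npu
    set capwap-offload disable
end
"""

# Constructed sample: a unit still at defaults, where the keyword is absent.
SAMPLE_DEFAULT = """\
config system npu
    set fastpath enable
end
"""

# Matches one `set <keyword> <value>` line inside a config block.
SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")


def parse_config_block(text: str, section: str = "system npu") -> dict:
    """Return {keyword: value} for `set` lines between `config <section>` and `end`."""
    settings = {}
    inside = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == f"config {section}":
            inside = True
            continue
        if inside and stripped == "end":
            break
        if inside:
            m = SET_RE.match(line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings


def capwap_offload_disabled(text: str, default: str = "enable") -> bool:
    """True only when capwap-offload is explicitly set to disable.

    A missing keyword (or a missing block) falls back to `default`, so an
    untouched unit is reported as still offloading (assumed default)."""
    value = parse_config_block(text).get("capwap-offload", default)
    return value == "disable"


if __name__ == "__main__":
    for name, sample in (("after workaround", SAMPLE_AFTER),
                         ("defaults", SAMPLE_DEFAULT)):
        state = "disabled" if capwap_offload_disabled(sample) else "enabled"
        print(f"{name}: capwap-offload {state}")
```

Run it on the pasted CLI output from the unit: a result of "enabled" after the workaround means the `config system npu` change did not take, so the restart of the wireless controller alone will not help.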

Note: When using an NP7 processor, make sure to check CAPWAP offloading compatibility for the FortiAPs in use. The link is available in the Related documentation section.

Related documentation: