Description:
CAPWAP discovery requests reach the FortiGate FortiLink interface, but the FortiGate does not respond to them: a firewall local-in policy configured on the FortiGate is dropping the CAPWAP discovery request messages coming from the managed FortiSwitches.
- Verify that the FortiSwitch is sending the CAPWAP discovery requests to the FortiGate.
- Take a simultaneous packet capture on the FortiGate to identify whether the FortiGate is responding to the CAPWAP discovery or ICMP request packets:
FortiGate sniffer from CLI: Performing a sniffer trace (CLI and packet capture).
Or, FortiGate sniffer from GUI: Troubleshooting Tip: Packet Capture on FortiOS GUI.
- If the FortiGate is not responding to the CAPWAP discovery request, ensure that the following processes are running on the FortiGate using the command 'diag sys top':
fortilinkd, cu_acd, cw_acd, cw_acd_helper, acd
Sample debug flow output (diagnose debug flow) from the FortiGate showing the CAPWAP discovery packet arriving on the FortiLink interface and being dropped by local-in policy 1:
FortiGate-60E # 2025-03-26 01:52:15 id=65308 trace_id=12 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=17, 10.255.1.2:5246->224.0.1.140:5246) tun_id=0.0.0.0 from fortilink. "
<snip>
2025-03-26 01:52:15 id=65308 trace_id=12 func=iprope_policy_group_check line=4894 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_check line=2395 msg="gnum-100001, check-5f029ff4"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_check_one_policy line=2133 msg="checked gnum-100001 policy-1, ret-matched, act-accept"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_user_identity_check line=1894 msg="ret-matched"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_check_one_policy line=2366 msg="policy-1 is matched, act-drop"
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_check line=2414 msg="gnum-100001 check result: ret-matched, act-drop, flag-08010000, flag2-00000000"
2025-03-26 01:52:15 id=65308 trace_id=12 func=iprope_policy_group_check line=4894 msg="after check: ret-matched, act-drop, flag-08010000, flag2-00000000"
2025-03-26 01:52:15 id=65308 trace_id=12 func=fw_local_in_handler line=611 msg="iprope_in_check() check failed on policy 1, drop"
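When a debug flow capture spans many traces, it helps to pull out only the traces where a packet that arrived on the FortiLink interface was dropped by a local-in policy, and to tag the CAPWAP ones (UDP 5246 control, 5247 data). The following Python script is an added example, not part of the original article or of FortiOS; it parses the debug flow line format shown above. The sample lines are constructed for this example (the 192.0.2.x trace and trace 13/15 values are made up) and the interface name "fortilink" is assumed.

```python
import re
from typing import Dict, List

UDP = 17
CAPWAP_PORTS = {5246, 5247}  # CAPWAP control and data ports

# Constructed sample, modelled on the 'diagnose debug flow' output above.
# Trace 12: CAPWAP discovery dropped by local-in policy 1 (as in the article).
# Trace 13: ICMP from the switch, also dropped.  Trace 14: unrelated WAN traffic.
# Trace 15: CAPWAP from another switch that is accepted (no local-in drop).
SAMPLE_FLOW = """\
FortiGate-60E # 2025-03-26 01:52:15 id=65308 trace_id=12 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=17, 10.255.1.2:5246->224.0.1.140:5246) tun_id=0.0.0.0 from fortilink. "
2025-03-26 01:52:15 id=65308 trace_id=12 func=__iprope_check_one_policy line=2366 msg="policy-1 is matched, act-drop"
2025-03-26 01:52:15 id=65308 trace_id=12 func=fw_local_in_handler line=611 msg="iprope_in_check() check failed on policy 1, drop"
2025-03-26 01:52:16 id=65308 trace_id=13 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=1, 10.255.1.2:1->10.255.1.1:2048) tun_id=0.0.0.0 from fortilink. "
2025-03-26 01:52:16 id=65308 trace_id=13 func=fw_local_in_handler line=611 msg="iprope_in_check() check failed on policy 1, drop"
2025-03-26 01:52:17 id=65308 trace_id=14 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=6, 192.0.2.10:51000->192.0.2.1:443) tun_id=0.0.0.0 from wan1. "
2025-03-26 01:52:17 id=65308 trace_id=14 func=fw_local_in_handler line=611 msg="iprope_in_check() check failed on policy 1, drop"
2025-03-26 01:52:18 id=65308 trace_id=15 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=17, 10.255.1.3:5246->224.0.1.140:5246) tun_id=0.0.0.0 from fortilink. "
2025-03-26 01:52:18 id=65308 trace_id=15 func=__iprope_check_one_policy line=2133 msg="checked gnum-100001 policy-2, ret-matched, act-accept"
"""

# One regex per field we need: the common line prefix, the packet header
# printed by print_pkt_detail, and the local-in drop verdict.
LINE_RE = re.compile(
    r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\).*?from (?P<intf>\S+)\.')
DROP_RE = re.compile(r'iprope_in_check\(\) check failed on policy (?P<policy>\d+), drop')


def parse_flow(text: str) -> Dict[str, dict]:
    """Group debug flow events by trace_id. Each trace keeps the packet header
    (if seen) and the local-in policy id that dropped it (if any)."""
    traces: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompt echoes, <snip>, blank lines
        trace = traces.setdefault(
            m["trace"], {"trace_id": m["trace"], "packet": None, "local_in_drop_policy": None})
        if m["func"] == "print_pkt_detail":
            p = PKT_RE.search(m["msg"])
            if p:
                trace["packet"] = {
                    "proto": int(p["proto"]), "src": p["src"], "sport": int(p["sport"]),
                    "dst": p["dst"], "dport": int(p["dport"]), "intf": p["intf"]}
        elif m["func"] == "fw_local_in_handler":
            d = DROP_RE.search(m["msg"])
            if d:
                trace["local_in_drop_policy"] = int(d["policy"])
    return traces


def fortilink_local_in_drops(text: str, fortilink_intf: str = "fortilink") -> List[dict]:
    """Return the traces where a packet received on the FortiLink interface was
    dropped by a local-in policy, flagging CAPWAP control/data packets."""
    out: List[dict] = []
    for t in parse_flow(text).values():
        pkt, pol = t["packet"], t["local_in_drop_policy"]
        if pkt is None or pol is None or pkt["intf"] != fortilink_intf:
            continue
        out.append({
            "trace_id": t["trace_id"], "policy": pol, "proto": pkt["proto"],
            "src": pkt["src"], "dst": pkt["dst"], "dport": pkt["dport"],
            "capwap": pkt["proto"] == UDP and pkt["dport"] in CAPWAP_PORTS})
    return out


def drops_by_policy(text: str, fortilink_intf: str = "fortilink") -> Dict[int, int]:
    """Count FortiLink local-in drops per local-in policy id."""
    counts: Dict[int, int] = {}
    for d in fortilink_local_in_drops(text, fortilink_intf):
        counts[d["policy"]] = counts.get(d["policy"], 0) + 1
    return counts


if __name__ == "__main__":
    for d in fortilink_local_in_drops(SAMPLE_FLOW):
        kind = "CAPWAP" if d["capwap"] else f"proto {d['proto']}"
        print(f"trace {d['trace_id']}: {kind} {d['src']}->{d['dst']}:{d['dport']} "
              f"dropped by local-in policy {d['policy']}")
    print("drops per policy:", drops_by_policy(SAMPLE_FLOW))
```

Paste the real debug flow output into SAMPLE_FLOW (or read it from a file) and the per-policy count tells you directly which local-in policy id to inspect in 'config firewall local-in-policy'. Traces that arrive on other interfaces, or that are dropped elsewhere than fw_local_in_handler, are ignored on purpose.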
A sample configuration of a firewall local-in-policy that could block the CAPWAP traffic is as follows:
config firewall local-in-policy
    edit 1
        set uuid b0036cc6-0a1d-51f0-d0b3-42036f43bacf
        set intf "any"
        set srcaddr "fortilink/any"
        set srcaddr-negate disable
        set dstaddr "all"
        set internet-service-src disable
        set dstaddr-negate disable
        set action deny
        set service "ALL"
        set service-negate disable
        set schedule "always"
        set status enable
        set comments ''
    next
end
Resolution:
- Disable the local-in-policy if it is not required:
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "fortilink"
        set srcaddr-negate disable
        set dstaddr "all"
        set internet-service-src disable
        set dstaddr-negate disable
        set action deny
        set service "ALL"
        set service-negate disable
        set schedule "always"
        set status disable
    next
end
- Because a local-in policy controls inbound traffic destined for a FortiGate interface itself, scope the policy's interface (intf) or source address (srcaddr) so that the FortiLink interface, and therefore the CAPWAP traffic from the managed FortiSwitches, is excluded from the deny.
For more details on local-in-policy, visit Local-in policy and Troubleshooting Tip: Debug flow messages 'iprope_in_check() check failed, drop' - 'Denied by forward...
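A quick way to catch this class of misconfiguration before switches go offline is to audit the local-in policy configuration for enabled deny rules whose interface, source address and service would all match CAPWAP arriving on the FortiLink interface. The following Python script is an added example written for this article, not FortiOS code or a Fortinet tool; it parses the CLI text of 'config firewall local-in-policy' (as produced by 'show firewall local-in-policy') and applies a heuristic match. The interface name "fortilink", the treatment of any address object containing "fortilink" or "all" as covering the switches, and the treatment of service "ALL" or any service name containing "CAPWAP" as covering CAPWAP are assumptions; the sample configuration is constructed, with policy 1 mirroring the article's problematic policy and policies 2 to 4 showing the two fixes from the resolution plus an unrelated rule.

```python
import shlex
from typing import Callable, Dict, List

# Constructed sample modelled on the article's configuration.
# 1: the problematic policy.  2: same deny but scoped to wan1 (fix 2).
# 3: an HTTPS-only deny that does not touch CAPWAP.  4: policy 1 disabled (fix 1).
SAMPLE_CONFIG = """\
config firewall local-in-policy
    edit 1
        set intf "any"
        set srcaddr "fortilink"
        set srcaddr-negate disable
        set dstaddr "all"
        set action deny
        set service "ALL"
        set service-negate disable
        set schedule "always"
        set status enable
        set comments ''
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status enable
    next
    edit 3
        set intf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
        set schedule "always"
        set status enable
    next
    edit 4
        set intf "any"
        set srcaddr "fortilink"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set schedule "always"
        set status disable
    next
end
"""


def parse_local_in_policies(text: str) -> Dict[int, Dict[str, List[str]]]:
    """Parse 'config firewall local-in-policy' CLI text into {id: {key: [values]}}.
    Multi-valued fields (set srcaddr "a" "b") keep every value."""
    policies: Dict[int, Dict[str, List[str]]] = {}
    current = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            in_section = line == "config firewall local-in-policy"
        elif not in_section:
            continue
        elif line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)  # handles quoted names and '' comments
            policies[current][parts[1]] = parts[2:]
        elif line == "next":
            current = None
        elif line == "end":
            in_section = False
    return policies


def _covers(values: List[str], match: Callable[[str], bool], negate: bool) -> bool:
    """True when any value matches; a '*-negate enable' field inverts the result."""
    hit = any(match(v) for v in values)
    return (not hit) if negate else hit


def blocks_fortilink_capwap(p: Dict[str, List[str]], fortilink_intf: str = "fortilink") -> bool:
    """Heuristic: an enabled deny policy whose intf, srcaddr and service would
    all match CAPWAP from the FortiLink interface. intf/srcaddr/service must be
    explicitly set to count; status and action fall back to enable/deny."""
    if p.get("status", ["enable"])[0] != "enable":
        return False
    if p.get("action", ["deny"])[0] != "deny":
        return False
    intf_hit = any(i in ("any", fortilink_intf) for i in p.get("intf", []))
    src_hit = _covers(p.get("srcaddr", []),
                      lambda a: a == "all" or "fortilink" in a.lower(),  # assumed naming
                      p.get("srcaddr-negate", ["disable"])[0] == "enable")
    svc_hit = _covers(p.get("service", []),
                      lambda s: s.upper() == "ALL" or "CAPWAP" in s.upper(),  # assumed naming
                      p.get("service-negate", ["disable"])[0] == "enable")
    return intf_hit and src_hit and svc_hit


def blocking_policy_ids(text: str, fortilink_intf: str = "fortilink") -> List[int]:
    """Ids of local-in policies that would deny CAPWAP from the FortiLink interface."""
    return [pid for pid, p in parse_local_in_policies(text).items()
            if blocks_fortilink_capwap(p, fortilink_intf)]


if __name__ == "__main__":
    for pid in blocking_policy_ids(SAMPLE_CONFIG):
        p = parse_local_in_policies(SAMPLE_CONFIG)[pid]
        print(f"local-in policy {pid} would drop CAPWAP from fortilink: "
              f"intf={p['intf']} srcaddr={p['srcaddr']} service={p['service']}")
```

Only policy 1 is reported: policy 4 is the same rule with status disabled (the first resolution step), and policy 2 is scoped to wan1 (the second step), so the FortiLink interface is no longer matched. Address objects with non-obvious names will not be recognised by the name heuristic, so treat a clean result as a first pass, not proof.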
- Basic checks for a FortiSwitch showing offline in the FortiGate can be verified using the following community links:
Troubleshooting Tip: FortiSwitch Connection to FortiGate
Technical Tip: How to perform basic checks to bring FortiSwitch online on FortiGate
Troubleshooting Tip: Fix FortiSwitch showing with the 'Offline' status
Technical Tip: Non-FIPS FortiSwitches are offline when managed by FortiGate configured in FIPS-CC mo...