Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Wayne11
Contributor

FortiAP 223E

Hi

 

We have the new FortiAP 223E (FP223E-v5.4-build4137) behind a FortiWiFi 60E (v5.6.2 build1486) and a few problems and questions.

 

1. We can't find any Firmware for the FAP 223E, only until 223C. So we have no information at all for the preinstalled 5.4 build4137, Release Notes or something else. Is this normal Fortinet behavior to release a new product without any documentation or Firmware or can we install the 5.6.1 even the FAP 223E is not listed as supported model?

 

2. Authenticating to the FortiWiFi 60E and the configuration was easy as usual and was well working for a few hours, but after 2 days we have huge problems with all connected Windows clients with Win10 or Win7. Some are not able to authenticate to ans SMB server, others can even not authenticate to the AD or it takes 5 minutes until the login is successful. Just opening a browser and going to google.com takes 15 minutes or the page never show up. Pining to and from those computers is always possible with 10ms and more strange, sometimes it's possible to get to a SMB share on a Win2012R2 server, but not to another share on the same server. If we move those devices to the FortiWiFi so they connect directly to the FortiWiFi all problems are gone and everything works normal, same if we use LAN, so it's definitely FortiAP related.

 

Does anyone already has expiriences with FortiAP 223E or some informations to the installed Firmware FP223E-v5.4-build4137?

 

Thx

9 REPLIES 9
Sumanth_FTNT
Staff
Staff

Hi Wayne,

 

1. The specified NPI product is released via 5.4.4 GA Release to customers. Image that you have is the correct one FP223E-v5.4-build4137. The information is mentioned in the Release notes of 5.4.4 FAP-W2.

fortiap-s-fortiap-w2-v5.4.4-release-notes.pdf

 

You can go ahead and install 5.6.1 on FWF60E, it will support managing AP model FAP223E but currently we are yet to release the 5.6 supported GA release build for 2x2 models.

 

2. Regarding the issues mentioned, we have not encountered such issues, can we have more details about how the AP is connected to FWF & is it Tunnel or Bridge vap etc..

 

Regards

Wayne11

Hi Sumanth

 

Thx for the quick reply.

We already have 5.6.2 build1486 on the FortiWiFi60E, so far stable and nothing to complain. We are also able to manage the FortiAP 223E within this release, I was just wondering why I was not able to find any FortiAP Firmware where 223E is mentioned as supported model and I would not have searched in the W2 section.

 

The configuration is quite simple, Fortigate 200D has an IPSec VPN tunnel to the FortiWiFi 60E which is wired connected to the FortiAP 223E. We have created a new 223E profile on the FortiAP, changed the country setting and the channel to 13. The SSID profile we had already on the FortiWiFi and was working for months. The SSID configuration was transferred automatically to the FortiAP, WIDS is disabled and so far nothing else we changed. On the FortiWiFi we use a Software Switch with the LAN and WIFI Interface and the Traffic mode on the AP SSID is Tunnel.

 

This constellation was working fine for 2 days, then we got reports of the users that they can't reach some SMB shares anymore, everything is getting very slow or some websites are not loading anymore.

 

We have seen a few "last failure : 14 -- ECHO REQ is missing" with "diag wireless-controller wlac -c wtp" so probably it could be the same problem as mentioned from ggnt in this post?

 

Thx

Sumanth_FTNT

Hi Wayne,

 

>>I was just wondering why I was not able to find any FortiAP Firmware where 223E is mentioned as supported model and I would not have searched in the W2 section.

 

 I understand your concern, as 11AC Wave2 AP models were introduced to the supported AP's, we have two Categories one to show all FAP-S models( Wave1 & wave2) & FAP-W2 models portfolio.

 

Regarding the issue 2, from the logs i see that the issue is probably with ISP delay's due to which the VPN tunnel has delay/connectivity issues which makes it difficult for AP to stay connected, it makes worse due to Tunnel VAP as in when the AP looses connectivity to the AC.

 

As shown in the post you can try increasing the max-retransmit to 10 or more based on your confidence over the ISP.

 

# config wireless-controller global # set max-retransmit 3 ( default) => change to 10 or more based on your connectivity

 

Regards

 

 

Wayne11

I guess this is a misunderstanding, the VPN tunnel is not involved here at all. The FortiAP is connected by Cat6 cable directly to the FortiWiFi. If we connect the computers to the FortiAP we have the problems as described in post 1 after a while, if we shutdown the FortiAP and connect the computers directly to the FortiWiFi to the same SSID profile, everything works well and this configuration is already running since months without any interruptions. We only added last week the new FortiAP just to extend the WiFi range of the FortiWiFi.

 

Will give the max-retransmit a chance.

 

Thx

Sumanth_FTNT

Sorry my bad was confused due to statement, "Fortigate 200D has an IPSec VPN tunnel..."

 

Can you confirm if AP is managed by FWF60E, if so can you do the following.

 

Move the Tunnel VAP out of Softswitch interface & have a policy between Tunnel VAP & LAN segment or related directions.

 

Adding a Tunnel VAP into Soft Switch interface will make the VAP into Bridge mode.

 

Regards

 

Wayne11

Hi Sumanth

 

So we took out the VAP from the Soft Switch and created an own subnet, same problem. If we shutdown the AP all the clients roam to the FortiWiFi 60E and everything works normal.

 

It's definitely the FortiAP 60E. I'll open a ticket.

Sumanth_FTNT

Sure Please update the ticket details, we will look into the issue & revert ASAP.

Wayne11

Here the Ticket Number: 2470021

 

Thx

Sumanth_FTNT

Thanks

 

Is it possible your Servers are behind the FGT200D, Does the AP client Tunneled traffic goes to FGT200D via VPN Tunnel.

 

Regards