hamidc
New Contributor

7.4.2 Release

Hi. Has anyone else experienced the FortiAP constantly disconnecting after the upgrade to 7.4.2 on FortiGate? I have different FortiGates and they were all doing the same thing. The access points have to be rebooted to show up as connected and they will disconnect again. I had to downgrade back to 7.4.1 which resolved the issue. EVERY upgrade to FortiGate in the past year or so has had a major break. It is NOT OK to list something as a known issue and still go ahead and release the upgrade.

Any solutions?

AEK
SuperUser

Hi

For your critical production always stay at a recommended/mature version and you'll be safe.

In our env we have FOS 7.0.12 and 6.2.15 and never had any issue with WiFi or anything else.

AEK
hamidc
New Contributor

Hi AEK,

-How does one decide what a recommended/mature version is?

-We work with financial institutions and they require that we are on the latest firmware that addresses the latest security issues.  How does one deal with that?

-How was my suggestion that Fortinet address breaking issues rather than put them as a known issue unfounded? To cite an example, version 7.4 introduces WPA3. WPA2 has been known to be easily breakable for a while. How do you reconcile using a weak WiFi authentication with older mature versions?

The point is that rather than the mantra of "if it ain't broke, don't fix it", I am suggesting Fortinet should adhere to higher standards when releasing a new firmware.

I don't think I am asking for much from an established security company.


AEK
SuperUser

Hello

Here is what the version number means in FOS X.Y.Z.

  • X: major release, with major new features
  • Y: minor release, with minor new features
  • Z: bug fix and/or security fix

The Z tells you if the version is mature or not. Generally it is mature starting from X.Y.8, and the version maturity is also mentioned in the release notes.

The recommended version for each model is listed here:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-Release-for-FortiOS/ta-p/22717...

So the good idea for your critical production is to stay at 7.0.13, and don't move to 7.2 or 7.4 until they become mature, especially if you don't need the new features available in the new releases.

Regarding WiFi security, it is right that WPA2 is not secure, however I guess in your corp you use WPA2 Enterprise. If so then you are safe and don't need WPA3.

AEK
hamidc
New Contributor

Given our business requirements, staying on old versions will not work for us. Thank you for trying to help.  We are also a security focused company and as such are required to be on the latest security paradigms such as, but not limited to WPA3 in this example.

tech833
New Contributor II

Same issue here. Fortinet ran logs and came back and said it is not the same issue referenced as fixed in previous FortiGate versions. Won't help us any further unless we provide support contract on our switches. We have contracts on APs and FortiGate. Ridiculous as this has nothing to do with the switches.

tech833
New Contributor II

Fortinet responded back and recommended we enable arrp profile. Gonna try this tonight and see if it resolves the issue.


https://docs.fortinet.com/document/fortiap/7.4.2/fortiwifi-and-fortiap-configuration-guide/299720/co...

tech833
New Contributor II

So far the enabling of arrp seems to have worked. It has been 15 hours since I enabled it and we have not had any APs go offline to the point where they need to be POE cycled (rebooted) to come back. So far we are seeing an AP "leave" and then "join" within 3-5 minutes later. This happens about once every 4 hours to a random AP. We have automation set up to alert us via email every time an AP "leaves" and "joins" and the reason, which is always "Control message maximal retransmission limit reached". I have yet to determine if this is causing any downtime to the existing clients on that AP, or if they are getting dumped to another AP further away. We are going to continue to monitor it and I will post an update tomorrow. I still think there is an underlying issue as to why this started occurring with 7.4.2 and that arrp is just helping but not truly solving the issue; that said, though, I am not very knowledgeable about arrp or wireless science in general. If someone with a better understanding can shed some light on this that would be awesome.

tech833
New Contributor II

Well, it's the next day and still no APs that need to be rebooted. Still getting the leave/join scenario about once every 4 hours, but they always come back online within 5 minutes. I'm going to investigate if these are causing client disconnects or disruptions. So far, enabling arrp seems to have basically resolved the issue for now.
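
The leave/join alerts described in the two posts above can be paired per AP to measure how long each AP was actually gone and to separate short flaps from APs that never rejoined. This is an added example, not part of the original posts and not Fortinet tooling; the event layout, AP names and timestamps are constructed, and `parse_line` and `summarize` are hypothetical names.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp ap action reason" layout.
# This is NOT FortiOS's real log format; adapt parse_line() to your own alerts.
SAMPLE = """\
2024-01-10T01:00:12 AP-LOBBY leave Control message maximal retransmission limit reached
2024-01-10T01:04:02 AP-LOBBY join -
2024-01-10T05:02:40 AP-FLOOR2 leave Control message maximal retransmission limit reached
2024-01-10T05:06:10 AP-FLOOR2 join -
2024-01-10T09:10:00 AP-LOBBY leave Control message maximal retransmission limit reached
"""

def parse_line(line):
    # The reason is free text, so split only on the first three spaces.
    ts, ap, action, reason = line.split(" ", 3)
    return datetime.fromisoformat(ts), ap, action, reason

def summarize(text, now, max_gap=timedelta(minutes=5)):
    """Pair each leave with the next join for the same AP.

    Returns (flaps, stuck): flaps holds (ap, gap, reason) for completed
    outages; stuck lists APs whose last leave is older than max_gap
    with no join seen yet.
    """
    open_leave = {}
    flaps = []
    for line in text.strip().splitlines():
        ts, ap, action, reason = parse_line(line)
        if action == "leave":
            # Keep the earliest unmatched leave if duplicates arrive.
            open_leave.setdefault(ap, (ts, reason))
        elif action == "join" and ap in open_leave:
            left_at, why = open_leave.pop(ap)
            flaps.append((ap, ts - left_at, why))
    stuck = sorted(ap for ap, (left_at, _) in open_leave.items()
                   if now - left_at > max_gap)
    return flaps, stuck

if __name__ == "__main__":
    flaps, stuck = summarize(SAMPLE, now=datetime(2024, 1, 10, 9, 30))
    for ap, gap, why in flaps:
        print(f"{ap}: offline {gap} ({why})")
    print("no rejoin, likely needs a power cycle:", stuck)
```

Comparing the outage windows against client association logs for the same APs would show whether clients were dropped or roamed during each gap.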

JB7
New Contributor

Yes, we also started facing the same issue 12 hrs after the upgrade to 7.4.2. It's not disconnecting; APs are leaving ("Control message maximal retransmission limit reached") and re-joining by themselves, and it keeps happening for almost all APs after, say, every 12 hrs or so. So far it has happened twice after the upgrade.
