Fortigate 81F v7.4.1
I have some Aruba APs at a new site. 7 of the 12 connect to Aruba Central without a problem, but 5 of them give a certificate error. All APs connect through the same switch, VLAN and DHCP scope. All can ping externally using DNS and by IP.
The APs are trying to connect to device-uswest4.central.arubanetworks.com. I found that the working ones resolve that to 44.226.202.64 and the non-working ones resolve to 208.91.112.55, which seems to be fortinet-block-page-55.fortinet.com.
I have tried all the default SSL inspection security profiles and have removed all other security profiles.
Why would some APs be resolving to this Fortinet block page?
@BSHcow
What are DNS settings of your 5 non-working Aruba APs? Do they have the same DNS configuration?
If you check from Fortigate
# exe ping device-uswest4.central.arubanetworks.com
what IP is resolved?
Did you find the solution? Having the same problem with FG80F v7.2.6.
Tried different DNS servers/settings on Fortigate, with UTM enabled and disabled.
All Aruba access points are connecting directly to the Fortinet block page 55 IP address.
ap01# ping device-eucentral2.central.arubanetworks.com
Press 'q' to abort.
PING 208.91.112.55 (208.91.112.55): 56 data bytes
64 bytes from 208.91.112.55: icmp_seq=0 ttl=56 time=36.8 ms
64 bytes from 208.91.112.55: icmp_seq=1 ttl=56 time=36.7 ms
64 bytes from 208.91.112.55: icmp_seq=2 ttl=56 time=36.5 ms
64 bytes from 208.91.112.55: icmp_seq=3 ttl=56 time=36.6 ms
64 bytes from 208.91.112.55: icmp_seq=4 ttl=56 time=36.6 ms
--- 208.91.112.55 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 36.5/36.6/36.8 ms
208.91.112.55 is the default IP address used for blocking domains by DNS filter.
Carefully review the policies used by your APs, especially for DNS traffic. Make sure they either don't have DNS profiles enabled, or review those profiles and check if they have any configuration that could lead to blocking those domain names.
If the APs are using some internal server for DNS, check relevant policies for that server's own upstream DNS traffic as well.
If everything looks fine, consider restarting the APs, maybe they've just cached a previously-blocked result that isn't being blocked anymore.
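A small check that applies the diagnosis above: resolve the Aruba Central hostnames from the thread and flag any answer that comes back as the DNS-filter block-page address (208.91.112.55) instead of the service, and compare answers between two resolvers the way the original poster compared working and failing APs. Added example, not from the thread or from Fortinet; the hostnames are those mentioned in the posts and the resolver is injectable so the logic can be exercised offline.

```python
"""Flag DNS answers sinkholed by the FortiGate DNS filter (added example)."""
import socket
from typing import Callable, Dict, Iterable, List

# Value from the thread: default FortiGate DNS-filter block-page address.
DNS_FILTER_BLOCK_IPS = {"208.91.112.55"}

# Hostnames mentioned in the thread (constructed list; add your own region).
CENTRAL_HOSTS = [
    "device-uswest4.central.arubanetworks.com",
    "device-eucentral2.central.arubanetworks.com",
]

Resolver = Callable[[str], List[str]]


def resolve_all(host: str) -> List[str]:
    """Return every IPv4 address the system resolver gives for host ([] on failure)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(addrs: List[str]) -> str:
    """Label one answer set: unresolved, sinkholed by the DNS filter, or ok."""
    if not addrs:
        return "unresolved"
    if set(addrs) & DNS_FILTER_BLOCK_IPS:
        return "blocked_by_dns_filter"
    return "ok"


def audit(hosts: Iterable[str], resolver: Resolver = resolve_all) -> Dict[str, str]:
    """Classify each host; resolver is injectable so results can be checked offline."""
    return {h: classify(resolver(h)) for h in hosts}


def disagreements(hosts: Iterable[str], resolvers: Dict[str, Resolver]) -> Dict[str, Dict[str, List[str]]]:
    """Hosts whose answers differ between resolvers (e.g. a working AP's DNS vs a failing one's)."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for h in hosts:
        answers = {name: r(h) for name, r in resolvers.items()}
        if len({tuple(a) for a in answers.values()}) > 1:
            out[h] = answers
    return out


if __name__ == "__main__":
    for host, verdict in audit(CENTRAL_HOSTS).items():
        print(f"{host}: {verdict}")
```

Run it from a host on the same VLAN and DHCP scope as the APs; a "blocked_by_dns_filter" verdict points at the DNS filter profile on the policy that carries the APs' DNS traffic.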
Hi, do the problematic and working APs have the same DNS settings? If yes and you are still getting the same errors on some of the APs, you can try creating a static DNS entry pointing towards 44.226.202.64.
regards,
Sheikh