Fortinet Community

Montieous · ‎01-21-2022

It appears to be the session that is cleared, so it disrupts everything that device is currently doing for several seconds until the sessions are recreated.

I can see these logs under system events:

User: from cw_acd clean active IPv4 sessions,( filter:vd:0;source ip:172.30.100.10-172.30.100.10;)

And then these logs under WiFi Events:

Client 1c:1a:df:82:7b:74 de-authenticated.

Action client-deauthentication
Reason Previous authentication no longer valid

For all devices connected to WiFi and at exactly 00:00 every day.

FortiGate is a 61E running 7.0.3 and the FortiAP is a 221E also running 7.0.3, but it has happened on all versions of 7.0.x that I can remember.

Anyone have any suggestions how to diagnose or where to look next since I am stumped?

Regards, Thomas.

Vando_Pereira · ‎03-03-2022

Hello Thomas,

Have you checked if you are receiving de-authentication packets from an external source (you can do so by doing a packet capture using wireshark) ?

some one maybe trying to discover your WiFi password.

This maybe a motive of concern if you use only WPA2.

In this link you have some information how to act in case that is a DoS attack:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/961129/wireless-intrusion-detection-syst...

Best Regards.

As you think, so shall you become.

Fortinet Community

Clients briefly disconnected from WiFi at exactly 00:00 every night.