Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Montieous
New Contributor

Clients briefly disconnected from WiFi at exactly 00:00 every night.

It appears to be the session that is cleared, so it disrupts everything that device is currently doing for several seconds until the sessions are recreated.

 

I can see these logs under system events:

User: from cw_acd clean active IPv4 sessions,( filter:vd:0;source ip:172.30.100.10-172.30.100.10;)

 

And then these logs under WiFi Events:

Client 1c:1a:df:82:7b:74 de-authenticated.

Action client-deauthentication
Reason Previous authentication no longer valid

 

For all devices connected to WiFi and at exactly 00:00 every day.

 

FortiGate is a 61E running 7.0.3 and the FortiAP is a 221E also running 7.0.3, but it has happened on all versions of 7.0.x that I can remember.

 

Anyone have any suggestions how to diagnose or where to look next since I am stumped?

 

Regards, Thomas.

 

8 REPLIES 8
Vando_Pereira

Hello Thomas,

 

Have you checked if you are receiving de-authentication packets from an external source (you can do so by doing a packet capture using wireshark) ?

some one maybe trying to discover your WiFi password.

 

This maybe a motive of concern if you use only WPA2.

 

In this link you have some information how to act in case that is a DoS attack:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/961129/wireless-intrusion-detection-syst...

 

Best Regards.

As you think, so shall you become.
rphillips
New Contributor

Did you get a solution to this?  I am seeing the same behavior at one of my locations

Montieous

If its the same issue I had then it was a bug that was resolved in FortiOS 7.0.6 and later.

 

748479

cw_acd is crashing with signal 11 and is causing APs to disconnect/rejoin.

 

https://docs.fortinet.com/document/fortigate/7.0.6/fortios-release-notes/289806/resolved-issues

dbu
Staff
Staff

Hi @Montieous ,

It looks some timer is expiring somewhere. 

Can you check the DHCP lease time ?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-add-unique-DHCP-lease-time-for-spec...

Do you use VPN to connect ?

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
rphillips
New Contributor

I know your question was to Montieous, but my DHCP leases are set to 1 week / 604800 seconds.  But the issue occurs daily

hbac

Hi @rphillips,

 

What is the version of FortiGate and FortiAP? How many FortiAP are you using? Are you noticing high CPU on the FortiGate when the issue occurs? I would suggest upgrading the FortiGate firmware version if possible. 

 

Regards, 

rphillips
New Contributor

6.4.14 on the fortigate and APs are on 7.0.1.

We are already planning on upgrading the fortigates, so glad to hear that this should fix it.

GJPSTI
New Contributor

Hi, sorry to wake up this old thread here, but I am experiencing a similar issue.

Clients in our office will experience random internet connection drop out. Devices are still connected to the network, either via WIFI or LAN, but they become unable to access the internet. 

After some time, clients will become able to access the internet again, and this will be followed up by a HUGE CPU peak and session count PEAK in the Fortigate. I can also see events such as

 

"User: from cw_acd clean active IPv4 sessions,( filter:vd:0;source ip:172.30.100.10-172.30.100.10;)"

 

We're running FortiOS 7.0.15 and FortiAP 7.0.0 on our FAP-431F.

 

Any clues? Thanks for the help.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors