ralph_uy
New Contributor

Connected to AP but no internet connection

Hope someone can help me out with this issue. Clients are connected to the AP but have no internet connection. Icon on mobile showing with exclamation mark.

Icon on computer showing yellow triangle

The issue is that it is connected for some time, then suddenly loses internet connection, and then after some time will gain internet access again. Or, if you disconnect and connect again, you will gain internet access again.

There is a DNS server installed on one of the site DCs. The main DC is in another country.

DNS setup is:

DNS1: ISP DNS
DNS2: DNS server IP

I will be attaching the full configuration.

Setup

AP1:
Radio 2.4: channel 1,11
Radio 5.0: channel 36
Frequency Hand off: disable
AP Hand off: disable
Darrp: disable
SSID: wifi1,guest1

AP2:
Radio 2.4: channel 6
Radio 5.0: channel 40,48
Frequency Hand off: disable
AP Hand off: disable
Darrp: disable
SSID: wifi2,guest2

AP3:
Radio 2.4: channel 1,11
Radio 5.0: channel 44
Frequency Hand off: disable
AP Hand off: disable
Darrp: disable
SSID: wifi1,guest1

BobSmith

deanshomer wrote:

Having the same issues with clients disconnecting randomly. We have to reboot the APs every few hours to force client resets which is obviously less than ideal. Using FortiAP 221E in tunnel mode to Fortigate wifi controller. I have a support case opened with no resolution but will post back if anything comes from it.

 

Update: Found out that the CAPWAP packets were getting fragmented due to the tunneling over an IPSEC connection back to the controller. The solution for this particular problem is to adjust the tunnel MTU on the AP profile in order to avoid CAPWAP fragmentation.

I have the same issue. It would be interesting if you could post how you discovered the CAPWAP fragmentation, and what you adjusted the MTU to.

deanshomer

Basically stumbled upon the fragmentation issue while performing packet captures on an intermediate IPSEC router. I found packet fragmentation on the tunnel with the source IP of the AP. Once I realized that the already encapsulated CAPWAP packets were being fragmented due to tunnel MTU, I began to adjust the MTU on the AP profile so that the encapsulated packets would fit in the IPSEC tunnel. Started at 1450 and ended up at around 1400. You could also start low (1300) and work your way up until you start seeing fragmentation and then go back some.

 

This is only a fix if you have your AP in tunneled mode back to the wireless controller with an IPSEC tunnel in between. The tunneled CAPWAP packets need to fit in the IPSEC tunnel MTU to avoid fragmentation. The Fortigate wireless controllers cannot handle fragmented CAPWAP packets.
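
The check described in the post above (looking for IP fragments carrying the AP's source address in a capture) can be sketched as follows. This is an added example, not part of the thread: it parses raw IPv4 headers and assumes the capture was taken where CAPWAP is still visible in cleartext; the addresses and packets are constructed sample data.

```python
import struct
from collections import defaultdict

CAPWAP_PORTS = {5246, 5247}  # CAPWAP control and data UDP ports (RFC 5415)

def ipv4(src, dst, ident, more, offset, payload):
    """Build a minimal IPv4 packet, protocol UDP (constructed test data, checksum 0)."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, 17, 0, addr(src), addr(dst)) + payload

def fragments_from(packets, ap_ip):
    """Group IPv4 fragments sent by ap_ip by IP ID."""
    found = defaultdict(list)
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue  # not IPv4
        ihl = (pkt[0] & 0x0F) * 4
        total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
        more, offset = bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8
        src = ".".join(str(b) for b in pkt[12:16])
        if src != ap_ip or not (more or offset):
            continue  # other host, or an unfragmented packet
        dport = None  # the UDP header is only present in the first fragment
        if pkt[9] == 17 and offset == 0 and len(pkt) >= ihl + 4:
            dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        found[ident].append((offset, total_len, dport))
    return dict(found)

def capwap_fragment_ids(found):
    """IP IDs whose first fragment is addressed to a CAPWAP port."""
    return sorted(i for i, parts in found.items()
                  if any(off == 0 and dport in CAPWAP_PORTS for off, _, dport in parts))

# Constructed sample: a 1400-byte CAPWAP data payload from the AP, split in two,
# plus an unfragmented AP packet and a fragment from an unrelated host.
AP, AC = "10.0.0.50", "10.0.1.1"  # assumed AP and controller addresses
udp = struct.pack("!HHHH", 50000, 5247, 1408, 0) + bytes(1400)
SAMPLE = [
    ipv4(AP, AC, 0x1234, True, 0, udp[:1376]),
    ipv4(AP, AC, 0x1234, False, 1376, udp[1376:]),
    ipv4(AP, AC, 0x1235, False, 0, struct.pack("!HHHH", 50000, 5246, 72, 0) + bytes(64)),
    ipv4("10.0.0.99", AC, 0x2222, True, 0, bytes(64)),
]

if __name__ == "__main__":
    found = fragments_from(SAMPLE, AP)
    for ident in capwap_fragment_ids(found):
        print(f"IP ID {ident:#06x}: CAPWAP datagram fragmented into", found[ident])
```

The total length of the first fragment (1396 bytes in the sample) is no larger than the MTU of the hop that fragmented the packet, which gives a starting point when lowering the tunnel MTU.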

C_Hanley
New Contributor

Sorry to dig up an old comment, but we are running into this exact thing.

2 SSIDs, 1 for guests, 1 for employees.

Guest one works fine (internet access only, no internal resources).

Employee SSID is intermittently not working for some users (they can connect to the AP, but no internet access).

 

Fortigate managing (6) FortiAP 231F.

 

Fortigate->Fortiswitch->FortiAPs

 

Fortigate is acting as recursive DNS server with a zone setup as a shadow and forwarding to our Internal Primary/Secondary internal DNS server over ipsec tunnel to datacenter.

 

All was working fine for about a year, then we upgraded firmware on Fortigate/Fortiswitch/FortiAP.

Fortigate - 7.2.5
Fortiswitch - 7.4.0
FortiAP - 7.2.0

 

Any additional thoughts/suggestions?

Konrad1311

Hello
I also know that this is digging up an old topic, but I have the same issue and I can't find how to manage this point.
Do you have any updates / fixes for this case?

BR 

 

Konrad 

EK
New Contributor

 

Seeing the same on 100F - with system DNS set to internal servers

 Setting 8.8.8.8 for Wi-Fi DNS would result in internet connections

for internal DNS:

 add feature DNS Database

 added DNS server to the Wi-Fi interface forwarded to system DNS 

 set Wi-Fi DHCP - default gateway and DNS server to interface IP 

Konrad1311
New Contributor

Hello EK,
Thank you for your answer 

 

Unfortunately, I had DNS set for internal with settings similar to those you are suggesting, but without any results.
When I set it to 8.8.8.8, nothing changed.
The issue still exists.

EK
New Contributor

Then I would check the Wi-Fi - WAN policy.

I had an IP mismatch once due to making interface setting updates.

Also check the logs for such traffic.

C_Hanley
New Contributor

In our case, when we experienced this intermittent issue (which we think was after some firmware updates), we ended up reloading the FortiAP profile for each of the APs; that did the trick. Switched it to the default one, saved, then went back in and changed it back to our company's AP profile.

Konrad1311

Hello
Thank you for your answers.
I will try to do something with the profile, but in my case the trouble is a little bit different.
You can access the internet from your computer, but when you connect your phone there is no way to do it.
You can't even ping your default gateway, which is in the same subnet.
You will get the message "no route to host".

I created a ticket with support, but I saw that this issue is common, so I decided to ask the community also.
