Hello,
We've got a problem in our network. When devices are connected to two different access points (Local-WiFi-radio and FortiAP-221E), they can't seem to find each other even though they're on the same SSID. But, if they're connected to the same access point, everything works fine. Devices operate in Tunnel mode.
We made sure that the setting which stops devices from talking to each other (client isolation) is turned off on both the access points. Also, we checked that both are set up to work in the same subnet. Still, we're stuck with this issue.
We're using a FortiWiFi 40F and a FortiAP 221-E.
Problem:
ClientA -> FortiAP1 -> FortiGate (FortiWiFi) -> FortiAP2 -> ClientB - Ping Fail
ClientA -> FortiAP1 -> FortiGate (FortiWiFi) -> FortiAP1 -> ClientB - Ping Success
ClientA -> FortiAP2 -> FortiGate (FortiWiFi) -> FortiAP2 -> ClientB - Ping Success
Hi Misha
Please run the following on FG while you are pinging from client A to client B.
diagnose debug enable
diagnose debug flow filter saddr x.x.x.x (Client-A IP)
diagnose debug flow filter daddr y.y.y.y (Client-B IP)
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
Thank you!
I followed these instructions and there is nothing in the output. Moreover, when ping works and devices see each other (devices connected to the same access point), there is nothing either. Traffic does not pass through FortiGate. At the same time, the SSID traffic mode is in Tunnel mode, and both access points are also in Tunnel mode.
Hi @misha,
Can you check whether you have this option enabled? https://community.fortinet.com/t5/FortiAP/Techincal-Tip-How-Block-intra-SSID-traffic-option-on-ssid/...
Regards,
It is disabled
Have you tried to disable "Broadcast suppression" in SSID configurations?
Hello, it doesn't work.
If the end hosts are Windows hosts, you can check the ARP table for an entry for the respective node. From CMD, use the command:
>arp -a
Did you manage to check the ARP table on the end host?
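The ARP check suggested above is worth automating when you have several clients to compare. The script below is an added example, not part of the thread: it parses the Windows `arp -a` output format and reports whether the peer (Client B) has a resolved entry on Client A. A missing entry means Client A's ARP broadcast never got an answer across the two APs (pointing at broadcast/ARP forwarding between the APs), while a resolved entry with a failing ping points at unicast forwarding instead. The interface address, IPs and MACs in the sample are constructed.

```python
"""Parse Windows `arp -a` output and classify the ARP state of a peer host.

Added example (not from the forum thread). The sample output below is
constructed to mimic what `arp -a` prints on a Windows host; all addresses
are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `arp -a` output (Windows layout); the IPs/MACs are made up.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.10.21 --- 0xc
  Internet Address      Physical Address      Type
  192.168.10.1          00-09-0f-aa-bb-cc     dynamic
  192.168.10.22         a4-5e-60-11-22-33     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One "Interface:" header per local adapter, followed by its entries.
IFACE_RE = re.compile(r"^Interface:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+"
    r"(?P<type>dynamic|static)\s*$"
)


@dataclass(frozen=True)
class ArpEntry:
    interface_ip: str   # local adapter the entry was learned on
    ip: str             # peer IPv4 address
    mac: str            # peer MAC, normalised to lower case
    entry_type: str     # "dynamic" (learned via ARP) or "static"


def parse_arp_table(text: str) -> List[ArpEntry]:
    """Return every ARP entry in `arp -a` output, tagged with its adapter."""
    entries: List[ArpEntry] = []
    current_iface: Optional[str] = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current_iface = m.group("ip")
            continue
        m = ENTRY_RE.match(line)
        if m and current_iface is not None:
            entries.append(ArpEntry(current_iface, m.group("ip"),
                                    m.group("mac").lower(), m.group("type")))
    return entries


def lookup_peer(entries: List[ArpEntry], peer_ip: str) -> Optional[ArpEntry]:
    """Find the ARP entry for peer_ip, or None if the host never answered ARP."""
    for entry in entries:
        if entry.ip == peer_ip:
            return entry
    return None


def classify(text: str, peer_ip: str) -> str:
    """Classify the peer's ARP state from `arp -a` output.

    'missing'  -> no entry: the ARP request/reply did not make it across the
                  wireless path, so look at broadcast/ARP handling between APs.
    'resolved' -> dynamic entry present: layer-2 resolution works, so a failing
                  ping points at unicast forwarding or policy instead.
    'static'   -> a manually configured or multicast/broadcast entry.
    """
    entry = lookup_peer(parse_arp_table(text), peer_ip)
    if entry is None:
        return "missing"
    return "resolved" if entry.entry_type == "dynamic" else "static"


if __name__ == "__main__":
    # Assumed peer (Client B) address; replace with the real one when running
    # against `arp -a` output captured on Client A.
    peer = "192.168.10.22"
    print(f"{peer}: {classify(SAMPLE_ARP_OUTPUT, peer)}")
```

Capture the real table with `arp -a > arp.txt` on Client A while the ping is running, then feed the file's contents to `classify` with Client B's address; running the check from both clients shows whether the failure is symmetric.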
Hi Misha,
By default, each SSID in tunnel mode is considered an interface, so if you want to enable communication between devices connected to different interfaces you will have to create firewall policies. Do you have those in place between the interfaces?
Regards,
Andres