I have posted this question to r/Fortinet and to spiceworks, and so far no one has an answer for me.
First, I should state that I am a huge fan of Fortinet. We manage and recommend many of their products. Their firewalls are miles better in value and features than any I have seen.
The APs though....
To summarize, all APs we have in production max out at around 220Mbps to the end clients (maybe 60 APs at different clients). I haven't tested the 421 series, but all others (regardless of model or release date) offer the exact same throughput.
We have had 4 tickets open with support for APs that simply cannot produce bandwidths to the specifications of the devices. I have gone through the support calls, and even brought out an exact same spec AP from another manufacturer (6 antenna wave 2, 802.11ac max speed 1.3 Gbps release date 2012) to compare to their FAP321C. They can't help. It's maddening. They go through the checklist, and we see no improvement. I see a million different forum posts that are similar, and never reach any answer.
FAP 221E with 6.0.5 firmware (FP221E-v6.0-build0066) gives 303 Mbps with other devices connected in an area with a lot of RF noise and multiple interfering channels from neighbors.
Can you post more details about your config to clarify? Along with firmware version and screenshots, details like:
I'm managing FAPs from FortiGates, so you might not be able to change these settings.
I've had both speed and connection issues with some devices when PMF was enabled in the past (mainly older iOS and Apple devices). CLI lets you set it to disable or optional per SSID (config wireless-controller vap). Don't know how you get to it with cloud management.
Regarding WIDS (https://docs.fortinet.com/document/fortigate/6.0.0/handbook/961129/wireless-intrusion-detection-syst...), I don't see it in the FortiCloud documentation, so don't know how it's handled for your case. But some aspects of it, like scanning for rogue APs, could have perf hits.
I'm assuming that you have spectrum analysis off (under radio config for the wtp-profile) or you would see even worse performance.
Have you tested with any non-FortiCloud managed FAPs? Would be good to look at a default FAP 221E in bridge mode without cloud management to see if this might be a result of some setting on the cloud managed FAPs.
Hoping that somebody with more WiFi knowledge than me jumps in here...
Update:
I think we have narrowed it down. Switching management to the fortigate from forticloud remedied the speed limit issue. This is good, I can now resolve this, however, forticloud management is really useful for managing many clients. I would really love to fix this for forticloud.
Just for reference, working with Fortinet support, we have made the FortiCloud setup identical to the FortiGate management and the issue persists. What is more, I have tried disabling and changing certain features on the FortiGate management side to try to replicate the speed limit using hardware, and no matter what I do, I cannot reproduce the speed limit when managed locally. I think this is something wrong with FortiCloud management, and definitely not the APs.
Thanks for posting what you found. Certainly sounds like the FortiCloud management of the FAPs is the culprit. Hopefully this encourages Fortinet to track down the root cause quickly.
BTW, are you able to CLI to the FortiCloud controlled FAPs? Just wondering if, along with comparing all the basic settings between the cloud and FortiGate controlled FAPs, you could compare all the cw_diag info too. Maybe the cloud FAPs have something weird set for airtime fairness or similar.
Yes, I can. Are you talking about the cfg -e results? I can do that right now.
Edit:
What cw-diag commands should I check? It seems like there are a million options.
TAC might have more ideas, but I'd check and compare
cw-diag -c wtp-cfg
cw-diag -c radio-cfg
cw-diag -c vap-cfg
cw-diag -c wids
and just in case something silly was left on:
cw_diag --tlog off
cw_diag --clog off
to turn off telnet and console logging. Wouldn't be the first time a product shipped with debug logging left on...
Ok, I checked out the cfg -e, and no significant differences. However... the cw_diag -c radio_cfg outputs had one super noticeable thing.
On FortiGate:
wids : disabled
On FortiCloud:
wids : wl-bridge bc-deauth nl-pbresp long-dur mac-oui wep-iv spoof-deauth asleap auth-flood assoc-flood eapol deauth-unknown-src
long-dur-thresh: 8200
auth-flood: time=10, thresh=30
assoc-flood: time=10, thresh=30
deauth-unknown-src: thresh=10
There is no ability to turn on/off WIDS on FortiCloud.
Also chutil meas is on for FortiGate and off for FortiCloud. Not sure what this is.
On cw_diag -c wtp-cfg
I see a bunch of things different, but one that interests me is:
ip-frag-prevent : TCP_MSS TUN_MTU (ul_mtu=1400 dl_mtu=1400) (forticloud)
ip-frag-prevent : TCP_MSS (ul_mtu=1500 dl_mtu=1500) (fortigate)
I am available now if you are. 202-271-4678
So the FortiCloud managed FAP has a whole WIDS config, plus a different MTU. Sounds like plenty for you to go to TAC with. I would think they would have strong motivation to track this down.
That MTU doesn't really make sense to me if they aren't tunneling.
Just to check, you didn't see sensor-mode or ap-scan enabled (under wids)?
That is correct. No sensor-mode or ap-scan. I really think it's the MTU size mismatch. I checked wireless clients, and they are all at 1500, fortigates all at 1500, but the fortiaps that are forticloud controlled are all 1400. That should cause fragmentation, and thus the speed limit.
What drives me CRAZY is that this is every FAP we manage, which likely means that (unless there is something wrong with our tenant) all cloud managed FAPs are getting packet fragmentation. It seems hard to believe that no one would have noticed this until me, so I will proceed with support with guarded optimism.
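Added example, not code from this thread or from Fortinet: a small Python comparator for the kind of cw_diag output quoted in the posts above. It parses the key/value lines, pulls ul_mtu/dl_mtu out of the ip-frag-prevent line and flags an AP whose tunnel MTU sits below the client MTU (the fragmentation theory from the last post), lists WIDS detectors enabled on one AP but not the other, and reports any other key whose value differs. The two sample dumps are constructed from the values quoted in the thread, not real captures.

```python
import re

# Constructed sample cw_diag output modelled on the lines quoted in this thread
# (values as the poster reported them; not a real capture).
FORTIGATE_MANAGED = """\
wids : disabled
chutil meas : enabled
ip-frag-prevent : TCP_MSS (ul_mtu=1500 dl_mtu=1500)
"""
FORTICLOUD_MANAGED = """\
wids : wl-bridge bc-deauth nl-pbresp long-dur mac-oui wep-iv spoof-deauth asleap auth-flood assoc-flood eapol deauth-unknown-src
chutil meas : disabled
ip-frag-prevent : TCP_MSS TUN_MTU (ul_mtu=1400 dl_mtu=1400)
"""
CLIENT_MTU = 1500  # MTU the poster measured on wireless clients and FortiGates

def parse_cw_diag(text):
    """Turn 'key : value' lines into a dict with lowercase keys."""
    cfg = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            cfg[key.strip().lower()] = value.strip()
    return cfg

def tunnel_mtus(cfg):
    """(ul_mtu, dl_mtu) from the ip-frag-prevent line, or None if absent."""
    m = re.search(r"ul_mtu=(\d+)\s+dl_mtu=(\d+)", cfg.get("ip-frag-prevent", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None

def wids_features(cfg):
    """Set of enabled WIDS detectors; empty when the value is 'disabled'."""
    value = cfg.get("wids", "disabled")
    return set() if value == "disabled" else set(value.split())

def compare(ref_text, cand_text, client_mtu=CLIENT_MTU):
    """Throughput-relevant settings where the candidate AP differs from the
    reference: tunnel MTU below client MTU, extra WIDS detectors, other keys."""
    ref, cand = parse_cw_diag(ref_text), parse_cw_diag(cand_text)
    findings = []
    mtus = tunnel_mtus(cand)
    if mtus and min(mtus) < client_mtu:
        findings.append(f"mtu-mismatch: AP {mtus} below client {client_mtu}, expect fragmentation")
    extra = wids_features(cand) - wids_features(ref)
    if extra:
        findings.append("wids-enabled: " + " ".join(sorted(extra)))
    for key in sorted((set(ref) & set(cand)) - {"wids", "ip-frag-prevent"}):
        if ref[key] != cand[key]:
            findings.append(f"differs: {key}: {ref[key]!r} -> {cand[key]!r}")
    return findings
```

Run `compare(FORTIGATE_MANAGED, FORTICLOUD_MANAGED)` against real `cw_diag -c wtp-cfg` / `radio-cfg` dumps pasted into the two strings to get the same three categories of difference the thread found by eye.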