Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
plushi
New Contributor

FortiAP 221E Broadcasts signal but has no internet connection

I've been having issues getting my AP to work while building my network. I have a Fortigate 40F connected to a Fortiswitch 108F connected to a a FortiAP 221E. The Fortigate is running 6.4.15 and the AP is running 6.0. The AP shows up in the Wifi/Switch controller > Managed FortiAPs and shows that it is online. Its broadcasting the SSID I setup, but when I connect to it, it shows connected with no wifi. It also has a VLAN with a manual IP config.

I'm confused and need help, would anyone know why this would be doing this?

Also does anyone know how to delete VLANS, its not giving me the option to delete them. I want to try and put them on the fortigate instead of the switch

1 Solution
laltuzar
Staff
Staff

Can FortiGate reach out internet (simply ping 8.8.8.8)?

If so, you can try to follow the steps from this guide to set up your SSID's users to reach internet: LAN Edge Deployment Guide

Fortinet TAC - LATAM Secure Access Team

View solution in original post

13 REPLIES 13
Brunn3r
New Contributor III

Is the Wifi SSID in Bridged mode? if yes, did you configure the VLAN id as allowed on the switchport, where the FortiAP is connected to? What VLAN id do you use? there are a few IDs that are reserved by Fortinet for internal purposes (see release notes).

plushi
New Contributor

The Wifi SSID is in Tunnel mode with HTTPS SSH PING and Security fabric connect checked. The AP is connected the the switch at port one. In fortiswitch ports, VLAN 20 is a native VLAN. 

I just tried putting the VLAN on the allowed list instead of the native list and it made the AP 2.5 and 5 ghz light turn off

I think I should also mention I have a red! stating I am unable to connect to Fortiguard servers

ebilcari

If the AP is online (VLAN 20) and you are using tunneled SSID you don't need to change VLAN configuration on the switch port where the AP is connected. The user traffic will be tunneled to the FGT and the switch is not aware of other subnets/VLANs. You need to configure an IP network and a DHCP server for the WiFi users under SSID configuration:

test-ssid.PNG

and also create a firewall policy that allows internet access from the SSID as 'Incoming Interface'.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
plushi

My WiFi network has an IP and a DHCP server, and it has a firewall policy

Incoming int: WiFi
Outgoing int: SD wan zone (WAN port)

Source: Wifi address

Destination: All
Service: All

jhussain_FTNT

Hi

Have you configured firewall policy to allow traffic from SSID interface to wan interface.

You can run the below debug logs and check the traffic is allowing by firewall policy

 diag debug flow filter addr x.x.x.x  ---where x.x.x.x is the IP address of client

 diag debug flow show function-name enable

 diag debug console timestamp enable

 diag debug flow trace start 100

diag debug enable  

 

Also i would suggest to configure the DHCP server in the ssid and check the client is receiving the IP address.  

 

Regards

Jamal

plushi

I replied in the comment below

plushi
New Contributor

I can't connect to the CLI of the AP (no power cable) itself but I tried running those commands in the fortigate CLI and it wasnt going through.

Theres a Wifi Firewall policy.
Incoming interface: The wifi network
Outgoing interface: SD WAN zone (WAN port on fortigate)
Source: Wifi Address
Destination: all
Service: All

Policy for VLAN 20 
Incoming Int: VLAN 20
Outgoing int: SD wan zone
Source: VLAN 20 wifi address
Destination: All
Service: All

I just configuered the  SSID IP/Netmask so its in the same subnet instead of being 0.0.0.0/0.0.0.0

 

When I connect to the AP and it shows connected but no internet, my computer does not recieve the IP address the the AP recieves my computers IP

 

laltuzar

By the way, if you can't connect to the AP but it is online, you may reach it via SSH. You just need to enable the access via SSH: Technical Tip: How to enable SSH access to FortiAP managed by FortiGate

Fortinet TAC - LATAM Secure Access Team
laltuzar

If your computer is not receiving an IP address when connected to the SSID, that means that there is no DHCP Server configured. Go to the SSIDs and make sure you have already set up the IP/Netmask, then enable the DHCP Server. After the station connects to the SSID, it should receive an IP from this pool.

Fortinet TAC - LATAM Secure Access Team
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors