Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDRCloud
- FortiNDR (on-premise)
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: FortiAP fragmentation issues
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiAP fragmentation issues
Hi all
I have a problem with the FortiAP 221E
I have a fleet of 50 FortiAPs on different networks interconnected in MPLS.
FortiAP management is done via a FortiGate 600E and a FortiManager
The FortiAps are all in 7.0.6
The FortiGate is in 7.0.11
The FortiManager is in 7.0.7
Here is the problem :
For some reason that I cannot identify, from time to time (on average one to two terminals per week), the terminal no longer responds to a ping with a packet size > 1500. Example ping –l 1800
When the problem occurs, I test the ping from the terminal's LAN, to rule out any MPLS fragmentation problem.
This makes the terminal unusable for customers (out of service captive portal, out of service PC authentication, etc.) anything that uses SSL no longer works. They therefore become unusable. On the other hand, a normal ping (< 1500) continues to work.
When this happens, I reboot the terminal (via the FortiManager or via the web interface of the terminal) and after restarting, the terminal is OK, the fragmentation is done well.
I tried different firmwares (from 7.0.5 to 7.2.2), it doesn't change anything.
BAUD_RATE:=9600
WTP_VERSION:=FortiAP-221E v7.0,build0108,230329 (GA)
FIRMWARE_UPGRADE:=0
FACTORY_RESET:=0
LOGIN_PASSWD_ENC:=xxxxxxxxxxxxxxxxxxxxxx
ADMIN_TIMEOUT:=5
WANLAN_MODE:=WAN-ONLY
AP_MODE:=0
STP_MODE:=0
AP_MGMT_VLAN_ID:=0
ADDR_MODE:=DHCP
AP_IPADDR:=192.168.1.2
AP_NETMASK:=255.255.255.0
IPGW:=192.168.1.1
DNS_SERVER:=208.91.112.53
ALLOW_HTTPS:=2
ALLOW_SSH:=2
AC_DISCOVERY_TYPE:=0
AC_IPADDR_1:=192.168.1.1
AC_IPADDR_2:=
AC_IPADDR_3:=
AC_HOSTNAME_1:=_capwap-control._udp.example.com
AC_HOSTNAME_2:=
AC_HOSTNAME_3:=
AC_DISCOVERY_MC_ADDR:=224.0.1.140
AC_DISCOVERY_DHCP_OPTION_CODE:=138
AC_DISCOVERY_FCLD_APCTRL:=
AC_DISCOVERY_FCLD_ID:=
AC_DISCOVERY_FCLD_PASSWD_ENC:=
AC_CTL_PORT:=5246
AP_DATA_CHAN_SEC:=clear,ipsec,dtls
BONJOUR_GW:=2
MESH_AP_TYPE:=0
LED_STATE:=2
WAN_1X_ENABLE:=0
WAN_1X_USERID:=
WAN_1X_PASSWD_ENC:=
WAN_1X_METHOD:=0
Here is the configuration of a terminal (they all have the same configuration)
have you encountered this problem before?
how to fix it?
Thanks for your help
Labels:
- Labels:
-
FortiAP
- « Previous
-
- 1
- 2
- Next »
14 REPLIES 14
Created on 05-16-2024 06:29 AM Edited on 05-16-2024 06:56 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone
I've upgrade all my FortiAP to 7.2 (last build FP221E-v7.2-build0367) and all my other FortiProducts in 7.2 too (FortiGate, Manager, ...)
It's a nightmare.
I was having less than 5 AP on 80 having this problem daily (not always the same, perhaps 20 of the 80 where frequently having issues)
I've add a script on the FortiGate to reboot daily all the FortiAP.
Since upgrade to 7.2, i have more than 12 FortiAP to reboot daily.
The guide you've linked ebilcari, is not adapted. it's a solution for a client who have issues over CAPWAP due to fragmentation.
My probleme is the FortiAP fragmentation itself.
One of the consequense is the impossibility for the AP to speak with the Fortiget over SSL
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The guide was suggested for jirikovoego and affects the user traffic received through WiFi, in your case the AP management traffic is affected. Did you follow up this issue with TAC support?
Does the CAPWAP tunnel stays up when this happens?
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've upgraded to build 0367 and two weeks it seems fine. But I need more time for testing.
Created on 06-13-2024 11:25 PM Edited on 06-13-2024 11:35 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately, the issue is back. I tried change configuration you mention like this:
edit The-FAP-Profile
set ip-fragment-preventing tcp-mss-adjust
set tun-mtu-uplink 1200
set tun-mtu-downlink 1200
end
No luck, after two weeks I'm not able work with packets longer, then 1414 :(
Edit: When this situation happened, I'm not ping longer data-size from FortiGate directly to FortiAP (via wire, the same network, no routers between).
Other APs, with same profile works fine.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone
I still have problems in version FP221E-v7.2-build0367.
I still have problems in version FP221E-v7.2-build0367.
Fortinet asked me to test another firmware with an advanced (more verbose) debug mode in version FP221E-v7.2-build0337.
This version has, to date, not had any problems.
I have deployed it on 15 terminals for a month.
I also just tested the latest version in FP221E-v7.4-build0644 (7.4.4), with Fortigate in 7.2.
This version is also no longer a problem. It seems that Forti understood that there was a problem because in this version, they indicate that they have fixed a fragmentation bug. (BugID 0899796)
This version has, to date, not had any problems.
I have deployed it on 15 terminals for a month.
I also just tested the latest version in FP221E-v7.4-build0644 (7.4.4), with Fortigate in 7.2.
This version is also no longer a problem. It seems that Forti understood that there was a problem because in this version, they indicate that they have fixed a fragmentation bug. (BugID 0899796)
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,815 -
FortiClient
1,789 -
5.2
801 -
FortiManager
747 -
5.4
639 -
FortiAnalyzer
567 -
FortiSwitch
481 -
FortiAP
476 -
FortiClient EMS
440 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
218 -
FortiWeb
211 -
5.0
196 -
FortiNAC
196 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
110 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
99 -
FortiToken
92 -
Firewall policy
86 -
Customer Service
81 -
Wireless Controller
81 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
60 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
DNS
47 -
FortiExtender
46 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
37 -
NAT
37 -
SAML
36 -
Certificate
36 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SSO
34 -
VDOM
33 -
Interface
32 -
FortiConnect
30 -
FortiLink
29 -
Application control
28 -
FortiWAN
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1748 | |
| 1114 | |
| 764 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.