FortiAP fragmentation issues
Hi all
I have a problem with the FortiAP 221E
I have a fleet of 50 FortiAPs on different networks interconnected in MPLS.
FortiAP management is done via a FortiGate 600E and a FortiManager
The FortiAPs are all in 7.0.6
The FortiGate is in 7.0.11
The FortiManager is in 7.0.7
Here is the problem:
For some reason that I cannot identify, from time to time (on average one to two terminals per week), the terminal no longer responds to a ping with a packet size > 1500. Example: ping -l 1800
When the problem occurs, I test the ping from the terminal's LAN, to rule out any MPLS fragmentation problem.
This makes the terminal unusable for customers (out of service captive portal, out of service PC authentication, etc.) anything that uses SSL no longer works. They therefore become unusable. On the other hand, a normal ping (< 1500) continues to work.
When this happens, I reboot the terminal (via the FortiManager or via the web interface of the terminal) and after restarting, the terminal is OK, the fragmentation is done well.
I tried different firmwares (from 7.0.5 to 7.2.2), it doesn't change anything.
BAUD_RATE:=9600
WTP_VERSION:=FortiAP-221E v7.0,build0108,230329 (GA)
FIRMWARE_UPGRADE:=0
FACTORY_RESET:=0
LOGIN_PASSWD_ENC:=xxxxxxxxxxxxxxxxxxxxxx
ADMIN_TIMEOUT:=5
WANLAN_MODE:=WAN-ONLY
AP_MODE:=0
STP_MODE:=0
AP_MGMT_VLAN_ID:=0
ADDR_MODE:=DHCP
AP_IPADDR:=192.168.1.2
AP_NETMASK:=255.255.255.0
IPGW:=192.168.1.1
DNS_SERVER:=208.91.112.53
ALLOW_HTTPS:=2
ALLOW_SSH:=2
AC_DISCOVERY_TYPE:=0
AC_IPADDR_1:=192.168.1.1
AC_IPADDR_2:=
AC_IPADDR_3:=
AC_HOSTNAME_1:=_capwap-control._udp.example.com
AC_HOSTNAME_2:=
AC_HOSTNAME_3:=
AC_DISCOVERY_MC_ADDR:=224.0.1.140
AC_DISCOVERY_DHCP_OPTION_CODE:=138
AC_DISCOVERY_FCLD_APCTRL:=
AC_DISCOVERY_FCLD_ID:=
AC_DISCOVERY_FCLD_PASSWD_ENC:=
AC_CTL_PORT:=5246
AP_DATA_CHAN_SEC:=clear,ipsec,dtls
BONJOUR_GW:=2
MESH_AP_TYPE:=0
LED_STATE:=2
WAN_1X_ENABLE:=0
WAN_1X_USERID:=
WAN_1X_PASSWD_ENC:=
WAN_1X_METHOD:=0
Here is the configuration of a terminal (they all have the same configuration)
Have you encountered this problem before?
How to fix it?
Thanks for your help
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hello,
Did you already have a look at this document?:
Regards,
Created on ‎04-19-2023 12:12 AM Edited on ‎04-19-2023 12:16 AM
Good morning
Thank you for your reply.
I have already seen the documentation you are talking about but it does not relate to my problem.
The doc talks about a fragmentation concern for customers of the wifi terminal through a CAPWAP tunnel.
My problem is different, it's the terminal itself which no longer wants to fragment for some unknown reason.
As a reminder:
I try to ping the terminal from a PC on the same LAN (connected by cable on the same switch)
Example:
PC 192.168.1.10
FortiAP 192.168.1.11
From the PC: ping -s 1800 192.168.1.11 -> ok
Then, for no reason, this same command no longer passes.
On the other hand, ping 192.168.1.11 remains ok.
After rebooting the terminal, the ping -s 1800 192.168.1.11 is again OK
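
The symptom described in this post (a default-size ping is answered while a ping larger than the MTU is not) can be checked across a fleet, shown here as an added example that is not part of the original thread. It assumes a Linux host with iputils `ping` (`-c`, `-W`, `-s`); the function names and the 56/1800-byte sizes are illustrative choices.

```python
import subprocess
import sys


def ping(host, size, timeout=2):
    """Send one ICMP echo with `size` payload bytes; True if a reply came back.
    Assumes Linux iputils ping flags (-c count, -W timeout, -s payload size)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-s", str(size), host]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout + 3)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return done.returncode == 0


def classify(small_ok, large_ok):
    """Map the two probe results onto the states discussed in the thread."""
    if not small_ok:
        return "unreachable"            # AP is down or not routable at all
    if large_ok:
        return "ok"                     # fragmented echo is reassembled and answered
    return "fragmentation-failure"      # small ping works, >MTU ping does not


def check_fleet(hosts, probe=ping, small=56, large=1800, retries=3):
    """Probe every AP with a small and an oversized ping.
    Each probe is retried so that one lost packet is not reported as a fault."""
    report = {}
    for host in hosts:
        small_ok = any(probe(host, small) for _ in range(retries))
        large_ok = small_ok and any(probe(host, large) for _ in range(retries))
        report[host] = classify(small_ok, large_ok)
    return report


def affected(report):
    """Hosts that show the thread's symptom and are candidates for a reboot."""
    return sorted(h for h, state in report.items() if state == "fragmentation-failure")


if __name__ == "__main__":
    # Usage: python3 check_frag.py 192.168.1.11 192.168.1.12 ...
    result = check_fleet(sys.argv[1:])
    for host, state in result.items():
        print(f"{host}\t{state}")
    sys.exit(1 if affected(result) else 0)
```

Run from a machine on the same LAN as the APs, as the post does, so that path fragmentation elsewhere in the network is excluded from the result.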
Hi @cclg_support. I have exactly the same issue. Did you handle it?
Do you also have MPLS in your network between the AP and the FGT? Is it the management or the user's traffic that gets affected, and are you using bridge or tunnel SSID?
If you have found a solution, please like and accept it to make it easily accessible for others.
No. It's FortiAP (221E) -> POE Switch -> FortiGate. After some time, access points (not all of them at one time) stop fragmenting packets. I can't ping e.g. the gateway (FortiGate) with -l 1500.
The quick solution is rebooting the affected AP, but you can't do this every few days.
It's CAPWAP, tunnel mode, all SSIDs are affected.
Any updates from anyone?
Have you tried to manually configure the MTU value to 1500 or 576 or overriding the fragmentation as suggested in the guide?
If you have found a solution, please like and accept it to make it easily accessible for others.
