Hi,
I am trying on my own to figure out how to replace my existing APs with FortiAPs 431F. I am planning to replace all the switches (which are Cisco, and some are HP) in the short run, but for now I am just replacing the APs.
It is a live network and I am very cautious, so each time I try something I do a backup.
I can see the SSID on my phone and laptop but I cannot connect. When I try to connect it shows "Connecting" and then "Couldn't get an IP address".
Can anyone guide me on where to start checking and what to check, please?
Thanks
Tazio
That's very strange. Since you got the FAP on-line at the FGT I have to assume you must have set CAPWAP/Security fabric enabled on "Local_Lan" interface. Then when a wifi client tries connecting to the tunnel mode SSID:FORTINETSSID, it should send out DHCP request broadcast message, which should reach the SSID interface at the FGT over the CAPWAP tunnel. And that should show up in the sniffing.
In my setup, when I sniff against the FAP's management interface (in your case over "Local_Lan") I can see the DHCP request inside of the CAPWAP encapsulation like below, since my FGT is running 7.4.7.
fg40f-utm (root) # diag sniffer packet fap 'host 172.17.105.2' 4 0 <-- fap is the management interface and 172.17.105.2 is the FAP's IP
<snip>
110.989750 fap -- 172.17.105.1.5246 -> 172.17.105.2.5246: udp 76
110.995458 fap -- 172.17.105.2.5246 -> 172.17.105.1.5246: udp 65
111.092546 fap -- 172.17.105.2.49269 -> 172.17.105.1.5247: udp 110
CAPWAP DATA :: -> ff02::1:ff8a:a996: icmp6: neighbor sol: who has fe80::f473:29ff:fe8a:a996
111.105648 fap -- 172.17.105.2.49269 -> 172.17.105.1.5247: udp 417
CAPWAP DATA 0.0.0.0.68 -> 255.255.255.255.67: udp 351 <-- request
111.106955 fap -- 172.17.105.1.5247 -> 172.17.105.2.49269: udp 373
CAPWAP DATA 192.168.5.1.67 -> 192.168.5.2.68: udp 315 <-- offer
111.110150 fap -- 172.17.105.1.5247 -> 172.17.105.2.49269: udp 88
CAPWAP DATA 192.168.5.1 -> 192.168.5.2: icmp: echo reply
111.111847 fap -- 172.17.105.2.5246 -> 172.17.105.1.5246: udp 99
111.112097 fap -- 172.17.105.1.5246 -> 172.17.105.2.5246: udp 65
111.114150 fap -- 172.17.105.2.5246 -> 172.17.105.1.5246: udp 88
You're supposed to be able to see something similar. If not, are you sure the client device can connect to another Wi-Fi network at a different place?
Toshi
Hi Toshi,
I am very sorry. I realized I did not send you the second reply earlier. I did get some output after some time.
Here they are:
PRIMARY # diag sniffer packet any 'udp and port 67' 4 0
interfaces=[any]
filters=[udp and port 67]
308.560279 port8 in 0.0.0.0.68 -> 255.255.255.255.67: udp 329
308.560283 Local_Lan in 0.0.0.0.68 -> 255.255.255.255.67: udp 329
308.560364 port9 in 0.0.0.0.68 -> 255.255.255.255.67: udp 329
308.561923 port9 in 10.21.68.1.67 -> 255.255.255.255.68: udp 320
308.561930 port8 in 10.21.68.1.67 -> 255.255.255.255.68: udp 320
308.561931 Local_Lan in 10.21.68.1.67 -> 255.255.255.255.68: udp 320
Thanks
Tazio
Created on 04-11-2025 09:49 AM Edited on 04-11-2025 12:13 PM
No. Those are DHCP requests directly to Local_Lan aggregated interface from wired devices, not over CAPWAP from wifi clients to FORTINETSSID interface. So your FGT is still not receiving DHCP requests from the clients.
As I showed before, "fap221b" is my SSID interface while "fap" is the VLAN interface the FAP is connected to. You should see DHCP requests to your SSID interface over CAPWAP, as I showed in the two sniffing results.
I would still suspect the source side (client side) unless something is wrong on the FAP itself. But try sniffing on the Local_Lan interface with your FAP's IP to make sure you have normal CAPWAP communication on UDP 5246 and 5247, as I showed above. The command line would look like below:
diag sniffer packet Local_Lan 'port 5246 or port 5247' 4 0
Toshi
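As an added illustration (not code from either poster), a small Python parser for the verbosity-4 output of `diag sniffer packet` that separates DHCP seen directly on a wired interface from DHCP decapsulated from a "CAPWAP DATA" line, so the two captures in this thread can be compared mechanically. The line format is assumed from the output quoted above, and the sample input is constructed from those captures:

```python
import re

# Constructed sample input: the two sniffer captures quoted in this thread,
# trimmed to the DHCP-relevant lines (not a live capture).
CAPTURE_TUNNEL = """\
111.105648 fap -- 172.17.105.2.49269 -> 172.17.105.1.5247: udp 417
CAPWAP DATA 0.0.0.0.68 -> 255.255.255.255.67: udp 351
111.106955 fap -- 172.17.105.1.5247 -> 172.17.105.2.49269: udp 373
CAPWAP DATA 192.168.5.1.67 -> 192.168.5.2.68: udp 315
"""
CAPTURE_WIRED = """\
308.560279 port8 in 0.0.0.0.68 -> 255.255.255.255.67: udp 329
308.560283 Local_Lan in 0.0.0.0.68 -> 255.255.255.255.67: udp 329
308.561923 port9 in 10.21.68.1.67 -> 255.255.255.255.68: udp 320
"""

OUTER = re.compile(r"^\d+\.\d+\s+(?P<intf>\S+)\s+(?:in|out|--)\s+(?P<rest>.*)$")  # "<ts> <intf> <dir> <pkt>"
UDP4 = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+): udp")  # "<src>.<sport> -> <dst>.<dport>: udp"
CAPWAP_DATA_PORT = 5247
DHCP_KIND = {(68, 67): "client->server", (67, 68): "server->client"}  # request / offer-ack

def udp_ports(text):
    """(sport, dport) of the first IPv4 UDP summary in text, else None."""
    m = UDP4.search(text)
    return (int(m[2]), int(m[4])) if m else None

def classify(capture):
    """List (interface, path, kind) for each DHCP packet; path is 'capwap'
    (decapsulated from a CAPWAP DATA line) or 'direct' (plain wired frame)."""
    events, intf = [], None
    for line in capture.splitlines():
        if line.startswith("CAPWAP DATA"):
            kind = DHCP_KIND.get(udp_ports(line))   # IPv6/ICMP inner lines give None
            if kind and intf:
                events.append((intf, "capwap", kind))
            continue
        o = OUTER.match(line)
        if not o:
            continue
        intf, ports = o["intf"], udp_ports(o["rest"])
        if not ports or CAPWAP_DATA_PORT in ports:
            continue    # tunnel payload is reported on the following CAPWAP DATA line
        kind = DHCP_KIND.get(ports)
        if kind:
            events.append((intf, "direct", kind))
    return events

def tunnel_dhcp_seen(events):
    """True only if some DHCP message came in over CAPWAP, i.e. from a wifi client."""
    return any(path == "capwap" for _, path, _ in events)
```

Run against the second capture it reports only "direct" DHCP on port8/port9/Local_Lan and no tunnelled DHCP, which is exactly the distinction made in the reply above.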
Hi,
Did you already try disabling the broadcast suppression option in the VAP (SSID) profile?
Broadcast suppression can block DHCP.
Hello,
I hope this is what you are telling me about.
Thanks
Tazio
Hi,
That's indeed what I was talking about :)
Let me know if it helps!
Unfortunately it did not.
Thanks
Tazio
Are you testing with more than one client device? Could the WiFi adapter be configured for static, so it's not requesting an IP?
I tested with 2 different cellphones and 2 different laptops.
Thanks
Tazio
Hi,
I am not sure if this small diagram will help in understanding how the FAP is connected.
There is my FW 100F where the WAN comes in, and 2 ports go downstream to my core SW, which is a Cisco L3 SW. The core SW does all the DHCP for all my VLANs, and the core SW is connected to multiple Cisco SWs via trunks. The FAP is connected to one of the Cisco SWs for testing purposes. Note that all the Cisco SWs will be removed later this year or next year.
Please see attached diagram. This is a simplified version of the actual network as we have 2 FW 100F stacked and the Core is also 2 stacked Cisco SW.
Any help step by step will be appreciated.
Thanks
Tazio