Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sanderl
New Contributor III

Created on ‎03-30-2023 10:00 AM Edited on ‎04-02-2023 11:41 PM

No reliable connection with hardware lan switch and bridged ssid

Ok hold on, this is going to be hard to believe and to describe. I have troubleshooted a lot and cannot find out where the problem lies. Suddenly I had this vague problems, of sites not loading, DNS not resolving, etc. Maybe related to upgrading to 7.0.10 or 7.0.11. Maybe not.

 

What does not work (but had always worked like this - for years):

  • I have a (existing) hardware switch "lan" with an SSID bridged to that (no VLANs).
  • The IP address is on the lan switch and the SSID is bridged.
  • Created a new test policy, top placed any/any allow, no filtering, NAT to internet.
  • When I connect a mobile to this SSID and start roblox (don't ask - this is a prio 1 for days now) it does not load any game.

 

What does work:

  • I have created a (new) test vlan (99) with an IP address on it, and a test SSID bridged to that vlan (99), connected to the lan switch as my FortiAPs reside there.
  • Created a new test policy, under the top placed any/any allow, no filtering, NAT to internet.
  • When I connect a mobile to this SSID and start roblox it does load games.

EDIT: Roblox is "the" way of proving/testing above. As described a lot more is not working smoothly, but a refresh of the page will do. Roblox seems to be a lot more  "picky" in the coneection stability.

 

Both "networks" are giving out the same DNS servers.

I have 6 VLANS connected via the lan hardware switch which all work(ed) well for years. Of which 3 have an IP adress on the VLAN interface and 3 are connected in a software switch with a port.

--> this can also be a separate topic because since this week I discovered the Fortigate does not allow me to select a VLAN anymore as a member of a softwareswitch (!), but this used to work and still works. Nothing to find in any release notes...

 

I cannot find any mentioning of any change in behavior. Also I have no active subscription on this device (81E) and thus cannot call support.

 

Is there anything I can do to (more) narrow down this issue?

8109
0 Kudos
62 REPLIES 62
sanderl
New Contributor III

Created on ‎03-31-2023 05:54 AM

Some extra information added. 2 files of traces. 

 

Trace Logging (failing):

dpaste/a8SOU (Python)

phone (192.168.1.175) connected to lan hardware switch failing to start roblox (DNS servers are on same subnet as phone).

 

Trace Logging (succesfull):

dpaste/kcoba (Python)

phone (192.168.99.2) connected to vlan99 succeeding to start robox. (DNS servers on lan, thus extra DNS traffic appended).

 

I really hope on any help :-).

1717
0 Kudos
gfleming
Staff
Staff

Created on ‎03-31-2023 10:40 AM

Can you try disabling NPU offloading for the non-working policy/policies?

https://docs.fortinet.com/document/fortigate/7.2.4/cli-reference/328620/config-firewall-policy

 

set auto-asic-offload disable

Cheers,
Graham
1709
sanderl
New Contributor III
In response to gfleming

Created on ‎03-31-2023 01:33 PM Edited on ‎03-31-2023 01:48 PM

Hi Graham, thank you for taking the time to look into my issue. I will look into your suggestion.

 

I do have a question about that. Why do you think it is the "policy"? Because I have created a new "simple" policy which has the same behavior as the existing policy.

 

to be clear:

on the lan hardwareswitch an any any allow to internet is enabled which does not alllow roblox to work.

on the vlan the same policy is in which does allow roblox to work.

 
EDIT: Tried you suggestion on the "faulty" policy 42. No change in behavior.
 
I do run 7.0.11, the documentation does to 7.2.4 and when selecting 7.0.11 it changes to local in policy...?
 

policy.png

1707
0 Kudos
sanderl
New Contributor III

Created on ‎03-31-2023 01:46 PM Edited on ‎03-31-2023 11:40 PM

Additional information.

 

I created a new (empty) hardwareswitch (hsw10) with port 10.

Connected a fortiap to port 10.

bridged an ssid to it.

added a new subnet on hsw10.

Added policy to internet.

Roblox works...

 

I have checked all settings of the network, compared all cli config.

There is really nothing to be seen that might play in here.

 

Any more help greatly appreciated. 

1707
0 Kudos
sanderl
New Contributor III

Created on ‎04-03-2023 06:01 AM

Sorry to chime in again. i could really use some help as most of my users are on lan (hardwareswitch) and all experience this unreliable traffic... wired / wireless (bridged). Please advise.

1656
0 Kudos
gfleming
Staff
Staff
In response to sanderl

Created on ‎04-03-2023 06:27 PM

If this is urgent I would suggest getting in touch with TAC.

 

Can you provide a screen shot of the interface configurations?

 

Can you also do a packet capture between a working connection and a non-working connection and upload those for analysis?

 

Cheers,
Graham
1651
0 Kudos
sanderl
New Contributor III

Created on ‎04-03-2023 11:45 PM Edited on ‎04-03-2023 11:47 PM

Hi Graham, thanks for helping out. I have no active subscription on this device so I would not be able to contact support right?

 

Attached screenshot:lan+hws.png

Some remarks about the screenshot:

same DNS server is no difference (now used google), tried some with LLDP on/off, currently the port 10 is not connected to the AP anymore

 

Packet capture is given here:

Trace Logging (failing):

https://dpaste.org/a8SOU

phone (192.168.1.175) connected to lan hardware switch failing to start roblox (DNS servers are on same subnet as phone).

 

Trace Logging (succesfull):

https://dpaste.org/kcoba

 

phone (192.168.99.2) connected to vlan99 succeeding to start robox. (DNS servers on lan, thus extra DNS traffic appended).

 

Or did you mean else?

1642
0 Kudos
gfleming
Staff
Staff
In response to sanderl

Created on ‎04-04-2023 08:29 AM

Yes I meant an actual packet capture like from Wireshark from the client itself.

 

Can you also show your SSID and bridge configurations?

Cheers,
Graham
1626
0 Kudos
sanderl
New Contributor III
In response to gfleming

Created on ‎04-04-2023 01:30 PM

When I have some more time I will capture.

 

Both ssids are on the same ap... of which the left is bridged directly on the lan switch (with an ip address and dhcp scope). the test99 is bridge into 99.

 

I had this running for around 3 years or so, on many FortiOS versions and just recently these vague problems started.

 

In the mean time, as I discovered a "newly" created hardwareswitch with an ssid bridge to that (with a new vlan) does work, I an now in the phase of migrating everything to a new harwareswitch and vlans.

 

It is a hassle due to the "refs" connected to everything and CLI is a too big risk to change...

 

so I would really hope to find out why this suddenly startedand is so clearly releated to my "old" hardwareswitch. --> it is not only wifi traffic having problems, also fixed (wired) devices connected directly to this hardwarswitch have vague conneciton problems.

 

Luckily Roblox is the most "picky" one with which I can easily prove something is wrong when conected to lan. And again, all is right on test99...

 

 

 

Attached but ssid configs:ssid.png

1623
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.