sanderl
New Contributor III

No reliable connection with hardware lan switch and bridged ssid

Ok hold on, this is going to be hard to believe and to describe. I have troubleshot a lot and cannot find out where the problem lies. Suddenly I had these vague problems, of sites not loading, DNS not resolving, etc. Maybe related to upgrading to 7.0.10 or 7.0.11. Maybe not.

 

What does not work (but had always worked like this - for years):

  • I have a (existing) hardware switch "lan" with an SSID bridged to that (no VLANs).
  • The IP address is on the lan switch and the SSID is bridged.
  • Created a new test policy, top placed any/any allow, no filtering, NAT to internet.
  • When I connect a mobile to this SSID and start roblox (don't ask - this is a prio 1 for days now) it does not load any game.

 

What does work:

  • I have created a (new) test vlan (99) with an IP address on it, and a test SSID bridged to that vlan (99), connected to the lan switch as my FortiAPs reside there.
  • Created a new test policy, under the top placed any/any allow, no filtering, NAT to internet.
  • When I connect a mobile to this SSID and start roblox it does load games.

EDIT: Roblox is "the" way of proving/testing the above. As described, a lot more is not working smoothly, but a refresh of the page will do. Roblox seems to be a lot more "picky" about connection stability.

 

Both "networks" are giving out the same DNS servers.

I have 6 VLANs connected via the lan hardware switch which all work(ed) well for years. Of which 3 have an IP address on the VLAN interface and 3 are connected in a software switch with a port.

--> this can also be a separate topic because since this week I discovered the FortiGate does not allow me to select a VLAN anymore as a member of a software switch (!), but this used to work and still works. Nothing to find in any release notes...

 

I cannot find any mention of any change in behavior. Also I have no active subscription on this device (81E) and thus cannot call support.

 

Is there anything I can do to (more) narrow down this issue?

gfleming

Could it be some of the ports on your FortiGate have gone bad?

 

Can you try and allocate different physical ports to your existing hw switch and see if that fixes things? You shouldn't have to make huge config changes/worry about references with that.

 

Also what model FortiGate is this?

Cheers,
Graham
sanderl
New Contributor III

I doubt it. Both "lan" (normal bridged SSID) and the test99 SSID end up via the same switch, APs and uplink to the FortiGate...

 

FortiGate 81E

gfleming

What are connected to the two ports of your LAN hw switch?

 

Also, have you tried just creating a new SSID on the FortiAP in parallel with the existing SSID on the existing LAN hw switch? This would possibly rule out the switch vs fortigate vs ap as the problem.

Cheers,
Graham
sanderl
New Contributor III

1 Netgear unmanaged PoE switch and 1 ESXi host are connected to 2 ports of the hw lan switch. The FortiAPs are connected to the PoE switch.

 

I have indeed tried to create an SSID (test99) beside the normal SSID. Please reread the thread :-).

 

I will try to capture.

 

In the meantime I am transitioning to Netgear managed switches to be able to use VLANs and VLAN access ports. But that is just to drift away from the original problem.

Again, this always worked and did not change, and suddenly, 99% after the FortiOS 7.0.10 or 11 upgrade, it appeared...

gfleming

Please remember a lot of us are reading and responding to multiple threads and issues. It might be easier for you to repeat info if we are asking questions that have already been answered. In this case I did in fact read through the thread to review the info at hand and I can't see that you have in fact tried what I'm asking you to try.

 

All I'm asking you to do is create a new SSID with the exact same configuration (except for the SSID name of course) and have it broadcast out the same AP that is broadcasting the current SSID that causes issues.

 

What you've tried already is creating a new VLAN, new network, etc. 

 

Just create a new SSID and put it on the AP next to the current one that doesn't work. Do not use any new VLANs or anything.

Cheers,
Graham
sanderl
New Contributor III

Hi Graham, sorry if I offended you in any way by asking you to re-read. It was not meant to be. I just do not want to introduce extra uncertainty.

 

What you have asked, to create an extra SSID, I also tried; it was test98 and it was also directly bridged to the "lan" switch. It had the same problem (hence the lan hw switch).

 

What I have now is I have created a new hardware switch (HW-Switch) and I am in the process of moving everything to that new one via VLANs.

Indeed I introduced 2 new VLAN-capable switches and I have converted all config (interfaces) into VLANs. But this is quite a complex process (references, DHCP scopes, interface naming, etc.)... I am now so far that I am ready to change the config via CLI to reconfigure the VLANs connected to the "lan" hw switch to the new hw switch (and rename them).

 

Nevertheless, at this moment I still have the troubles on the bridged SSIDs to the lan switch (no vlan) which does not allow me (my kids) to start roblox on (and other vague connection problems).

I have now 2 packet captures as requested:

1 for the trouble connection via the lan hw switch (bridge to VLAN "0")

1 for the successful connection via the new hw switch and VLAN 99 (bridge to VLAN 99).

How can I attach those?

 

Extra information:

Years ago, might be on FOS 6.2 or 6.4 (maybe even 6.0), I had to connect SSIDs with VLANs in a software switch. That worked for years, but recently I discovered this option had magically disappeared from the GUI and even in the CLI! All worked fine but I was not able to (re)create that anymore. Hence if I accidentally deleted it, I could not recreate it. That is why I started to build over to using VLAN interfaces and bridge SSIDs to a VLAN and use VLAN-capable switches...

(fortinet helps the economy let's say).

 


gfleming

You absolutely can still bridge SSIDs to a software switch: https://docs.fortinet.com/document/fortiap/7.2.4/fortiwifi-and-fortiap-configuration-guide/478021/wi...

 

Why you would in your case doesn't make sense to me. You have VLAN-capable switches, just bridge the SSID to the VLAN natively at the switch port.

 

If moving everything to a new HW Switch is working then are you still doubting one of your FortiGate's physical ports being bad?

 

You can upload PCAP files to any online storage provider and create a sharing link?

Cheers,
Graham
sanderl
New Contributor III

Sorry, I should have been more specific. I used tunneled SSIDs for years.

 

Those cannot be bridged anymore. I will upload pcap files asap.

sanderl
New Contributor III

Here you go sir:

 

https://file.io/1cBKGDtO408C

gfleming

test99.root.1.pcap shows no TLS sessions to any roblox servers. lan.root.1.pcap shows a bunch of TLS sessions.

 

Are you sure you captured a working, new session to Roblox while capturing on test99?

Cheers,
Graham
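Graham's observation that one capture shows TLS sessions and the other shows none is the kind of thing worth checking mechanically before drawing conclusions. As an added example (not from this thread and not Fortinet's tooling), the script below lists which TLS server names (the SNI carried in each ClientHello) a capture contains and diffs two captures by that set, so a "missing" session can be told apart from a capture that simply did not include it. The file names lan.root.1.pcap and test99.root.1.pcap come from the thread; the two captures built at the bottom, their IP addresses and hostnames are constructed placeholders, not real traffic. The parser assumes a classic libpcap file (not pcapng) with Ethernet/IPv4/TCP framing; convert first if your export is pcapng.

```python
# Stdlib-only check of which TLS server names (SNI) a capture actually contains.
# Handles classic libpcap (not pcapng) with Ethernet/IPv4/TCP frames.
import struct
from collections import Counter

def pcap_frames(data):
    """Yield the raw frame bytes of every record in a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("need a classic pcap (not pcapng) with Ethernet frames")
    pos = 24                                     # skip the 24-byte global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        pos += 16                                # skip the per-record header
        yield data[pos:pos + incl_len]
        pos += incl_len

def tcp_payload(frame):
    """Return (dst_ip, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:            # IPv4 carrying TCP only
        return None
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    dst_ip = ".".join(str(b) for b in ip[16:20])
    return dst_ip, tcp[(tcp[12] >> 4) * 4:]      # skip TCP header and options

def client_hello_sni(payload):
    """Return the server_name in a TLS ClientHello record, or None."""
    # byte 0: record type 0x16 = handshake; byte 5: handshake type 0x01 = ClientHello
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = payload[9:]
    try:
        pos = 2 + 32                                         # client_version + random
        pos += 1 + p[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + p[pos]                                    # compression_methods
        end = pos + 2 + struct.unpack("!H", p[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", p[pos:pos + 4])
            pos += 4
            if etype == 0:   # server_name: list len (2), name_type (1), name len (2), name
                name_len = struct.unpack("!H", p[pos + 3:pos + 5])[0]
                return p[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        pass                                                 # truncated record
    return None

def sni_summary(pcap_bytes):
    """Count ClientHellos per (destination IP, SNI) in one capture."""
    counts = Counter()
    for frame in pcap_frames(pcap_bytes):
        parsed = tcp_payload(frame)
        sni = client_hello_sni(parsed[1]) if parsed else None
        if sni:
            counts[(parsed[0], sni)] += 1
    return counts

def compare_captures(capture_a, capture_b):
    """Return (SNI names only in a, SNI names only in b)."""
    names_a, names_b = ({sni for _, sni in sni_summary(c)} for c in (capture_a, capture_b))
    return sorted(names_a - names_b), sorted(names_b - names_a)

# ---- constructed sample captures standing in for lan.root.1.pcap / test99.root.1.pcap ----
def build_client_hello(sni):
    """Minimal TLS 1.2 ClientHello carrying one SNI (constructed test input)."""
    name = sni.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_frame(dst_ip, payload):
    """Ethernet/IPv4/TCP frame 10.0.0.5 -> dst_ip:443 (constructed, checksums zeroed)."""
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes(int(o) for o in dst_ip.split(".")))
    return bytes(12) + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (constructed)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

LAN_CAPTURE = build_pcap([                   # hostnames are placeholders, not real servers
    build_frame("203.0.113.10", build_client_hello("game.example.net")),
    build_frame("203.0.113.11", build_client_hello("cdn.example.net")),
    build_frame("203.0.113.12", b"GET / HTTP/1.1\r\n\r\n"),     # plaintext, not TLS
])
TEST99_CAPTURE = build_pcap([
    build_frame("203.0.113.11", build_client_hello("cdn.example.net")),
    build_frame("203.0.113.10", b""),                            # ACK with no payload
])

if __name__ == "__main__":
    print(sni_summary(LAN_CAPTURE))
    print("seen only on lan:", compare_captures(LAN_CAPTURE, TEST99_CAPTURE)[0])
```

To run it against real files, pass `open("lan.root.1.pcap", "rb").read()` and `open("test99.root.1.pcap", "rb").read()` to `compare_captures`. An empty summary for the capture taken on the working network means the capture did not include a fresh connection attempt, which is exactly the question raised above; only when both summaries contain the same names does a difference in how the sessions proceed become meaningful.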