sanderl
New Contributor III

No reliable connection with hardware lan switch and bridged ssid

Ok, hold on, this is going to be hard to believe and to describe. I have troubleshot a lot and cannot find out where the problem lies. Suddenly I had these vague problems of sites not loading, DNS not resolving, etc. Maybe related to upgrading to 7.0.10 or 7.0.11. Maybe not.

 

What does not work (but had always worked like this - for years):

  • I have an (existing) hardware switch "lan" with an SSID bridged to it (no VLANs).
  • The IP address is on the lan switch and the SSID is bridged.
  • Created a new test policy, placed at the top, any/any allow, no filtering, NAT to internet.
  • When I connect a mobile to this SSID and start Roblox (don't ask - this has been prio 1 for days now) it does not load any game.

 

What does work:

  • I have created a (new) test VLAN (99) with an IP address on it, and a test SSID bridged to that VLAN (99), connected to the lan switch as my FortiAPs reside there.
  • Created a new test policy, placed under the top one, any/any allow, no filtering, NAT to internet.
  • When I connect a mobile to this SSID and start Roblox it does load games.

EDIT: Roblox is "the" way of proving/testing the above. As described, a lot more is not working smoothly, but a refresh of the page will do. Roblox seems to be a lot more "picky" about connection stability.

 

Both "networks" are giving out the same DNS servers.

I have 6 VLANs connected via the lan hardware switch which all work(ed) well for years. Of which 3 have an IP address on the VLAN interface and 3 are connected in a software switch with a port.

--> this could also be a separate topic, because this week I discovered the FortiGate does not allow me to select a VLAN anymore as a member of a software switch (!), but this used to work and still works. Nothing to be found in any release notes...

 

I cannot find any mention of any change in behavior. Also I have no active subscription on this device (81E) and thus cannot call support.

 

Is there anything I can do to (more) narrow down this issue?

62 replies
sanderl
New Contributor III

See this post where the IoT SSID (tunneled!) is also bridge-connected to a port via a software switch:

https://community.fortinet.com/t5/Support-Forum/Bridging-SSID-via-VLANs/m-p/209561

 

This is not possible via the GUI or CLI anymore (in 7.0.11); only a bridge SSID can be connected now - hence I am rebuilding my config to VLANs on the FG and the FAP and ditching the software switches.

gfleming

So I spun up a FortiGate in my lab running 7.0.10. Even 6.4 I tried for good measure. And I was unable to bridge a Tunnel-mode SSID into a software switch. So I have no idea how you had this working in 7.0.10...


Either way, it makes more sense to me that you just convert your SSIDs to bridge mode and then you can bridge them however you want.

Cheers,
Graham
sanderl
New Contributor III

I had it running for years... Was the lab a physical device? 60E, 81E?

And have you seen the screenshots in the other topic? Exactly that.

 

My problem is not that, let's not focus on that. The problem is that a standard SSID which "drops" the traffic on the lan switch (software switch) on the FortiGate does not work OK anymore since 7.0.11. When reverting back to 7.0.10, and up to 7.0.10, it works like a charm. And Roblox is the app with which I can consistently check/troubleshoot this behavior.

 

--- Either way, it makes more sense to me that you just convert your SSIDs to bridge mode and then you can bridge them however you want.---

As described, that is what I have done between 7.0.10 and 7.0.11, but it is NOT the topic of this forum topic :)

gfleming

Alright, well, all I can say is it doesn't work for me either and I have no idea why or how it stopped for you by going from 7.0.10 to 7.0.11, or why it seems to work for the other guy on 7.2. That would be a great question for TAC to dig into, but unfortunately you do not have access to TAC.

 

Sounds like you have a solution now and you are working on fixing it. Good luck!

Cheers,
Graham
sanderl
New Contributor III

??? Now you are focusing again on that software switch. That is NOT the issue. The issue is... never mind.

 

Thanks for the luck; it seems that is the only thing my FortiGate needs...

 

(ps. thanks for your time as well)

gfleming

Well now you've got me thoroughly confused. You have brought up the inability to use software switch bridging multiple times. Sounds like an issue to me.


But you also mention you are staying on 7.0.11 and converting to hardware switch with bridge SSIDs and I thought this was working for you?

 

I also understand you are in the middle of migrating everything to a single HW switch and having your downstream Netgear switches tied back into this unified interface. Why don't you complete this migration and see how network is behaving...

 

 

Cheers,
Graham
sanderl
New Contributor III

So... today was the big migration day. All converted to 1 HW switch with VLANs and all SSIDs bridged. Makes the config clearer and more consistent. It was a big hassle to get all the VLAN config into the Netgears; whoever thought of that interface must have been smoking something :-).

 

A quick recap of the situation before.

 

I came from a long road in terms of versions and config. All worked well for years when I was using software switches and by that means bridged tunneled (!) SSIDs to a software switch combined with a hardware port. A dumb switch connected to such a switch would pass all traffic, including tagged and untagged traffic.

This was very successful up until 7.0.10. When I upgraded to 7.0.11, problems started. At first it was not very clear: random white pages, slow loading, games not starting, etc. The best way to test was by starting a Roblox game. This would always fail in 7.0.11. Downgrading to 7.0.10 and it was always successful.

Because I needed to do some and the "software switch combination" was not accepted by the GUI and CLI anymore, I converted all networks to VLANs and created a new hardware switch (HW-Switch).

 

That's all in this novel of a topic.

 

Instantly, when downgrading to 7.0.10, all problems were gone!

 

But now that I have created the new setup I still have the same problems. Roblox on the SSID bridged to the LAN VLAN (10) is not able to start; Roblox on the test99 SSID, VLAN (99), starts. Always, no exception.

 

Below are the relevant configs, and attached the GUI.

[attached screenshots: fg1.png, fg2.png]

 

Config:

config system interface
    edit "HW-Switch"
        set vdom "root"
        set ip 192.168.253.1 255.255.255.0
        set allowaccess ping https ssh http
        set type hard-switch
        set lldp-reception enable
        set lldp-transmission enable
        set role lan
        set snmp-index 48
    next
    edit "test99ssid"
        set vdom "root"
        set type vap-switch
        set alias "b"
        set role lan
        set snmp-index 45
    next
    edit "HS-VLAN-LAN"
        set vdom "root"
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https ssh http
        set device-identification enable
        set monitor-bandwidth enable
        set role lan
        set snmp-index 49
        set interface "HW-Switch"
        set vlanid 10
    next
    edit "test99"
        set vdom "root"
        set ip 192.168.99.1 255.255.255.0
        set allowaccess ping https ssh http
        set role lan
        set snmp-index 14
        set interface "HW-Switch"
        set vlanid 99
    next
end


config system virtual-switch
    edit "HW-Switch"
        set physical-switch "sw0"
        config port
            edit "port7"
            next
            edit "port9"
            next
            edit "port10"
            next
            edit "port11"
            next
            edit "port12"
            next
        end
    next
end
sanderl
New Contributor III

2nd try. Wrote a long story, but it seems it did not save on the forum.

 

Today I had a busy day. Migrated everything to 1 HW-Switch. Everything is "functional" now. But you won't believe it. The problem persists. Roblox does work in VLAN 99 (SSID test99) but not in VLAN 10... (LAN VLAN)

 

Quick recap:

I did not have any problems up to 7.0.10. It started in 7.0.11. When downgrading to 7.0.10 the problems were gone. I had to upgrade to 7.0.11 due to the usage of SSL VPN.

I did use software switches combining hardware ports and tunneled SSIDs. Now all segments are VLANs on 1 hardware switch.

 

Some info from now:

[attached screenshots: fg1.png, fg2.png]

 

The config:

config system interface
    edit "HW-Switch"
        set vdom "root"
        set ip 192.168.253.1 255.255.255.0
        set allowaccess ping https ssh http
        set type hard-switch
        set lldp-reception enable
        set lldp-transmission enable
        set role lan
        set snmp-index 48
    next
    edit "test99ssid"
        set vdom "root"
        set type vap-switch
        set alias "b"
        set role lan
        set snmp-index 45
    next
    edit "HS-VLAN-LAN"
        set vdom "root"
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https ssh http
        set device-identification enable
        set monitor-bandwidth enable
        set role lan
        set snmp-index 49
        set interface "HW-Switch"
        set vlanid 10
    next
    edit "test99"
        set vdom "root"
        set ip 192.168.99.1 255.255.255.0
        set allowaccess ping https ssh http
        set role lan
        set snmp-index 14
        set interface "HW-Switch"
        set vlanid 99
    next
    edit "WiFi5G"
        set vdom "root"
        set type vap-switch
        set alias "b"
        set role lan
        set snmp-index 19
    next
end


config system virtual-switch
    edit "HW-Switch"
        set physical-switch "sw0"
        config port
            edit "port7"
            next
            edit "port9"
            next
            edit "port10"
            next
            edit "port11"
            next
            edit "port12"
            next
        end
    next
end

At the top of the policies there are 2 identical policies allowing VLAN 99 and VLAN 10 full access to the internet...

 

Again: this problem was not there in 7.0.10 (!), although the situation is now a little different.
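The two VLAN interfaces in the config above are meant to be equivalent, but they are not: reading the pasted `config system interface` section side by side shows two settings present on HS-VLAN-LAN (VLAN 10, the failing one) and absent on test99 (VLAN 99, the working one). The script below is an added example, not code from the thread or from Fortinet; it parses the posted `edit ... set ... next` blocks, diffs two interfaces while ignoring settings that are expected to differ (IP, VLAN ID, SNMP index, alias), and emits one FortiOS CLI change per differing setting so the failing interface can be made to match the working one a single setting at a time, re-running the Roblox test after each change. The config text embedded in the script is copied from the post; the function names and the choice of ignored settings are the example's own.

```python
"""Diff two FortiOS interface entries and produce a one-setting-at-a-time bisect plan.

Added example (not from the forum thread or Fortinet). Parses the
`config system interface` text pasted in the post above and reports the
settings that differ between the failing VLAN interface and the working one.
"""
import re

# Sample input: the interface section as posted in the thread (copied verbatim).
SAMPLE_CONFIG = """
config system interface
    edit "HW-Switch"
        set vdom "root"
        set ip 192.168.253.1 255.255.255.0
        set allowaccess ping https ssh http
        set type hard-switch
        set lldp-reception enable
        set lldp-transmission enable
        set role lan
        set snmp-index 48
    next
    edit "HS-VLAN-LAN"
        set vdom "root"
        set ip 192.168.1.254 255.255.255.0
        set allowaccess ping https ssh http
        set device-identification enable
        set monitor-bandwidth enable
        set role lan
        set snmp-index 49
        set interface "HW-Switch"
        set vlanid 10
    next
    edit "test99"
        set vdom "root"
        set ip 192.168.99.1 255.255.255.0
        set allowaccess ping https ssh http
        set role lan
        set snmp-index 14
        set interface "HW-Switch"
        set vlanid 99
    next
end
"""

# Settings that necessarily differ between two interfaces and carry no signal
# for this comparison (chosen for this example).
NOISE = {"ip", "vlanid", "snmp-index", "alias"}


def parse_interfaces(text):
    """Return {name: {setting: value}} for every `edit "name" ... next` block."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            # Values such as `"root"` or `"HW-Switch"` lose their quotes;
            # multi-token values such as `ip 192.168.1.254 255.255.255.0` stay whole.
            entries[current][m.group(1)] = m.group(2).strip('"')
    return entries


def diff_interfaces(entries, a, b, ignore=NOISE):
    """Return {setting: (value_on_a, value_on_b)} for settings that differ.

    A setting missing on one side is reported as None, which in FortiOS means
    the default applies (for device-identification and monitor-bandwidth the
    default is disable).
    """
    sa, sb = entries[a], entries[b]
    out = {}
    for key in sorted(set(sa) | set(sb)):
        if key in ignore:
            continue
        va, vb = sa.get(key), sb.get(key)
        if va != vb:
            out[key] = (va, vb)
    return out


def bisect_commands(entries, failing, working):
    """One CLI snippet per differing setting, making `failing` match `working`.

    Apply a single snippet per test run so the setting that changes the result
    is isolated. `unset` restores the FortiOS default for that setting.
    """
    cmds = []
    for key, (_bad, good) in diff_interfaces(entries, failing, working).items():
        change = f"unset {key}" if good is None else f"set {key} {good}"
        cmds.append(
            f'config system interface\n    edit "{failing}"\n        {change}\n    next\nend'
        )
    return cmds


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for key, (bad, good) in diff_interfaces(ifaces, "HS-VLAN-LAN", "test99").items():
        print(f"{key}: HS-VLAN-LAN={bad!r} test99={good!r}")
    print()
    print("\n\n".join(bisect_commands(ifaces, "HS-VLAN-LAN", "test99")))
```

On the posted config the diff comes out to exactly two settings, `device-identification` and `monitor-bandwidth`, both enabled on HS-VLAN-LAN and left at default on test99. That does not prove either one is the cause, but they are the only configured difference between the working and failing interface, so unsetting them one at a time on HS-VLAN-LAN is the cheapest next test. If the behaviour survives with both interfaces identical, the remaining differences are outside this section (the firewall policies, the AP-side SSID-to-VLAN mapping, and the Netgear VLAN tagging), and capturing the failing client on the FortiGate with `diagnose sniffer packet any 'host <client-ip>' 4` while starting the game is the next place to look.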

gfleming

At this point you need someone to help you physically, actively looking at the device and the network and doing a proper diagnosis. I think you've exhausted the usefulness of an internet forum at this point.

 

With that in mind, given everything works on 7.0.10 I would suggest perhaps you are encountering a bug in 7.0.11. It's the only explanation I have at this point.

 

So, why not stay on 7.0.10?

 

Also why not simplify your deployment and use bridged SSIDs?

Cheers,
Graham
sanderl
New Contributor III

All SSIDs are bridged...
