xkalib3r
New Contributor III

Remote AP's Bridge to SSID Issues

Hi All

I have been battling this issue for a few months now, and so far have not had any joy (even from Fortinet Support).

Basically we have a client with a 200B HA cluster at their data-center. Said client then has several small remote branches (2 to 3 devices max) which make use of FortiAP 14Cs to connect to the corporate network.

Essentially each remote site has its own unique SSID and IP range. The AP/AP profile is then set to bridge the 14C LAN ports to the SSID. This allows desktops, phones etc. to access the corporate network as well as internet breakout via the data-center with various policies and UTM features applied.

The 14Cs are connected to an ADSL router and have the controller's (FortiGate) public IP statically set in the AC discovery.

So... the above works amazingly well... when it works...

The problem we have is that out of the blue, devices at the remote sites lose connection to the corporate network and internet. Internally (at the remote sites) devices can still talk to each other; for example, a user can still print to a network printer. Basically all comms out of the remote site stop.

When this happens, the FortiAP is still online. I can even see it, as well as the devices connected to it, on the FortiGate. There are no error logs that I can see.

After loads of back and forth with Fortinet, we were advised to upgrade the FortiGate to v5.2.4 and the APs (downgraded) to 5.0.10. We did this and had no issues for about a week... now the problem is back.

Now for the extra strange part. Sometimes a reboot of the AP gets the site back up. Sometimes not. Most times, if I override the AP profile with the exact same settings, the site comes back online. Sometimes this is done in reverse and again the site comes back online.

Another odd thing here is that DNS seems to stay working. When doing a diag debug flow on the FortiGate, DNS traffic still goes through. This was confirmed by trying to ping devices on the corporate network: while they did not reply to pings, DNS did resolve.

I have completely run out of ideas, and our client is of course a sad panda... We have replaced several of the APs as well, as they were initially thought to be faulty.

Any advice would be greatly appreciated!

Regards

FCNSA FCNSP FCWS NSE5 NSE7
tginsburg
New Contributor

We are having a similar situation here. The FortiAP 14C at the remote site conks out after a week or two: not pingable, but I can still see it in the FortiGate. When the agency contacts me, I go into the FortiAP 14C profile, turn off bridging, then rebridge to the SSID. That fixes it for a week or two.

Support gave me an RMA to return our first device, but we got CDW-G to swap. Didn't matter, as the same issue occurs with the new device. We have the FortiGate on 5.2.4 and the FortiAP 14C on 5.2.4 as well. Looking at the release notes for 5.2.5 for the FortiGate, but no mention of a fix. We are thinking about getting a FortiAP 28C to test with, but it costs six times more than the 14C. Sigh....

xkalib3r
New Contributor III

Hi Tginsburg

I just wanted to find out if you perhaps got any further with this?

We made a few changes which seemed to be working great, but this week the APs have been acting up again.

Basically, we set the following under the WTP profile:

    set tun-mtu-uplink 1500
    set tun-mtu-downlink 1500

This stabilized most of our remote sites; however, there were two that still had an issue. Coincidentally, these sites are in the same building, but each uses its own DSL line and router. This leads me to believe that the ADSL line stability is part of the problem.

As part of our testing, we swapped out one of the routers in the above-mentioned sites with a Billion BiPAC B-7402x. After doing this, the issue went away completely!

Great, we thought! So we ordered some new Billion routers for some of the other sites; all we could get at the time was the Billion BiPAC-7800nx. With these new routers and the MTU changes, I've had several calls this week already saying that the sites are down. We then turn the bridging off and on as you mentioned and all is well again.

Really pulling my hair out on this issue, and we've had very little assistance from Fortinet either.
tginsburg

Hi xkalib3r,

No progress yet on this issue from our end. We've been testing with a FortiAP 25D, and it's been stable for 2 weeks now. Which in itself is no guarantee it won't have the same issue as the 14C; we went for more than a month without a drop at one point. We'll be deploying it at a remote site next week, and hopefully will report back that it remained stable in a month or so. Stay tuned....

xkalib3r
New Contributor III

Thanks for the update!

We tried the same thing (25D) at one of the sites. Unfortunately that only lasted a few days before having the same issue.

As far as I understand, the APs create their own IPsec tunnel back to the FortiGate. I'm certain the issue lies there somewhere, especially if the APs are on DSL/not 100% stable connections.

I look forward to the update!
tginsburg

Well, the 25D crapping out as well isn't good news.

Today was install day at our 2nd remote customer, who incidentally is starting off with a DSL line while awaiting their other internet circuit to be installed. We'll see how it goes. For now, I'm setting up a ping monitor to each of the two sites so we'll be advised if the clients stop talking to us before the customer knows.
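The ping monitor described in the reply above, written out as an added example (this is not code from the thread or from Fortinet). It also covers the symptom in the opening post, where the FortiAP still shows as online on the FortiGate while the devices behind its bridged LAN ports are unreachable: each site is probed at two addresses, the AP itself and one always-on client behind the bridge (a printer works well), so a DSL line dropping (nothing answers) is reported differently from the bridge failing with the AP still up. A site must fail a number of consecutive cycles before it alerts, so a single lost packet on a DSL line does not page anyone. The site names, addresses, thresholds and the Linux `ping -c/-W` flags are assumptions; point it at the real branch addresses and run it from a host in the data-center.

```python
"""Ping monitor for FortiAP-bridged branch sites (added example; not from the thread).

States per site, derived from two ICMP probes sent from the data-center side:
  up          - the client behind the AP's bridged LAN port answers
  bridge-down - the AP answers but the bridged client does not
  site-down   - neither answers (DSL line or router, most likely)
Addresses, names and thresholds are illustrative assumptions.
"""
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Site:
    name: str
    ap_ip: str                    # FortiAP management address (assumed)
    client_ip: str                # always-on host behind the bridged LAN port (assumed)
    fails_before_alert: int = 3   # consecutive failed cycles before alerting
    consecutive_failures: int = 0
    alerted: bool = False


def classify(ap_ok: bool, client_ok: bool) -> str:
    """Reduce the two probe results to one of three states."""
    if client_ok:
        return "up"               # bridge is passing traffic, whatever the AP probe said
    return "bridge-down" if ap_ok else "site-down"


def update(site: Site, ap_ok: bool, client_ok: bool) -> Tuple[str, Optional[str]]:
    """Apply one probe cycle to a site's state.

    Returns (state, event); event is 'alert' when the failure threshold is
    first crossed, 'clear' when a previously alerted site recovers, else None.
    """
    state = classify(ap_ok, client_ok)
    if state == "up":
        site.consecutive_failures = 0
        if site.alerted:
            site.alerted = False
            return state, "clear"
        return state, None
    site.consecutive_failures += 1
    if not site.alerted and site.consecutive_failures >= site.fails_before_alert:
        site.alerted = True
        return state, "alert"
    return state, None


def icmp_probe(ip: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via the system ping (Linux flag syntax: -c count, -W seconds)."""
    result = subprocess.run(
        ["ping", "-c", "1", "-W", str(timeout_s), ip],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def run_cycle(sites: List[Site],
              probe: Callable[[str], bool] = icmp_probe) -> List[Tuple[str, str, str]]:
    """Probe every site once; return (site, state, event) for sites whose alert state changed."""
    events = []
    for site in sites:
        state, event = update(site, probe(site.ap_ip), probe(site.client_ip))
        if event:
            events.append((site.name, state, event))
    return events


if __name__ == "__main__":
    import time
    # Constructed sample sites; replace with the real branch addresses.
    sites = [
        Site("branch-a", "10.10.1.2", "10.10.1.20"),
        Site("branch-b", "10.10.2.2", "10.10.2.20"),
    ]
    while True:
        for name, state, event in run_cycle(sites):
            print(f"{name}: {event} ({state})")
        time.sleep(60)
```

Feed the `alert`/`clear` events into whatever already pages you; the `bridge-down` state is the one where toggling the bridge in the WTP profile has been the workaround in this thread, while `site-down` points at the DSL line or router first.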
