Hello everyone, I have a problem on 2 VLAN subinterfaces.
Packet loss on SSID in bridge mode
I notice problems when connecting to 2 SSIDs: with a Windows 10 or 11 machine, the AP authenticates the device, and immediately afterwards, when pinging the VLAN gateway, it responds without problems, but when I go out to other networks outside the VLAN, I see packet loss, for example when pinging Google.
After a few minutes I start to get out to the internet and to other networks without any problem.
The funny thing is that this happens only on Windows; I have tried Android, iOS and Ubuntu.
When connecting to the AP with these OSes I have no problems.
The problem is occurring on FortiGate version 7.2.5.
1. First, the Windows device is connected and the ping to the VLAN gateway is OK.
2. Then I ping Google, but it doesn't respond.
3. After about 2 minutes Google responds.
This happens on 2 VLANs, but on the others I don't have this problem.
Hello chechoSV,
Please take the flow debugs in fortigate cli during the time of the issue to isolate what is causing the issue.
diagnose debug reset
diagnose debug flow filter addr 8.8.8.8
diagnose debug flow filter proto 1
diagnose debug flow trace start 1000
diagnose debug enable
To disable the debugs please run
diagnose debug disable
diagnose debug reset
If the ping from the host to the GW is always stable, then from a troubleshooting perspective the FAP and FSW are working properly.
From this behavior (2 min delay) it looks like the problem is policy matching in the FGT. Are you using FSSO groups in the firewall policies for these Windows devices?
Hello, good morning. Yes, there are FSSO groups with policies for each group of users; however, checking the policies view, all users are matching a policy above them, ALL TO ALL.
My question is, does it matter that this policy is above all those that use FSSO and nobody is matching the FSSO ones?
More specific rules should be above, so for example a rule with an FSSO group should be above another rule that has subnets/addresses only. If the FGT doesn't find the group for that user, it will fall back to the other policy.
If the FGT has a delay in listing the FSSO users, you may start to troubleshoot that part. At this point you have to isolate the problem and find out whether internet access is allowed only after the FGT learns the user. The FSSO users can be checked from the GUI:
or from the CLI:
GW # diag debug authd fsso list
----FSSO logons----
IP: 10.1.1.1 User: FORTINET Groups: CN=FORTINET,OU=USR,DC=EB,DC=EU
Hello, good morning. I want to show you the first screenshot: I noticed that above the FSSO policies there was a policy called ".Accesos-Temporales", and all the devices were passing through that policy.
0 bytes in FSSO policies
In the second screenshot, I modified that policy and now everyone is in their respective FSSO policy.
I want to validate with the client on site how it is behaving with this change I made.
Most probably that rule was set to stay there temporarily until FSSO was implemented. As a safe step you can move it to the bottom, after the FSSO rules, to monitor which users/IPs will hit that rule. In this way you can troubleshoot without affecting users' work.
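The two replies above (more specific FSSO rules must sit above the broad temporary rule, and the temporary rule should be moved to the bottom as a monitored catch-all) describe a rule-shadowing problem that can be checked offline. The following is an added example, not code from the thread or from Fortinet: it parses the `diag debug authd fsso list` line format shown earlier, models FortiGate top-down policy matching in a simplified way (an IP without an FSSO logon skips every group-restricted policy), reports policies that can never be hit, and shows what a client matches before and after the catch-all is moved. The policy IDs, the policy names other than ".Accesos-Temporales", the second logon line and the group DNs are constructed for the example.

```python
"""Added example: FSSO logon parsing and firewall-policy shadowing check."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample in the line format of `diag debug authd fsso list`
# (not captured from a real unit; only the "IP: .. User: .. Groups: .." shape is assumed).
FSSO_LIST = """\
----FSSO logons----
IP: 10.1.1.1 User: FORTINET Groups: CN=FORTINET,OU=USR,DC=EB,DC=EU
IP: 10.1.1.2 User: ALICE Groups: CN=STAFF,OU=USR,DC=EB,DC=EU
"""

LOGON_RE = re.compile(r"^IP:\s+(\S+)\s+User:\s+(\S+)\s+Groups:\s+(.+?)\s*$")


def parse_fsso_list(text: str) -> dict[str, tuple[str, str]]:
    """Map client IP -> (user, group DN) from FSSO logon lines.
    Assumption: one DN per line; DNs contain commas, so they are not split."""
    logons = {}
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            logons[m.group(1)] = (m.group(2), m.group(3))
    return logons


@dataclass
class Policy:
    id: int
    name: str
    srcaddr: list[str]                               # CIDRs, or ["all"]
    groups: list[str] = field(default_factory=list)  # FSSO group DNs; empty = any user


def _src_matches(policy: Policy, ip: str) -> bool:
    addr = ip_address(ip)
    return any(a == "all" or addr in ip_network(a) for a in policy.srcaddr)


def _src_covers(broad: Policy, narrow: Policy) -> bool:
    """True if every source network of `narrow` lies inside a source of `broad`."""
    if "all" in broad.srcaddr:
        return True
    if "all" in narrow.srcaddr:
        return False
    return all(any(ip_network(n).subnet_of(ip_network(b)) for b in broad.srcaddr)
               for n in narrow.srcaddr)


def match_policy(policies, ip, logons):
    """First policy (top-down) whose source matches and whose FSSO groups, if any,
    contain the group the FGT currently holds for that IP. Simplified model: an IP
    with no FSSO logon skips every group-restricted policy and falls through."""
    user_group = logons.get(ip, (None, None))[1]
    for p in policies:
        if not _src_matches(p, ip):
            continue
        if p.groups and user_group not in p.groups:
            continue
        return p
    return None


def shadowed_policies(policies):
    """(shadowed_id, by_id) pairs: a policy can never be hit when an earlier policy
    covers all its sources and imposes no narrower user/group condition."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if _src_covers(earlier, later) and (
                    not earlier.groups or set(later.groups) <= set(earlier.groups)):
                found.append((later.id, earlier.id))
                break
    return found


def move_to_bottom(policies, policy_id):
    """Reorder the way `move <id> after <last-id>` under `config firewall policy` would."""
    moved = [p for p in policies if p.id == policy_id]
    return [p for p in policies if p.id != policy_id] + moved


# Constructed policy table mirroring the thread: the temporary any/any policy sits
# above the FSSO policies. IDs, the FSSO policy names and the group DNs are assumed.
STAFF = "CN=STAFF,OU=USR,DC=EB,DC=EU"
ADMINS = "CN=FORTINET,OU=USR,DC=EB,DC=EU"
POLICIES = [
    Policy(1, ".Accesos-Temporales", ["all"]),
    Policy(2, "FSSO-Staff", ["10.1.1.0/24"], [STAFF]),
    Policy(3, "FSSO-Admins", ["10.1.1.0/24"], [ADMINS]),
]

if __name__ == "__main__":
    logons = parse_fsso_list(FSSO_LIST)
    print("shadowed:", shadowed_policies(POLICIES))                        # [(2, 1), (3, 1)]
    fixed = move_to_bottom(POLICIES, 1)
    print("ALICE before:", match_policy(POLICIES, "10.1.1.2", logons).id)  # 1
    print("ALICE after:", match_policy(fixed, "10.1.1.2", logons).id)      # 2
    print("unlearned IP after:", match_policy(fixed, "10.1.1.9", logons).id)  # 1
```

With the catch-all on top, both FSSO policies are reported as shadowed, which is exactly the "0 bytes in FSSO policies" symptom. After it is moved to the bottom, a learned user lands on its FSSO policy, while an IP the FGT has not learned yet (the 2-minute window in the original post) still falls through to the catch-all; hits on that bottom rule are therefore the thing to log and watch, and removing it entirely would leave unlearned clients with no matching policy.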
Hi chechoSV
Please check the following:
1. Channel Consumption
Verify which radio channel the device is connected to (from the WiFi Client tab) and its utilization (from the Managed AP tab). Even if users have good signal strength, if they are connected to the most heavily used channel they will see heavy packet loss. This usually happens for 2.4 GHz RF users.
Because the channel carries the data throughput for the wireless users, high channel usage, whether from a high user count or from heavy traffic from other users, will eventually mean high latency and packet loss for the end user.
To resolve the issue, try to assign the least used channel, mostly 5 GHz channels. They will provide higher data throughput and better performance for the user.
2. Verify the links
Check each and every connected node and link that the wireless traffic traverses. If your ISP link is having packet loss, then without a doubt the wireless user will suffer packet loss.
(You can usually monitor the loss from the SD-WAN tab and the link monitor, if configured. If not, define a repeat count in the execute ping options to monitor and analyze the traffic response.)
Hope that helps,
Kind Regards,
Bijay Prakash Ghising
Copyright 2024 Fortinet, Inc. All Rights Reserved.