mrodryguez
New Contributor

Endpoint gets IP but doesn’t work

I have a scenario with a Fortigate 500d as Wireless Controller working with FortiAP 223c. I have a profile with 20MHz for 2,4GHz and 80MHz for 5GHz. More than 50% of the clients work fine, but some get an IP but can’t even ping their gateway. Some work well, but suddenly stop navigating. In my tests, most of the endpoints with this problem were Linux and iPhone, but sometimes it also happens with Windows. I have the same SSID for 2 and 5 frequencies. Can someone please help me!?!?
Sidewaysguy
New Contributor III

Hi there,

 

Can you post the details of the wireless profile that you are using?

 

Cheers,

 

Sidewaysguy

mrodryguez

Sidewaysguy, 

 

Thanks for your fast reply! See below, as you requested:

 

Radio 1

mode -> Access Point

radio resource provision -> enable

client load balancing -> Frequency Handoff

band -> 2.4 n/g

channel width -> 20MHz

short guard interval -> enable

channels -> 1,6,11

tx power control -> manual 100%

ssids -> manual

no location based services

****************************************

Radio 2

mode -> Access Point

radio resource provision -> enable

client load balancing -> Frequency Handoff

band -> 5 ac/n/a

channel width -> 80MHz

short guard interval -> enable

channels -> 36,40,44,48,149,153,157,161

tx power control -> manual 100%

ssids -> manual

no location based services

****************************************

AP configuration

Radio 1

WTP mode -> normal

Band -> 2.4 n

channel -> 6

tx power control -> auto

Radio 2

Band -> 5 ac/n

channel -> 149,153,157.161

tx power control -> auto

I have 2 SSIDs that are used in both frequencies: one for corporate and the other for guest. Corporate as bridge, with wpa2 enterprise and radius. Guest as tunnel, with wpa personal and fortigate as dhcp server. I don't have problems with Corporate, only with guest.

 

Thanks in advance!

 

Marcelo

 

 

Sidewaysguy

Hey Marcelo,

 

I'm not sure what the physical coverage is like, but I'm wondering if the tx power range may be too low on the bottom end? In the WiFi Health Monitor, do you see the devices connected but just not passing traffic? Can you ping them from the firewall? Also, which firmware are you on for the Fortigate and APs?

 

Cheers,

 

Sidewaysguy

mrodryguez

I think it is not a coverage problem. It worked for one hour with my iPhone, with signal at the highest level. I don’t have all the information right now, but I will share it with you ASAP. I upgraded the AP to the newest firmware version. I will try a ping from the firewall. The weirdest thing for me is that an endpoint stops working, but appears to me as associated in the controller.

Sidewaysguy

Also note if you are on 2.4 or 5 GHz, as I've had issues with 2.4 interference showing similar symptoms. If you have decent coverage, going 5 GHz may be an option to try, unless you are close to exceeding the number of allowed devices per radio and/or you have a specific 2.4 GHz requirement.

 

 

Toshi_Esumi
SuperUser

It's very difficult to pinpoint the cause when it comes to seemingly random wifi drops. That's why we opened a TT with TAC to get some help. In our case, we have a multi-vendor environment within our office and many other rogue APs in our building. It turned out to be another vendor AP's WIPS feature, which I was testing, that was deauthenticating some specific client devices from connecting to FortiAP's SSID. The devices connect to external public SSIDs as well, which caused them to be labelled as "misbehaving authorized clients". Your case sounds different, but I just wanted to mention it as a possibility.
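
An added example, not part of the post above or of any Fortinet tooling: one way to check a capture for the pattern Toshi describes, where specific clients are repeatedly deauthenticated. The record layout, MAC addresses and thresholds are assumptions made for this sketch, and the sample rows are constructed.

```python
from collections import defaultdict, deque

# Constructed sample rows: (time_s, frame_subtype, bssid, client_mac, reason_code).
# The layout is an assumption for this example (e.g. rows exported from a
# monitor-mode capture); it is not FortiGate or FortiAP log output.
AP = "02:00:00:aa:00:01"
CLIENT_A = "02:00:00:cc:00:10"
CLIENT_B = "02:00:00:cc:00:20"
CLIENT_C = "02:00:00:cc:00:30"
FRAMES = [
    (5.0, "assoc", AP, CLIENT_A, 0),
    (12.0, "deauth", AP, CLIENT_A, 7),
    (20.5, "deauth", AP, CLIENT_A, 7),
    (31.0, "deauth", AP, CLIENT_A, 7),
    (40.0, "deauth", AP, CLIENT_A, 7),
    (45.0, "deauth", AP, CLIENT_B, 3),   # single deauth: normal churn
    (100.0, "deauth", AP, CLIENT_C, 3),  # three deauths, but minutes apart
    (400.0, "deauth", AP, CLIENT_C, 3),
    (900.0, "deauth", AP, CLIENT_C, 3),
]


def deauth_bursts(frames, window_s=60.0, threshold=3):
    """Return {client: (peak_count, bssids)} for clients that received at
    least `threshold` deauth frames inside any `window_s`-second window."""
    recent = defaultdict(deque)  # client -> deque of (time, bssid) in window
    flagged = {}
    for ts, subtype, bssid, client, _reason in sorted(frames):
        if subtype != "deauth":
            continue
        window = recent[client]
        window.append((ts, bssid))
        # Drop deauths that have aged out of the sliding window.
        while window and ts - window[0][0] > window_s:
            window.popleft()
        if len(window) >= threshold:
            peak, seen = flagged.get(client, (0, set()))
            flagged[client] = (max(peak, len(window)),
                               seen | {b for _, b in window})
    return flagged


if __name__ == "__main__":
    for client, (peak, bssids) in deauth_bursts(FRAMES).items():
        print(f"{client}: {peak} deauths within 60s, BSSID(s) {sorted(bssids)}")
```

For a flagged client, the next step is to compare the burst times and BSSIDs with what the wireless controller itself reports for that client.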

mrodryguez

Hi Toshi and Sideway, hope you are doing well!

 

My FortiGate firmware is v5.6.3 build1547 (GA). I can't ping the devices from the firewall, and I can see the device in the health monitor, with no traffic.

 

I understood the moment the problem happens for my device (iPhone), and I will investigate whether it is similar for other employees having the same problem. In my case, I noticed that when I go outside the room where I have the AP, it moves from 5G to 2,4G and loses connectivity. I can see in the health monitor that the device goes from channel 36 to 11. As I told you, I have the same name "ssid" for both frequencies and I can't understand why iPhone can treat it. The next test that I will do is to reduce the beacon time and client idle time, so that the client can stay longer without roaming the connection. What do you think?

 

Thanks in advance!

Toshi_Esumi

If you're suspecting signal reception, you need to use an analyzing tool (I use Acrylic on a win10 laptop) to see what kind of signal level the client is getting at those spots while you roam around. FortiGate/AP can tell you only the AP side of the reception level. That's only half of the connection. Depending on the area size and obstacles in the area, you might need to add more APs. 5GHz radio can be weakened more easily by walls, doors, windows, pillars, ducts on the ceiling, etc. than 2.4GHz, while 2.4GHz is more crowded by neighbors due to the smaller number of channels than 5GHz.

Sidewaysguy

Hey there,

 

How many APs do you have (I forgot to ask earlier)? As well, do you have any tools on your phone/laptop that you can use to see your signal strength when walking around in the environment? Do you see a lot of interfering APs on the Fortigate?

 

You mentioned walking out of the room where an AP is located; structure can also cause interference with the signal. Devices like your iPhone will always try to maintain a signal no matter what. A simple test that you can do would be to remove the SSID from the 2.4GHz radio in the profile. If you don't want to test with the production SSID, create a new SSID, add it to the 5GHz radio in the FortiAP profile, and create a basic policy for internet access for it to test with. See what your signal strength is as you move through the environment and whether you lose connectivity.

 

To dive deeper into your config, you may want to start a ticket with TAC as they will help troubleshoot directly.

 

Cheers,

 

Jared

 

 
