I've been facing a lot of connection and roaming issues on the network: clients were losing authentication, VoIP phones were losing their IP address and Guests had to re-authenticate on CP. All these problems were treated separately, but after a few tests on the network it seems like we've found a reason for the issue.
The fact is that the disconnections were occurring in specific IAP transitions (L2 Roaming), and we've noticed that these IAPs weren't on the same switch. So basically when we roam between IAPs that sit on the same switch everything seems fine, but when the client moves to an IAP on another switch (even in the same cluster) the device loses connection. This is happening with all of the devices on the network, which is also the cause of the other failures.
We are using Fortinet FortiSwitches managed by a FortiGate, and speaking with the Fortinet reseller it seems like the switch has to receive the client's IP, not the AP's MAC, in order to complete roaming outside the switch.
It seems like it has something to do with the IAP Bridge Mode, is that correct? Should I consider moving the entire network to Mesh for this to work? Are there any changes that could be made on both sides?
Thank you all.
A few helpful pieces of information:
IAP MODELS: 303, 305, 365
IAP SW VERSION: 18.104.22.168
AIRWAVE SW VERSION: 22.214.171.124
CLEARPASS SOFTWARE VERSION: 6.7.5
FORTISWITCH MODELS: FortiSwitch 424D-FPOE
FORTIGATE MODELS: FortiGate 600D
Make sure that all of the VLANs are trunked to all switches. If two switches are connected, they must be connected by a trunk that includes all of your Layer 2 LANs.
Agree with Colin, I was going to ask if the user SSIDs are on their own VLAN (which would be trunked on the switch) separate from the AP IP VLAN. If the user VLANs are not trunked, even though the APs are still L2 adjacent, that's likely due to the user VLANs not being trunked and carried between all the switches.
Since the Fortigate is managing your FortiSwitch, do you have a security profile that is authenticating users/devices on the switch ports where the IAPs are connected?
The management model (at least in FortiOS 5.6, I haven't personally tried 6.0) hides a good bit of information between the FortiGate and FortiSwitch. Since your reseller also mentioned the user visibility because the IAP is bridging locally rather than tunneling to a controller, that may be playing a role in the roaming problems from switch to switch.
Thanks for the replies. Configuration regarding VLANs seems fine, and all the client VLANs, and also the IAP VLANs, are tagged on the trunks.
Charlie, could you be more specific when you say "security profile"? Do you mean 802.1X?
This was caused by a software switch on the FortiGate not updating ARP tables until the old entry expired and had nothing to do with Aruba instant or HPE/Aruba switches in our instance, FWIW. The trick was to move to a hardware switch on the FortiGate.
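The two checks raised in this thread, that every client VLAN is carried on every inter-switch trunk and that the switch's MAC/ARP binding for a roaming client is refreshed rather than kept until it ages out, can be modelled in a few lines. The following is an added illustration written for this page; it is not code from any poster, from Aruba or from Fortinet, and it does not talk to real switches. The topology, MAC address, port names, VLAN numbers and the 300-second aging timer are all constructed for the toy model; a `Bridge` built with `relearn_on_ingress=False` reproduces the stale-entry behaviour the last reply describes, while `True` relearns the port on every ingress frame.

```python
"""Toy model of L2 roaming across two switch ports with a MAC/ARP table
that either refreshes on every frame or keeps a stale entry until it
ages out.  All values below are constructed for the illustration."""
from dataclasses import dataclass, field

AGING_SECONDS = 300.0  # constructed aging timer, not a vendor default


@dataclass
class Entry:
    port: str          # port the MAC was last learned on
    learned_at: float  # time the binding was written


@dataclass
class Bridge:
    """relearn_on_ingress=False keeps an existing binding until it expires,
    even when the same MAC appears on another port (the failure mode);
    True overwrites it immediately, as a bridge that learns on ingress does."""
    relearn_on_ingress: bool
    aging: float = AGING_SECONDS
    table: dict = field(default_factory=dict)

    def expired(self, entry, now):
        return now - entry.learned_at >= self.aging

    def ingress(self, src_mac, port, now):
        entry = self.table.get(src_mac)
        if entry is None or self.expired(entry, now) or self.relearn_on_ingress:
            self.table[src_mac] = Entry(port, now)
        # otherwise the stale binding is kept and frames go to the old port

    def lookup(self, dst_mac, now):
        entry = self.table.get(dst_mac)
        if entry is None or self.expired(entry, now):
            return None  # unknown destination: the frame would be flooded
        return entry.port


def simulate_roam(relearn_on_ingress, aging=AGING_SECONDS):
    """Client first seen behind port1 (switch 1 / AP1) roams to port2
    (switch 2 / AP2).  Returns the port chosen for return traffic just
    after the roam and again after the old entry has aged out."""
    client = "aa:bb:cc:00:00:01"  # constructed client MAC
    br = Bridge(relearn_on_ingress, aging)
    br.ingress(client, "port1", now=0.0)    # initial association via AP1
    br.ingress(client, "port2", now=10.0)   # after roaming, traffic arrives via AP2
    after_roam = br.lookup(client, now=11.0)
    # the client keeps transmitting; once the old entry has aged out the
    # next frame is learned on the correct port
    br.ingress(client, "port2", now=aging + 1.0)
    after_aging = br.lookup(client, now=aging + 2.0)
    return {"after_roam": after_roam, "after_aging": after_aging}


def missing_vlans(client_vlans, trunks):
    """trunks maps an inter-switch link name to the set of VLAN ids it
    carries.  Returns, per link, the client VLANs that link does not carry,
    which is the condition the earlier replies ask the poster to rule out."""
    wanted = set(client_vlans)
    report = {}
    for link, allowed in trunks.items():
        gap = sorted(wanted - set(allowed))
        if gap:
            report[link] = gap
    return report


if __name__ == "__main__":
    print("stale table :", simulate_roam(relearn_on_ingress=False))
    print("relearning  :", simulate_roam(relearn_on_ingress=True))
    # constructed example: VLAN 20 and 30 are not trunked on the sw2-sw3 link
    print(missing_vlans({10, 20, 30}, {"sw1-sw2": {1, 10, 20, 30},
                                        "sw2-sw3": {1, 10}}))
```

With the stale-entry bridge the client is unreachable (return traffic is sent to `port1`) for the remainder of the aging period, which matches the symptom of devices dropping off until a timer expires; with relearning on ingress the binding moves with the client at once. The VLAN check is the same set difference you would apply to the allowed-VLAN lists pulled from each trunk's configuration.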