Controllerless Networks

Occasional Contributor I

IAP L2 Roaming issue on Fortinet Network

Hi guys,

I've been facing a lot of connection and roaming issues on the network: clients were losing authentication, VoIP phones were losing their IP address, and guests had to re-authenticate on the CP. All these problems were treated separately, but after a few tests on the network it seems like we've found a reason for the issue.

The fact is that the disconnections were occurring in specific IAP transitions (L2 roaming), and we've noticed that these IAPs weren't on the same switch. So basically, when we roam between IAPs that lie on the same switch everything seems fine, but when the client moves to an IAP on another switch (even in the same cluster) the device loses its connection. This is happening with all of the devices on the network, which is also the cause of the other failures.

We are using Fortinet FortiSwitches managed by a FortiGate, and speaking with the Fortinet reseller it seems like the switch has to receive the client's IP, not the AP's MAC, in order to complete roaming outside the switch.

It seems like it has something to do with the IAP Bridge Mode, is that correct? Should I consider moving the entire network to Mesh for this to work? Are there any changes that could be made on both sides?

Thank you all.


A few helpful pieces of information:

IAP MODELS: 303, 305, 365

IAP SW VERSION: 8.3.0.0

AIRWAVE SW VERSION: 8.7.2.1

CLEARPASS SOFTWARE VERSION: 6.7.5


FORTISWITCH MODELS: FortiSwitch 424D-FPOE

FORTIGATE MODELS: FortiGate 600D

Guru Elite

Re: IAP L2 Roaming issue on Fortinet Network

Make sure that all of the VLANs are trunked to all switches. If two switches are connected, they must be connected by a trunk that includes all of your Layer 2 LANs.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Re: IAP L2 Roaming issue on Fortinet Network

Agree with Colin. I was going to ask if the user SSIDs are on their own VLAN (which would be trunked on the switch), separate from the AP IP VLAN. If the user VLANs are not trunked, even though the APs are still L2 adjacent, that's likely due to the user VLANs not being trunked and carried between all the switches.


Jerrod Howard
Distinguished Technologist, TME

Re: IAP L2 Roaming issue on Fortinet Network

Since the FortiGate is managing your FortiSwitch, do you have a security profile that is authenticating users/devices on the switch ports where the IAPs are connected?

The management model (at least in FortiOS 5.6, I haven't personally tried 6.0) hides a good bit of information between the FortiGate and FortiSwitch. Since your reseller also mentioned the user visibility because the IAP is bridging locally rather than tunneling to a controller, that may be playing a role in the roaming problems from switch to switch.


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor I

Re: IAP L2 Roaming issue on Fortinet Network

Hi all,

Thanks for the replies.

Configuration regarding VLANs seems fine: all the client VLANs, and also the IAP VLANs, are tagged in the trunks.

Charlie, could you be more specific when you say "security profile"? Do you mean 802.1X?

Br,

Re: IAP L2 Roaming issue on Fortinet Network

Correct. The switch port could be configured to do 802.1X or MAC-auth. It does not sound like 802.1X is in place, because users can roam across APs on a single switch.

Since the switches are managed by the FortiGate, do all switch ports show the same port configuration on the Gate? Taking a step back, what are the expected VLAN(s) that should be in use? The Instant AP will have one VLAN used for management; are wireless users also dropped into this VLAN, or are they tagged into different VLAN(s)?

The FortiGate should handle the plumbing for making sure that user VLANs are present on any access switch where they are needed, but it's possible either that's not happening or there's a config problem. Do you have a topology map that shows how the FortiSwitches are connected back to the FortiGate?

Charlie Clemmer
Aruba Customer Engineering
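The two diagnoses offered in this thread (Colin's: every client VLAN must be carried on every inter-switch trunk; Charlie's: AP-facing ports must be configured alike, with no port-auth policy on only some of them) can be turned into a mechanical check. The script below is an added example, not code from the original posts or from Aruba or Fortinet. It models each switch's ports as plain data (the switch names, port names, VLAN numbers and the star topology with one uplink per switch toward the FortiGate are all constructed assumptions, not FortiOS syntax), then walks every AP pair that sits on different switches and reports the first hop where a client VLAN is dropped, which is exactly the condition under which a locally bridged IAP client loses its connection on roaming while same-switch roams keep working.

```python
"""Added example: a sanity check for the failure mode discussed in the thread.
With IAPs bridging locally, a roam between APs on different switches only works
if the client's VLAN is carried on every hop of the L2 path (AP port -> uplink ->
uplink -> AP port) and the AP-facing ports are configured alike. Switch names,
port names and VLAN numbers are constructed, not from the original post."""
from collections import Counter
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    native_vlan: int                        # untagged VLAN on the port
    tagged_vlans: FrozenSet[int]            # VLANs carried tagged on the port
    security_policy: Optional[str] = None   # 802.1X / MAC-auth policy name, None = open port

    def carries(self, vlan: int) -> bool:
        return vlan == self.native_vlan or vlan in self.tagged_vlans


@dataclass
class Switch:
    name: str
    uplink: str             # port leading back toward the FortiGate (assumed star topology)
    ports: Dict[str, Port]


@dataclass(frozen=True)
class AccessPoint:
    name: str
    switch: str
    port: str


def broken_roams(switches: Dict[str, Switch], aps: List[AccessPoint],
                 ssid_vlans: Dict[str, int]) -> List[Tuple[str, str, str, str]]:
    """For each AP pair on different switches and each SSID VLAN, report the first
    hop where the client VLAN is not carried. Same-switch pairs are skipped: the
    thread reports those roams working, and this check shows why."""
    findings = []
    for ap_a, ap_b in combinations(aps, 2):
        if ap_a.switch == ap_b.switch:
            continue
        sw_a, sw_b = switches[ap_a.switch], switches[ap_b.switch]
        hops = [(sw_a, ap_a.port), (sw_a, sw_a.uplink),
                (sw_b, sw_b.uplink), (sw_b, ap_b.port)]
        for ssid, vlan in ssid_vlans.items():
            for sw, port_name in hops:
                if not sw.ports[port_name].carries(vlan):
                    findings.append((ssid, ap_a.name, ap_b.name,
                                     f"VLAN {vlan} not carried on {sw.name}:{port_name}"))
                    break
    return findings


def ap_port_policy_mismatches(switches: Dict[str, Switch],
                              aps: List[AccessPoint]) -> List[Tuple[str, str, Optional[str]]]:
    """List AP-facing ports whose security policy differs from the most common one.
    A port-auth policy applied to only some AP ports is one way a roam onto that
    switch can fail while same-switch roams still work."""
    rows = [(ap.name, f"{ap.switch}:{ap.port}",
             switches[ap.switch].ports[ap.port].security_policy) for ap in aps]
    common = Counter(policy for _, _, policy in rows).most_common(1)[0][0]
    return [row for row in rows if row[2] != common]


# ---- constructed sample inventory (not the poster's real configuration) ----
AP_VLAN, CORP, VOICE, GUEST = 10, 20, 30, 40
SSID_VLANS = {"corp": CORP, "voice": VOICE, "guest": GUEST}
ALL_CLIENT = frozenset({CORP, VOICE, GUEST})
ap_port = Port(native_vlan=AP_VLAN, tagged_vlans=ALL_CLIENT)

SWITCHES = {
    "sw1": Switch("sw1", "port48", {"port1": ap_port, "port2": ap_port,
                                    "port48": Port(1, frozenset({AP_VLAN}) | ALL_CLIENT)}),
    # sw2's uplink is missing the voice and guest VLANs
    "sw2": Switch("sw2", "port48", {"port1": ap_port,
                                    "port48": Port(1, frozenset({AP_VLAN, CORP}))}),
    # sw3's AP port carries everything but has a port-auth policy applied
    "sw3": Switch("sw3", "port48", {"port1": Port(AP_VLAN, ALL_CLIENT, "dot1x-ap-ports"),
                                    "port48": Port(1, frozenset({AP_VLAN}) | ALL_CLIENT)}),
}
APS = [AccessPoint("ap1", "sw1", "port1"), AccessPoint("ap2", "sw1", "port2"),
       AccessPoint("ap3", "sw2", "port1"), AccessPoint("ap4", "sw3", "port1")]

if __name__ == "__main__":
    for ssid, a, b, why in broken_roams(SWITCHES, APS, SSID_VLANS):
        print(f"{ssid:6} {a} <-> {b}: {why}")
    for ap, port, policy in ap_port_policy_mismatches(SWITCHES, APS):
        print(f"{ap} on {port}: security policy {policy!r} differs from the other AP ports")
```

On the sample inventory the corp SSID roams cleanly everywhere, while every cross-switch roam involving sw2 breaks for the voice and guest SSIDs at sw2's uplink, matching the symptom pattern in the first post (phones losing their address, guests re-authenticating on the captive portal, same-switch roams fine). To use it against a real deployment, populate the `Switch` and `AccessPoint` records from the managed-switch port configuration shown on the FortiGate; the check deliberately reads a port's VLAN membership and policy as data rather than parsing any vendor CLI.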