Controllerless Networks


IAP L2 Roaming issue on Fortinet Network

  • 1.  IAP L2 Roaming issue on Fortinet Network

    Posted Mar 12, 2019 03:15 PM

    Hi guys,

    I've been facing a lot of connection and roaming issues on the network: clients were losing authentication, VoIP phones were losing their IP address and Guests had to re-authenticate on CP. All these problems were treated separately, but after a few tests on the network it seems like we've found a reason for the issue.

    The fact is that the disconnections were occurring in specific IAP transitions (L2 Roaming), and we've noticed that these IAPs weren't on the same switch. So basically when we roam between IAPs that lie on the same switch everything seems fine, but when the client moves to an IAP on another switch (even in the same cluster) the device loses connection. This is happening with all of the devices on the network, which is also the cause of the other failures.

    We are using Fortinet FortiSwitches managed by a FortiGate, and speaking with the Fortinet reseller it seems like the switch has to receive the client's IP, not the AP's MAC, in order to complete roaming outside the switch.

    It seems like it has something to do with the IAP Bridge Mode, is that correct? Should I consider moving the entire network to Mesh for this to work? Are there any changes that could be made on both sides?

    Thank you all.


    A few helpful pieces of information:

    IAP MODELS: 303, 305, 365

    IAP SW VERSION: 8.3.0.0

    AIRWAVE SW VERSION: 8.7.2.1

    CLEARPASS SOFTWARE VERSION: 6.7.5

    FORTISWITCH MODELS: FortiSwitch 424D-FPOE

    FORTIGATE MODELS: FortiGate 600D


  • 2.  RE: IAP L2 Roaming issue on Fortinet Network

    EMPLOYEE
    Posted Mar 12, 2019 04:00 PM

    Make sure that all of the VLANs are trunked to all switches.  If two switches are connected, they must be connected by a trunk that includes all of your Layer 2 LANs.



  • 3.  RE: IAP L2 Roaming issue on Fortinet Network

    EMPLOYEE
    Posted Mar 13, 2019 04:04 PM

    Agree with Colin, I was going to ask if the user SSIDs are on their own VLAN (which would be trunked on the switch) separate from the AP IP VLAN. If the user VLANs are not trunked, even though the APs are still L2 adjacent, that's likely due to the user VLANs not being trunked and carried between all the switches.



  • 4.  RE: IAP L2 Roaming issue on Fortinet Network

    EMPLOYEE
    Posted Mar 15, 2019 01:01 PM

    Since the Fortigate is managing your FortiSwitch, do you have a security profile that is authenticating users/devices on the switch ports where the IAPs are connected?

    The management model (at least in FortiOS 5.6, I haven't personally tried 6.0) hides a good bit of information between the FortiGate and FortiSwitch. Since your reseller also mentioned the user visibility because the IAP is bridging locally rather than tunneling to a controller, that may be playing a role in the roaming problems from switch to switch.



  • 5.  RE: IAP L2 Roaming issue on Fortinet Network

    Posted Mar 15, 2019 02:39 PM

    Hi all,

    Thanks for the replies.

    Configuration regarding VLANs seems fine, and all the client VLANs, and also the IAP VLANs, are tagged in the trunks.

    Charlie, could you be more specific when you say "security profile"? Do you mean 802.1X?

    Br,



  • 6.  RE: IAP L2 Roaming issue on Fortinet Network

    EMPLOYEE
    Posted Mar 16, 2019 01:25 PM
    Correct. The switch port could be configured to do 802.1X or MAC auth. It does not sound like 802.1X is in place because users can roam across APs on a single switch.

    Since the switches are managed by FortiGate, do all switch ports show the same port configuration on the Gate? Taking a step back, what are the expected VLAN(s) that should be in use? The Instant AP will have one VLAN used for management, are wireless users also dropped into this VLAN, or are they tagged into different VLAN(s)?

    The FortiGate should handle the plumbing for making sure that user VLANs are present on any access switch where they are needed, but it's possible either that's not happening or there's a config problem. Do you have a topology map that shows how the FortiSwitches are connected back to the FortiGate?


  • 7.  RE: IAP L2 Roaming issue on Fortinet Network

    Posted Jul 22, 2021 11:34 AM
    Did you find a resolution here? Same exact issue here. Clients can connect to any AP but if they move between specific APs that are plugged into different switches the connections don't work for about 5 minutes and then they work fine again until they move to specific APs. It isn't a roaming issue because they can connect to the AP, shut down the device, move to another AP, power up, and it fails for about 5 minutes.

    ------------------------------
    Sean Herman
    ------------------------------



  • 8.  RE: IAP L2 Roaming issue on Fortinet Network

    Posted Jul 22, 2021 05:31 PM

    This was caused by a software switch on the FortiGate not updating ARP tables until the old entry expired and had nothing to do with Aruba instant or HPE/Aruba switches in our instance, FWIW. The trick was to move to a hardware switch on the FortiGate.
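A simplified model of the failure described in reply 8 (and the multi-minute outage in reply 7), added here as an illustration and not code from the thread or from Fortinet: a gateway that caches client IP to MAC/port and keeps a stale entry until it expires, compared with one that refreshes the entry as soon as the client's MAC shows up on another switch port. The entry lifetime, addresses and port names are constructed values for the replay.

```python
# Added example: model of a gateway's client cache during an L2 roam between
# two access switches. Not from the thread; values below are constructed.
from dataclasses import dataclass

ENTRY_TTL = 300  # constructed: seconds a learned entry lives before re-learning

@dataclass
class Entry:
    mac: str
    port: str
    learned_at: int

class GatewayCache:
    """IP -> (MAC, port) cache; `refresh_on_move` controls roam behaviour."""
    def __init__(self, refresh_on_move: bool):
        self.refresh_on_move = refresh_on_move
        self.table = {}

    def observe(self, ip: str, mac: str, port: str, now: int) -> None:
        """A frame from mac/ip arrived on `port` at time `now`."""
        cur = self.table.get(ip)
        if cur is None or now - cur.learned_at >= ENTRY_TTL:
            self.table[ip] = Entry(mac, port, now)   # unknown or expired: learn
        elif cur.mac == mac and cur.port != port and self.refresh_on_move:
            self.table[ip] = Entry(mac, port, now)   # same client, new port: move
        # otherwise the stale entry is kept until ENTRY_TTL runs out

    def deliver(self, ip: str, now: int):
        """Port the gateway would use to reach `ip`, or None if unknown."""
        cur = self.table.get(ip)
        if cur is None or now - cur.learned_at >= ENTRY_TTL:
            return None
        return cur.port

def roam_replay(refresh_on_move: bool) -> list:
    """Client attaches on switch A at t=0, roams to switch B at t=60 and keeps
    talking from there; returns the port the gateway uses at each check."""
    ip, mac = "10.0.1.50", "aa:bb:cc:00:00:01"   # constructed sample client
    gw = GatewayCache(refresh_on_move)
    gw.observe(ip, mac, "switchA-port7", now=0)
    used = []
    for t in (60, 120, 240, 360):
        gw.observe(ip, mac, "switchB-port3", now=t)   # traffic from new switch
        used.append(gw.deliver(ip, now=t))
    return used

if __name__ == "__main__":
    print("stale-until-expiry:", roam_replay(False))
    print("refresh-on-move:   ", roam_replay(True))
```

With `refresh_on_move=False` the gateway keeps sending to switch A until the entry ages out at t=300, which is the "works again after a few minutes" symptom; with it enabled the roam is effective immediately.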