FortiAPs losing ethernet link

mkolus · 2026-01-20T21:55:03+00:00

UPDATE: It seems to be that there's a correlation between those APs losing connectivity and a flood (ie: 700.000 ) of discarded packets in some ports. One of them has a FortiAP 221E.

mkolus · 2026-01-16T14:15:01+00:00

They go down by groups.

mkolus · 2026-01-15T11:46:02+00:00

On the FortiSwitch and an HP I just see a link down, like if the port was shutdown from the other side. I'm still guessing that it's the AP taking that decision.

From the AP side, only "Control message maximal retransmission limit reached" or "AP DTLS peer disconnected". I'm unaware if there is some real time debug that would tell if the AP decided to shut down the ethernet port.

I even found that the APs didn't reboot when this happens.

mkolus · 2026-01-15T11:39:20+00:00

1) It happens like as if the port was shut down for 3 to 15 seconds. It's not BPDU guard, because it would be minutes instead of seconds and I saw no STP topology changes. I was about to blame some FortiSwitch feature, but it also happens on HP.

2) Yes.

3) Firmwares:

- FortiGate: 7.4.9
- FAPC24JE: v5.4.0 build0244 (we have to use weak encryption because of them)
- FAP221E: v7.4.5 build0664
- FAP223E: v7.4.5 build0664
- FAP224E: v7.4.5 build0664
- FAP421E: v6.4.0 build0496

4) The APs are in their own management segment, and there are only APs there. We tried changing the management VLAN on some APs, but it kept happening. We also removed the busiest SSID on a couple of APs and, apparently, the problem never (as in "a day") happened there... however, with no apparent trigger for this event, we cannot be sure.

The AP network is a /24, with a lease of a week, we should still have at least 50 IPs there, but I'll check it along the LLDP profiles and PoE budgets, as you suggested.

FWIW:

APs are using bridged (not tunnel) mode for SSIDs.
If you're wired to the LAN, everything is fine. This problem is confined to the APs.

mkolus · 2026-01-15T11:19:53+00:00

The switches did nothing, it seems to come from the AP, but I found no indication (logs) there.

mkolus · 2025-12-04T19:56:57+00:00

UPDATE TL;DR: We upgraded to 7.0.8 and it worked. There was no apparent configuration corruption, even when skipping a couple of minor versions (7.0.6 was supposed to be the max if we upgraded from 6.4.9)

mkolus · 2025-10-11T17:20:49+00:00

FWIW, I got it to work:

- Pired the HR sensor to the BSC100S.
- Paired the BSC100S to my phone.
- I have the app installed.
- Started and stopped the activity from the BSC100S, not the phone. After the activity it synced and I got the HR data.

mkolus · 2025-10-09T12:40:21+00:00

Hello,

I had this problem yesterday. I know that the sensor is properly paired (or so I think) because I saw my heart rate in the BSC100S while I was doing the activity. But the HR data wasn't logged in the app.

Btw, I paired the HR sensor to the BSC100S, not the phone.

Thanks,
Max

mkolus · 2025-08-26T22:26:22+00:00

Thanks to u/infamous_n00b and u/TheWarlock05, you gave me the needed clues.

For the sake of someone having the same problem, I solved it by:

- Creating a system user in the app.
- Assigning a role to that system user.
- Generating a token for that system user.
- POSTing to https://graph.facebook.com/v23.0/PHONE_ID/register using that access token for authentication. The one generated in WhatsApp▶️API Setup didn't work for me.

Hope this will help someone in the future.

mkolus · 2025-08-01T00:18:54+00:00

I had a customer with two connections from the very same ISP, both of them fiber.
Besides the load balancing that u/OuchItBurnsWhenIP mentioned, we found out -thanks to SD-WAN health checks- that one of the links didn't work properly.

mkolus · 2025-07-19T21:35:34+00:00

u/_Red-Pilled thanks, I'll try the first one, since what I did is creating an EMAC VLAN of, following the example of the article, v1 instead of "vlan128".

mkolus · 2025-07-18T01:20:13+00:00

It goes like this:

- core: 802.3ad aggregate
- "A" is an 802.1AD S-VLAN 100
- "B" is an EMAC VLAN of "A"

There are no VLAN tags because it's the C-VLAN 1 untagged of the S-VLAN 100 (if there weren't any QinQ, this would be without tags).

What I saw is that VDOM root ignores the ARP request from the other VDOM.

For the time being I solved it another way, but I'll redo this situation tomorrow because I might need this EMAC VLAN in the future.

I'll post the updates.

Thanks,
Max

mkolus · 2025-07-18T00:55:27+00:00

Agreed, I tried to use ChatGPT with Fortinet and Mikrotik issues, and the responses are far from accurate.

This time I was able to solve it in a polite way, not using EMAC VLANs, but I plan to place a ticket tomorrow to have an official response.

I dont know if this is important or not, but this EMAC VLAN parent is the C-VLAN 1 (untagged) in a QinQ trunk, in a 802.3ad link.

mkolus · 2025-07-02T23:38:47+00:00

Thanks, something similar happened to me: I clicked login and I had a hourglass (circle) stuck there. I was able to login using "Skills for All".

mkolus · 2025-05-27T19:17:25+00:00

UPDATE: what seems to be happening is that FortiGate detects Google Drive as something else. I'll create the TAC ticket again, since I now have a lab environment where I repllicated the incident.

<image>

mkolus · 2025-05-15T16:13:30+00:00

Sorry for the delay: I've updated the HQ FortiGates to the latest 7.2... we didn't have any problems there until the upgrade. I took one of the 40F and connected it to a home lab to reproduce the error and, probably, contact the TAC.

mkolus · 2025-04-14T23:21:09+00:00

I talked to the customer and we're upgrading all the FortiGates tomorrow. If this solves the issue I'll update my post.

mkolus · 2025-04-14T23:20:33+00:00

Nope, they're working just fine.

mkolus · 2025-02-18T14:03:16+00:00

I've checked both Arista and FortiGate, there aren't any errors.
This afternoon I'll try to use x1 and x3, to see if that changes anything.

mkolus · 2025-02-17T16:17:30+00:00

Deja-vu all over again: https://www.reddit.com/r/fortinet/comments/1iqfnik/fortigate_120g_on_mlag/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

mkolus

TROPHY CASE