Showing results for 
Search instead for 
Did you mean: 

R700 APs (previously connected) on remote subnet disconnected from ZD

New Contributor II
R700 APs on remote subnets show disconnected, although they are pingable by the ZD, have the correct ZD address (discovered by DNS name), and can ping and traceroute the ZD by both IP and DNS name.

I don't really understand why they are not connecting when all connectivity and address settings seem to be fine. In this particular instance with have 3 APs on a remote subnet and two of them show disconnected while one of them still remained connected. All have the exact same settings and are part of the same AP group.

Valued Contributor II

well if it is MTU related then as you mentioned that other single AP which is working ok should also NOT connect which is on the same physical site as other disconnected AP's and use the same route and firewall.

Symptom for MTU related issue is that AP will connect and will get disconnected right after provisioning, Same cycle will repeat. I assume that in your case AP's are just disconnected. Is this is what is happening in your case?

Esteemed Contributor II
I'm a TSE and got a similar ticket which we got to the bottom of. Version
firmware has a DNS recursion bit bug (ER-1672), that may prevent new APs from
discovering the Zonedirector solely by DNS. The bug fix will be incorporated as
soon as possible.

The workaround in the meantime, is to employ DHCP option 43 with your ZD's IP
address translated by a tool like this link:

Otherwise, you should also be able to SSH into the remote APs and issue the
'set director ip a.b.c.d' command with your ZD's IP address, then 'reboot' and
the APs should find their way to your ZoneDirector.

If DNS only discovery isn't the problem, then back to the VPN/MTU ideas.

New Contributor II
I know what the problem most likely is as we have experienced this exact issue multiple times. When your site-to-site tunnel blips because of a connection issue, the traffic from the AP to the ZoneDirector then automatically tries to route out your WAN connection instead of going across the tunnel connection. Once that session is active, even after the tunnel comes back up it will continue to try to send that traffic out the WAN interface instead of pushing it back through the tunnel. If you do a diag sys session clear on your Fortigate, it will clear that session and it will send it back out the active tunnel.

How to make diag_sys in fortigate?