This article describes why, in a Meraki AP integration, FortiNAC sometimes does not update the Host state to offline when it receives the Syslog message ‘events type=disassociation’.
Since FortiNAC is not able to read live sessions from Meraki APs (L2 polling is not supported by the APs), it learns the Host session status through live messages arriving as Syslog.
Scope
FortiNAC and Meraki AP integration.
Solution
There is a protection mechanism ‘connect time delay’ that handles the race conditions between RADIUS and Syslog messages. If FortiNAC receives a Syslog disassociation message from the Meraki AP within a certain amount of time (30 seconds) after the RADIUS authentication is completed, the Syslog message will be ignored.
In normal conditions, the hosts will not disconnect so quickly after being authenticated and connected to the network. This mechanism will help eliminate false disconnections in cases when the syslog gets delayed.
The ‘ConnectTimeDelay’ attribute can be set on the device/AP to a lower value to override the default delay of 30 seconds.
It can be set to 10000 (10 seconds) using the following command:
execute enter-shell
$ device -ip <IP of the AP> -setAttr -name ConnectTimeDelay -value 10000
Helpful debugs:
diagnose debug plugin enable SyslogServer
diagnose debug plugin enable BridgeManager
Logs:
yams.SyslogServer FINER :: 2024-01-01 10:00:10:300 :: #132 :: SyslogServer received: 192.5.10.5 <134>1 1715682219.265391587 B1_APK201 events type=disassociation radio='0' vap='3' client_mac='A0:B0:C0:22:33:44' band='2' ...
yams.BridgeManager FINER :: 2024-01-01 10:00:10:301 :: #361 :: BridgeManager.disconnectLocalClient called for client A0:B0:C0:22:33:44 290
yams.BridgeManager FINER :: 2024-01-01 10:00:10:301 :: #361 :: disconnectClient() client = Client4 port = Component:
yams.BridgeManager FINER :: 2024-01-01 10:00:10:302 :: #361 :: BridgeManager.makeClientLost skipping immature disconnect for A0:B0:C0:22:33:44
yams.BridgeManager FINER :: 2024-01-01 10:00:10:302 :: #361 :: updateRadiusManagedAttr() 907
yams.BridgeManager INFO :: 2024-01-01 10:00:10:302 :: #361 :: InterfaceEntry has attached clients
yams.BridgeManager INFO :: 2024-01-01 10:00:10:302 :: #361 :: BridgeManager logoffUser logging off A0:B0:C0:22:33:44 290
yams.BridgeManager INFO :: 2024-01-01 10:00:10:302 :: #361 :: BridgeManager logoffUser skipping A0:B0:C0:22:33:44 290
As seen from the logs, FortiNAC chooses not to disconnect the host, treating the event as an ‘immature disconnect’.
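To find every host affected this way in a larger debug capture, the following added example (not Fortinet code) pairs each Meraki disassociation Syslog line with a matching ‘skipping immature disconnect’ line for the same MAC. It assumes the log line layout shown above; the 2-second correlation window, the function names and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout assumed from the debug output above:
# "<logger> <LEVEL> :: <timestamp> :: #<thread> :: <message>"
LINE = re.compile(r"^(yams\.\w+) \w+ :: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d:\d{3}) :: #\d+ :: (.*)$")
DISASSOC = re.compile(r"events type=disassociation .*client_mac='([0-9A-Fa-f:]{17})'")
SKIPPED = re.compile(r"makeClientLost skipping immature disconnect for ([0-9A-Fa-f:]{17})")
WINDOW = timedelta(seconds=2)  # assumption: max gap between Syslog receipt and the skip decision

def parse(line):
    """Split one debug line into (logger, timestamp, message); None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S:%f"), m.group(3)

def classify_disassociations(lines):
    """Return [(mac, syslog_time, 'ignored' | 'not_skipped')], one per disassociation message."""
    events, skipped = [], []
    for logger, ts, msg in filter(None, map(parse, lines)):
        if logger == "yams.SyslogServer" and (m := DISASSOC.search(msg)):
            events.append((m.group(1).upper(), ts))
        elif logger == "yams.BridgeManager" and (m := SKIPPED.search(msg)):
            skipped.append((m.group(1).upper(), ts))
    result = []
    for mac, ts in events:
        # 'ignored' = a skip line for the same MAC follows the Syslog message within WINDOW
        hit = any(s_mac == mac and timedelta(0) <= s_ts - ts <= WINDOW for s_mac, s_ts in skipped)
        result.append((mac, ts, "ignored" if hit else "not_skipped"))
    return result

# Constructed sample in the layout of the logs above (second host and its values are invented).
SAMPLE = """\
yams.SyslogServer FINER :: 2024-01-01 10:00:10:300 :: #132 :: SyslogServer received: 192.5.10.5 <134>1 1715682219.265391587 B1_APK201 events type=disassociation radio='0' vap='3' client_mac='A0:B0:C0:22:33:44' band='2'
yams.BridgeManager FINER :: 2024-01-01 10:00:10:302 :: #361 :: BridgeManager.makeClientLost skipping immature disconnect for A0:B0:C0:22:33:44
yams.SyslogServer FINER :: 2024-01-01 10:05:00:000 :: #132 :: SyslogServer received: 192.5.10.5 <134>1 1715682519.000000000 B1_APK201 events type=disassociation radio='0' vap='3' client_mac='A0:B0:C0:55:66:77' band='2'
yams.BridgeManager FINER :: 2024-01-01 10:05:00:001 :: #361 :: BridgeManager.disconnectLocalClient called for client A0:B0:C0:55:66:77 291
""".splitlines()

if __name__ == "__main__":
    for mac, ts, state in classify_disassociations(SAMPLE):
        print(f"{ts.isoformat(timespec='milliseconds')}  {mac}  {state}")
```

Hosts reported as ‘ignored’ are the ones that may still show as online in FortiNAC after they have left the AP.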