AP's randomly every 5-15 days go not trusted

WG_M370
WSM 12.6.2
FSM 12.5.4

3 - AP200 fw 1.2.9.16
3 - AP120 fw 8.8.3-12
1 - AP125 fw 10.0.0-124.1
5 - AP325 fw 8.5.0-658
1 - AP325 fw 10.0.0-124.1

Last year we replaced 2 XTM 515's for 1 M370 while adding 6 more AP's to our network.
Originally after the upgrade I was having problems seeing connected clients and the SSIDs in the GWC.

https://community.watchguard.com/watchguard-community/discussion/1364/clients-not-showing-in-my-gateway-wireless-controller#latest

I downgraded some of the AP firmware to the point I was able to see the SSIDs and the connected clients.
After a while I noticed the AP's were randomly going "not trusted". All I had to do was mark them trusted again and everything was fine, but it keeps happening approximately every 5-15 days.

It's not always the same AP or AP model that goes 'not trusted'; it's entirely random from time to time.
Since keeping track (Jan.2021) I have noticed the AP120's have not acted up and neither has one of the AP325's which seems odd.

At the end of July I upgraded the M370 to FSW 12.5.4 and I also upgraded two of the AP's; the AP125 and 1 - AP325 to the latest fw 10.0.0-124.1 as a test to see if that would solve the problem. Neither has fixed / solved the problem.
Most times it's the AP200's that go 'not trusted' but the AP325's do it quite often also.
The 3 - AP120's and 1 - AP325 still work flawlessly without going 'not trusted'.

Has anyone come up with a reason or fix for this?

In another 4 months after another major remodel we'll be adding several more AP's so I'm wondering if this will be fixed.

Comments

  • While trying to fix this issue I upgraded two of my AP325's to a newer FW.
    I updated one from 8.5.0-658 to 8.8.3-12 without any problems.

    I went to update another AP325 from 8.5.0-658 to 8.8.3-112 and it won't update or I should say it appears to update but it shows "unreachable".

    I removed the AP and tried to reinstall it but GWC wouldn't find it. I tried power cycling it but that didn't do anything for it.
    I finally did a hard reset at the AP, the GWC finds it and I can pair it, label it, etc., but in the Fireware GWC it still winds up "unreachable".

    In the FW GWC the AP goes to Unreachable > Authenticating > Discovered > Online > Updating Configuration > Online > Unreachable.

    I upgraded my M370 firewall FSM from ver 12.5.4 to 12.6.2 u3 and tried it all again. Removed the AP, reset it at the AP, reinstalled it and it still comes up as "unreachable". The newer FSM does show it's at the 8.8.3-12 FW level, so it appears to have taken the upgrade but why does it show "unreachable"?

    I have 3 more AP325's to update but I hesitate to do so at this point. I can't even update this one past 8.8.3-12 with it being unreachable.

    Any ideas or suggestions?

  • james.carson Moderator, WatchGuard Representative

    I'd suggest opening a case to see if we can determine why the APs are doing this. There's not really enough information here to determine why the APs aren't reachable, and the upgrade behavior suggests that we might actually be losing connection to them intermittently.

    -James Carson
    WatchGuard Customer Support

  • James_Carson; thank you for the response. That was probably going to be my next step besides trying different FW versions to see if I could narrow it down.
    But I'm also thinking I could be chasing my tail by doing so.

    I'll post what I find out.

  • @James_Carson
    I opened a case for these 'not trusted' #01576944

  • @bford - By chance are any of the AP's set to DHCP versus static?

  • @DStone
    Yes, the AP's that were going "not trusted" were set up as DHCP.
    Support suggested I change those AP's to static IP's or with a reserved IP, which I did. It's been 11 days now since I have made that change and none of them have gone "not trusted".

    A simple config change which I didn't catch to fix the problem.

  • Glad you got it sorted. I ran into that issue a while back, and was curious if your issue might be the same.

  • Mine (AP125s) are set with reserved DHCP and still have the odd loss of trust, but it is more like every three months than days. It is more likely to happen if there has been a site power outage - these things are not currently protected by UPS.

    Adrian from Australia

  • Funny, I have been noticing the exact same thing; I kinda poo-pooed it. I simply turned off the trust store at our main facility. Sure, someone will say that it is a security flaw - but I kinda doubt someone on staff is going to walk in with a WG AP and plug it in... then be able to configure it to our VLAN's... But I am going to have to peek more at this.

    More and more, we go to other vendors for WiFi.
