issue:
when doing Microsoft Autopilot Enrollment task sequence, it either shows error "Oops,you've lost internet connect" though I can at the same time ping the internet sites, or takes a very long time (like, 30 minutes or more ) to finish the autopilot enrollment task sequence.
if you click on retry, 99% chance it will show the error again. If you are lucky to get through it, it takes long time to finish the task sequence, or sometimes it just throw some other error during the task sequences.
topology
- 2 cisco 6500 series as VSS.
- 2 Fortigate FW as cluster, working in primary and secondary mode. FW1 is the primary, and basically FW2 will not bear any workload when FW1, the primary role, is working.
- all access switch are connected with vss via port-channel
- MPLS router is for WAN traffic to other branches. Autopilot is under Internet so there is Internet Router to ISP.
what we did:
1, asked Fortigate team to assign a physical port, port 1, from FW1 and set up DHCP under port 1, then connect a laptop or desktop for Microsoft Autopilot Enrollment to port 1, and it works very quickly, like, within 10 minutes. So, the network connection from FW to MS is OK.
2, created a vlan type interface, say, vlan 404, on FW1, then trunk 404 to cisco VSS, then to Access switch. And put some interfaces on Access switch to access VLAN 404 (subnet is 10.80.4.0/24). Then connect laptops for Autopilot Enrollment to the access swithports, and we got the error "Oops,you've lost internet connect" when it is detecting the Internet connection but, if I call the command window using Fn + F10 when the error occurs, I can ping all the same sites that I tried when connecting laptop to port 1 on FW.
I noticed https://learn.microsoft.com/en-us/autopilot/networking-requirements mentioned how Autopilot detects Internet connection, and yes the laptop is able to ping msftncsi.com or msftconnecttest.com when the error shows up.
why we put the gateway of VLAN 404 to FW, and ustilize the DHCP from FW, not like the other VLANs? because we want to bypass as much LAN infra as much as we can. Gateway and DHCP for VLAN 404 from FW works very well. And there is very little configuration about VLAN 404 on core VSS and access switch, they are layer 2 transparent .
FW policy
I created a policy to allow all the traffic coming from VLAN 404 to ALL, applied no security profile on the traffic, and I do see the traffic hit the policy as expected.
And, the traffic from physical port 1 on FW is within the same firewall policy as traffic from VLAN 404.
Workaround
It is critical to deploy laptops so we have another dedicated ISP router (like home router) which is totally isolated from our LAN infra, which is working as a workaround. We cannot stay in data center to use the port 1 on FW for the whole deployment .But we do need to investigate why errors occur. Can someone please give us any tips, THANKS A LOT!
since the configuration file is too big, so I did not attach any configuration, if it is needed for troubleshooting, let me know I will try to attach it here.
Thanks Georg,
yes Fortigate provide NTP options when set up DHCP. But I've already allow ALL service destined for internet in FW policy.
As mentioned in the post, lapotops connected to the physical port 1 on FW works very well.
I compared the NTP settings between the VLAN type interface and physical port 1, they are the same.
and client from VLAN 404 can access the DNS servers listed below, I've already created the policy to allow the DNS traffic.
