Topology:
FG1---Internet (IPSec VPN)---FG2---FAP
- The FortiAP was connected directly to FG1 and was working fine. AC discovery was set to static and the AC IP was configured as 10.7.0.1.
- When the FortiAP was moved behind FG2, it could not register to FG1.
- Entered the FortiAP through SSH and ran wcfg. Found that the FortiAP fails to register and gets stuck in DTLS_SETUP.
- Executed debugs on the FortiAP with ton and don.
- Executed debugs with the commands below:
diagnose wireless-controller wlac wtp_filter <FAP_SN> 0-x.x.x.x:5246 2   <----- x.x.x.x = FortiAP IP.
diagnose debug console timestamp enable
diagnose debug application cw_acd 0x7ff
diagnose debug enable
Executed a packet sniffer on both FortiGates at the same time with the command:
diagnose sniffer packet any "host x.x.x.x" 6 0 l <----- x.x.x.x = FortiAP IP.
DTLS_SETUP cannot be completed with the FortiGate, therefore the CAPWAP tunnel cannot be established between the FortiAP and FG1.
fsm-state shows the FortiAP restarting the DISCOVERY process over and over again each time DTLS_SETUP times out.
FortiAP-221E # wcfg
WTP Configuration
name                 : FortiAP-221E
loc                  : N/A
region map           :
pos-x                :
pos-y                :
ap mode              : thin AP
fmvap                : ,(00000000,00000000,0),0,0
atf mode             : disabled
dual-5g mode         : disabled
led mode             : normal
led schedules        :
WAN port cnt         : 1
lan1                 : carrier=1, speed=1000, duplex=full
energy-efficient-eth : unknown
extension info enable: disable
allowaccess          :
lldp enable          : disable
wtp-report-index     : 0
ctl-msg-offload      : ac=0000/wtp=03ff/oper=0000 ac_general=0
radio cnt            : 2
sta info             : 0/0
echo-interval        : 30
keep-alive-interval  : 30
max-retransmit       : 3
dc-dead-interval     : 120
discovery-interval   : 5
report-interval      : 30
sta-stats-interval   : 1
vap-stats-interval   : 15
radio-stats-interval : 15
sta-cap-interval     : 30
idle-timeout         : 300
fpresence-interval   : 3600, 30
statistics-interval  : 120
fsm-state            : DTLS_SETUP 9   <----- The FortiAP gets stuck here and starts the DISCOVERY process all over again.
wtp-ip-addr          : x.x.x.101:5246 - x.x.x.101:52765
ac-ip-addr           : y.y.y.y:5246 - y.y.y.1:5247 STATIC
base-mac             : aa:bb:cc:dd:ee:ff
bulk data seq num    : -1
ap-mgmt-vlanid       : 0
ac-cert-version      : 2
cert-version-oper    : 0
data-chan-sec-cfg    : clear-text ipsec
data-chan-sec-oper   : clear-text
cipher(ctrl)         : N/A
ip-frag-prevent      : TCP_MSS (ul_mtu=1500 dl_mtu=1500)
ekahau               : disabled
aeroscout            : disabled
data-ethernet-II     : disabled
fortipresence        : disabled, ble enabled, rogue disabled, unassoc_sta disabled, freq 0 server 0.0.0.0:0 secret csum [0x0] project []
LAN mode             : disabled
LAN port cnt         : 0
encrypt_key[0-15]    : 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
encrypt_key[16-31]   : 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
syslog conf          : disabled
ser/.
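When several APs sit behind a VPN it helps to check the wcfg output mechanically rather than by eye. The following Python script is an added example, not Fortinet code: it parses the `key : value` layout of the wcfg output above, pulls out fsm-state and the ul_mtu/dl_mtu values from ip-frag-prevent, and flags an AP that is stuck in DTLS_SETUP or whose CAPWAP tunnel MTU is larger than the path MTU the operator knows the AP-to-AC path can carry. The sample output is a constructed abbreviation of the page's wcfg dump; the `path_mtu` parameter and the field names used by the checks are assumptions based only on that dump.

```python
import re

# Constructed sample, abbreviated from the wcfg output shown on this page.
SAMPLE_WCFG = """\
FortiAP-221E # wcfg
WTP Configuration
name                 : FortiAP-221E
ap mode              : thin AP
discovery-interval   : 5
fsm-state            : DTLS_SETUP 9
wtp-ip-addr          : x.x.x.101:5246 - x.x.x.101:52765
ac-ip-addr           : y.y.y.y:5246 - y.y.y.1:5247 STATIC
data-chan-sec-cfg    : clear-text ipsec
data-chan-sec-oper   : clear-text
ip-frag-prevent      : TCP_MSS (ul_mtu=1500 dl_mtu=1500)
"""

# One "key : value" line. The key ends at the first colon so that values which
# themselves contain colons (IP:port pairs) are kept intact.
KV_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")
MTU_RE = re.compile(r"ul_mtu=(\d+)\s+dl_mtu=(\d+)")


def parse_wcfg(text):
    """Return the wcfg fields as a dict; the prompt and banner lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def fsm_state(fields):
    """Split 'fsm-state' into (state, number printed after it), e.g. ('DTLS_SETUP', 9)."""
    parts = fields.get("fsm-state", "").split()
    if not parts:
        return ("UNKNOWN", 0)
    num = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return (parts[0], num)


def tunnel_mtu(fields):
    """Return (ul_mtu, dl_mtu) from the 'ip-frag-prevent' line, or None if absent."""
    m = MTU_RE.search(fields.get("ip-frag-prevent", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None


def diagnose(text, path_mtu=1500):
    """Flag a registration stuck in DTLS_SETUP and a tunnel MTU above the path MTU.

    path_mtu (assumed input) is the largest packet the AP-to-AC path carries
    without fragmentation; through an IPsec VPN it is below the 1500-byte link MTU.
    """
    f = parse_wcfg(text)
    state, _num = fsm_state(f)
    mtus = tunnel_mtu(f)
    findings = []
    if state == "DTLS_SETUP":
        findings.append("control channel stuck in DTLS_SETUP; registration never completes")
    if mtus and max(mtus) > path_mtu:
        findings.append(
            f"tunnel MTU {mtus} exceeds path MTU {path_mtu}; CAPWAP packets will be fragmented"
        )
    return {"state": state, "ac": f.get("ac-ip-addr"), "tun_mtu": mtus, "findings": findings}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_WCFG, path_mtu=1400).items():
        print(f"{key}: {value}")
```

Feed it the full wcfg dump captured over SSH (`ssh admin@<fap-ip> wcfg > ap.txt`) and the two findings above are exactly the two symptoms this article describes; after the MTU change in the fix below, the second finding disappears.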
After lowering the CAPWAP tunnel MTU (uplink and downlink) to 576 (the default value is 1500) and making sure the IPsec interfaces had Security Fabric Connection enabled, the issue was resolved.
config wireless-controller wtp
    edit <FAP_SN>
        set override-ip-fragment enable
        set ip-fragment-preventing tcp-mss-adjust icmp-unreachable
        set tun-mtu-uplink 576
        set tun-mtu-downlink 576
    next
end
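The reason a smaller tunnel MTU helps is that every CAPWAP packet leaving the AP is wrapped again by FG2 in an ESP tunnel-mode packet, and that wrapper has to fit in the 1500-byte link toward the Internet. The script below is an added example, not Fortinet code or anything the article states: it computes the ESP tunnel-mode overhead from the RFC 4303 header and trailer sizes for an assumed cipher suite and shows that a 1500-byte CAPWAP packet overshoots a 1500-byte outer MTU while a 576-byte one fits comfortably. The cipher suites, the absence of NAT-T and the outer MTU of 1500 are assumptions; the page does not say which proposal the VPN uses.

```python
from dataclasses import dataclass

# Fixed sizes (bytes) of an ESP tunnel-mode packet, per RFC 4303.
IP_HDR = 20        # outer IPv4 header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
NAT_T_UDP = 8      # extra UDP header when NAT traversal (UDP/4500) is in use


@dataclass(frozen=True)
class EspSuite:
    """Cipher-dependent ESP sizes; the two suites below are assumed, not from the page."""
    name: str
    iv_len: int    # explicit IV carried in the ESP payload
    block: int     # padding alignment: cipher block size for CBC, 4 for AEAD
    icv_len: int   # integrity check value


AES_CBC_SHA256 = EspSuite("aes128-cbc + hmac-sha256-128", iv_len=16, block=16, icv_len=16)
AES_GCM_128 = EspSuite("aes128-gcm (16-byte ICV)", iv_len=8, block=4, icv_len=16)


def esp_packet_size(inner_len, suite, nat_t=False):
    """Outer packet length produced by encapsulating an inner IP packet of inner_len bytes."""
    payload = inner_len + ESP_TRAILER          # inner packet + pad-length + next-header
    pad = (-payload) % suite.block             # ESP padding to the cipher alignment
    return (IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR
            + suite.iv_len + payload + pad + suite.icv_len)


def max_inner_mtu(outer_mtu, suite, nat_t=False):
    """Largest inner packet that still fits in outer_mtu without fragmentation."""
    avail = outer_mtu - IP_HDR - (NAT_T_UDP if nat_t else 0) - ESP_HDR - suite.iv_len - suite.icv_len
    avail -= avail % suite.block               # padded payload must be block aligned
    return avail - ESP_TRAILER


def fits(inner_len, outer_mtu, suite, nat_t=False):
    """True when a CAPWAP packet of inner_len bytes crosses the VPN unfragmented."""
    return esp_packet_size(inner_len, suite, nat_t) <= outer_mtu


if __name__ == "__main__":
    OUTER_MTU = 1500                           # assumed link MTU toward the Internet
    for suite in (AES_CBC_SHA256, AES_GCM_128):
        for nat_t in (False, True):
            print(f"{suite.name:32s} nat-t={nat_t!s:5s} "
                  f"max inner={max_inner_mtu(OUTER_MTU, suite, nat_t)} "
                  f"1500->{esp_packet_size(1500, suite, nat_t)} "
                  f"576->{esp_packet_size(576, suite, nat_t)}")
```

The printed "max inner" column is the largest tun-mtu that would pass the VPN without fragmentation for each assumed proposal; 576 is well below all of them, which is why the article's value works regardless of the proposal, and any value at or below the computed maximum would also avoid fragmentation for that particular tunnel.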
Note:
This adjustment can also be made in the WTP profile.
This information can be retrieved on the FortiAP side by executing the command wcfg:
221E-LAB-laltuzar # wcfg
WTP Configuration
name                 : 221E-LAB-laltuzar
...
ip-frag-prevent      : TCP_MSS (ul_mtu=576 dl_mtu=576)   <-----
Further information regarding IP fragmentation of packets in CAPWAP tunnels can be found here:
IP fragmentation of packets in CAPWAP tunnels