Technical Tip: When FortiAP has 'Run' state with primary FortiGate but with the secondary FortiGate, the state is 'image' state or 'dtls_setup'

pprince · ‎11-12-2024

Description

This article describes how to troubleshoot the issue when FortiAP has a 'Run' state with primary FortiGate but with secondary FortiGate, the state is 'image' state or 'dtls_setup.

Login to the FortiAP CLI :

Output of command:

cw_diag -c ha

ACS-0: 192.168.14.1:5246 192.168.14.1:5247 RUN(1136239) 15 HA M 5248 FG100FTK2001xxxx 1136238 fw1
ACS-1: 192.168.14.1:5248 192.168.14.1:5249 DTLS_SETUP(24)1136265 HA S 5248 FG100FTK2001xxxx 26 fw2

Scope

FortiAP.

Solution

In the HA cluster FortiAP should have 2 FSM states: Run for Primary FortiGate and Run_Standby for secondary FortiGate.
If the FortiAP state is stuck in state 'image' state or 'dtls_setup' with secondary FortiGate then this is due to the 5246 ECHO_REQ having ECHO_RESP, but 5248 not having the ECHO_RESP from the other cluster.

Note:

5248 is the capwap port for hitless HA, and 5246 is for the FortiAP-FortiGate capwap packet.

Do not keep any FortiAP image on the FortiGate flash, delete the FortiAP image from both the FortiGate CLI:

exe wire delete-wtp-image all

Refer to the below document:

FortiAP_FIRMWARE_delete.

Expected log put:

Login to the FortiAP CLI.

Output of command:

cw_diag -c ha:

ACS-0: 10.147.24.1:5246 10.147.24.1:5247 RUN(39735) 13 HA M 5248 FG6H0ETB20902xxx 39734
ACS-1: 10.147.24.1:5248 10.147.24.1:5249 RUN_STANDBY(39732) 13 HA S 5248 FG6H0ETB20902xxx 39732

Technical Tip: When FortiAP has 'Run' state with primary FortiGate but with the secondary FortiGate, the state is 'image' state or 'dtls_setup'

You are leaving our website