In a FortiGate in HA acting as a wireless controller, each AP establishes a CAPWAP tunnel to the primary FortiGate and another CAPWAP tunnel to the secondary FortiGate with the intention that if there is a failover on the FortiGate, the FortiAPs are immediately online on the secondary AP.

This can be seen with the next FortiAP command:

cw_diag -c ha
================================================================================

wcha_mode: FGCP @236126

ACS-0: 192.168.254.99:5246 192.168.254.99:5247 RUN(218542) 53 HA M 5248 FGT60ETK20024394 218542 FGT_Primario-1: 192.168.254.99: <- FortiGate secondary.
5248 192.168.254.99:5249 RUN_STANDBY(218537) 53 HA S 5248 FGT60ETK20024873 218538 FGT_Secundario <- FortiGate secondary.

================================================================================

This feature is described in this document.

FortiAP E series do not have this feature, so when there is an HA event, the CAPWAP tunnel will remain offline with the secondary FortiGate, until the AP renegotiates the CAPWAP tunnel with the new FortiGate.

In the 'cw_diag -c ha' command output, only one CAPWAP tunnel is established for FortiAP E series:

cw_diag -c ha

================================================================================

Current AC: 192.168.254.99:5246 pri 1 <- Only one CAPWAP tunnel.

WC fast failover AC mode : 0
WC fast failover peer cnt: 0

Discovered AC list:
ip=192.168.254.99 allow=1 pri=1 dtls=3 wtp=144/4096 sta=62/65535

================================================================================