Help
FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
vpatil
Staff
Staff

Created on ‎12-16-2024 05:04 AM Edited on ‎12-01-2025 01:32 AM By Staff

Article Id 364982

Troubleshooting Tip: FortiAP exhibits AP-leave/join behavior on the FortiGate

Description This article describes the steps to diagnose and debug the FortiAP AP-leave/join behavior on the FortiGate.
Scope FortiGate v7.4 and FortiAP v7.4.
Solution
  1. FortiAP AP-leave/join behavior implies the CAPWAP connection between the FortiAP and the FortiGate is resetting from time to time, causing the FortiAP join-time change (recent) as shown below:

join-time.png

 

  1. The FortiGate WiFi or Wireless Event logs would show the following ap-leave/join events also the reason:

     

    date=2024-06-26 time=13:29:24 eventtime=1719397764527603041 tz="+0300" logid="010404XXX" type="event" subtype="wireless" level="notice" vd="root" logdesc="Physical AP join" sn="FP433FTF2300XXXX" ap="Demo-AP" profile="Test-AP-profile" ip=10.30.X.X meshmode="mesh root ap" snmeshparent="N/A" action="ap-join" reason="N/A" msg="AP Demo-AP joined."
    date=2024-06-26 time=13:28:02 eventtime=1719397682548345461 tz="+0300" logid="010404XXX" type="event" subtype="wireless" level="notice" vd="root" logdesc="Physical AP leave" sn="FP433FTF2300XXXX" ap="Demo-AP" profile="Test-AP-profile" ip=10.30.X.X meshmode="mesh root ap" snmeshparent="N/A" action="ap-leave" reason="AC daemon reset timer expired" msg="AP Demo-AP left."

     

  2. FortiAP exhibits ap-leave/join behavior due to the following potential reasons:

     

    1. FortiAP kernel panic or wtpd daemon crash.

    2. FortiAP and FortiGate Network connectivity issues due to latency, packet loss, bad cable, or faulty uplink switch port issues.

    3. FortiAP PoE Low Power mode or random PoE switch port power loss issues.

    4. FortiAP uplink Switch STP Network loop.

    5. FortiAP Profile is configured with 'DTLS Policy: ipsec-vpn' instead of "DTLS Policy: clear-text.

  3. To verify if the FortiAP or FortiGate has any relevant crash on the current firmware version:

 

FortiAP:

 

kp

crash

 

Alternate helpful FortiAP commands:

 

cw_diag kernel-panic

diag_debug_crashlog read

presult

fap-tech

 

FortiGate:

 

diagnose debug crashlog read 

 

  1. To verify if there are network connectivity issues between the FortiAP and the FortiGate, swap the FortiAP with a wired PC on the same switch port, run continuous pings towards the default gateway and the FortiGate AC IP address, and monitor them. The 'presult' output from the FortiAP can also confirm whether the FortiAP has any packet-loss towards the AC (FortiGate IP address).

     

To verify whether FortiAP's current PoE power mode is full or high, use the following command:

 

cw_diag power 


Power Detection Data: dc=0 ps1=0 af1=0 at1=0 psv1=0 bt1=0 ps2=1 af2=0 at2=1 psv2=0 bt2=0
Budget lldp 0,0 poe 0,25 (dc=99 af=13 at=25 psv=60 bt=50 full=24.9 low=24.9)

Current Power Mode: full (2) Oper Power Mode: full (2)

Radio 1: MaxTxpower 15 TxChainMask 0x0f RxChainMask 0x0f
Radio 2: MaxTxpower 22 TxChainMask 0xf0 RxChainMask 0xf0
Radio 3: MaxTxpower 31 TxChainMask 0x01 RxChainMask 0x01
USB: enabled

full:usb,txpower full,chain 4; low:txpower 17,chain 2

 

Note:

Refer to the FortiAP datasheet to confirm whether the FortiAP requires PoE, PoE+, or x2 802.3at PoE (Dual PoE current sharing) or 1 802.3bt PoE FortiGate, FortiEdge Cloud, or SASE-managed access points

 

  1.  Gather FortiGate cw_acd (CAPWAP AC daemon) and FortiAP cwWtpd daemon logs in the problem state:

FortiGate (in Global VDOM):

diagnose wireless-controller wlac debug cwctl 4

diagnose debug application cw_acd 0x7fff

diagnose debug console timestamp en

diagnose debug enable

After capturing the issue, disable the logs after 5 minutes:

diagnose debug disable         

diagnose debug reset 

diagnose wireless-controller wlac debug cwctl 0

FortiAP:

cfg -a ADMIN_TIMEOUT=0

cfg –c

fap-tech

cw_diag debug ha 5

cw_diag debug cwctl 4

cw_diag debug cfg 3

cw_debug on

don

ton

After 5-10 mins, disable the logs:

doff

cw_diag debug ha 0

cw_diag debug cwctl 0

cw_diag debug cfg 0

toff

  1. If the FortiAP does not have any crash records, then the FortiAP serial console logs are required in the problem state to see if there are hardware or crash trace errors on the console.

     

  2. On the FortiGate, verify if the following timers are default. Any non-default timers can also affect the FortiAP connection stability:

     

    config wireless-controller global
        set max-retransmit 3 // Default 3
    end

     

    config wireless-controller timers
        set echo-interval 30 // Default 30
    end

     

  3. Ensure the FortiAP is on the latest FortiAP v7.4.6 or v7.6.2 GA firmware and above versions because the newer versions contain multiple kernel crash-related fixes: 

Resolved issues - FortiAP 7.4.6

Resolved issues - FortiAP 7.6.2
3239
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.