1. Pushing FortiAP Image from FortiManager and the WIFI are not able to connect after an upgrade

For Example:

Pushing the image from v7.0.1 to v7.0.4 For FortiAPU431F from the FortiManager, the Image was not able to download properly.

2. Validate by using ‘wcfg’ and check if the FortiAP is stuck in RUN + Image Downloading.

Note:

The FortiAP does not receive the image directly from the FortiManager. In other words, the FortiManager pushes the image to the FortiGate, and the FortiAP retrieves the image when it reconnects to the controller/FortiGate.

WTP Configuration

    name                 : FortiAP

    profile              : Profile-U431F

    loc                  : N/A

    region map           :

    pos-x                : 0

    pos-y                : 0

    ap mode              : thin AP

    platform mode        : single-5G

    led mode             : normal

    fmvap                : FG100FTKxxxxxx,(635ea17c,0c776a3c,1),1800,0

    led schedules        : SMTWTFS 00:00->00:00,

    WAN port cnt         : 2

    lan1                 : carrier=1, speed=1000, duplex=full

    lan2                 : carrier=0, speed=0, duplex=

    energy-efficient-eth : disable

    extension info enable: enable

    allowaccess          : ssh snmp

    lldp enable          : enable

    wtp-report-index     : 3

    ctl-msg-offload      : ac=01ff/wtp=03ff/oper=01ff ac_general=1

    skip_cwol            : 1

    radio cnt            : 3

    sta info             : 0/0

    echo-interval        : 30

    keep-alive-interval  : 30

    max-retransmit       : 3

    dc-dead-interval     : 120

    discovery-interval   : 5

    report-interval      : 30

    sta-stats-interval   : 1

    vap-stats-interval   : 15

    radio-stats-interval : 15

    sta-cap-interval     : 30

    idle-timeout         : 300

    fpresence-interval   : 3600, 30

    statistics-interval  : 120

    fsm-state            : RUN + Image Downloading 39953408/65269729 395

    wtp-ip-addr          : 10.11.x.x:5246 - 10.11.x.x:46066

    ac-ip-addr           : 10.11.x.x:5246 - 10.11.x.x:5247        DHCP

    base-mac             : d4:76:a0:2b:57:10

4. Value '65269729' is total bytes and after it completes the download then the image keeps downloading for in few seconds and it will loop
5. There is no image stored on the primary FortiGate controller by validating the command ‘execute wireless-controller list-wtp-image’ and also not pushing any image from FortiManager.
6. Check if disabling the below option fixes the issue on FortiGate:

config system global
    set image-download disable
end

7. By enabling this option image-download and the FortiAP started to request the image download from the FortiGate:

00261.755 AC1,0 msgType : 15 IMAGE_DATA_REQ 10.11.23.33:5248
00261.755 AC1,0 seqNum : 17
00261.755 AC1,0 msgElemLen : 36
00261.755 AC1,0 flags : 0
00261.756 AC1,0 ==========================cwWtpFsmThread 6 2=========================
00261.756 AC1,0 cwWtpFsmThread: failed to receive from fsm socket 6
00261.757 AC0,1 ==========================cwWtpRxUdpCtrlMsg 9 1=========================
00261.757 AC1,0 cwWtpRxUdpCtrlMsg: 113/140985872 * <== 10.11.23.33/5248
00261.757 AC1,0 cwWtpRxUdpCtrlMsg: 1105/140986977 * <== 10.11.23.33/5248
00261.757 AC1,0 ==========================cwWtpRxUdpCtrlMsg 9 2=========================
00261.757 AC1,0 cwWtpDtlsThread: 48 <== sock 26 ssl_err 0
00261.757 AC1,0 CAPWAP Hdr: P/T=0/0 len=2 RID=0 WBID=1 T=0 F=0 L=0 W=0 M=0 K=0 resv=0 frag=0/0 resv=0
00261.757 AC1,0 CAPWAP Control Header Dump:
00261.757 AC1,0 msgType : 16 IMAGE_DATA_RESP 10.11.23.33:5248
00261.757 AC1,0 seqNum : 17
00261.758 AC1,0 msgElemLen : 35

8. To Fix this issue, validate if the image is stored on the FortiGate secondary Firewall by using the below command:

execute wireless-controller delete-wtp-image all

9. Enable the option image-download and validate if the FortiAP is not stuck in image+download and users can connect to the FortiAP without an issue.