Rudresh_Veerappaji
Article Id 398529
Description

This article describes the procedure to troubleshoot configuration sync issues, and the possible remedies, for FortiAP access points that are managed by a FortiGate (with the integrated Wireless-Controller functionality). In certain scenarios, configuration changes made on the FortiGate might not reach the FortiAPs due to config sync issues, CAPWAP issues, etc.

Scope FortiGate, FortiAP.
Solution

Table of Contents:

Introduction

Wireless Event logs in FortiGate and FortiAP

Common Event log errors related to config sync issues

Review crashlogs in FortiGate and FortiAP

Review AP configs in FortiGate

Review errors in FortiGate Wireless-Controller CLI

Review system resources utilization

CAPWAP packet sniffers

Additional CLI commands

FortiGate Wireless-Controller debugs

FortiAP debugs

SSID profile corruptions

Terminology

Related articles

 

Introduction.

This article describes scenarios where FortiAPs are showing online and connected to FortiGate, but AP-related configurations on FortiGate are not in sync with the FortiAPs, and new config changes, like updates to the SSID config from FortiGate, fail to get installed or take effect on the FortiAPs. The first step is to ensure the FortiAP version is compatible with the FortiGate/FortiSwitch firmware versions by reviewing the compatibility guide, especially during upgrades of any device in the network. If the FortiGates/FortiSwitches were recently upgraded, a FortiAP still running an older version might have become incompatible.

 

FortiAP and FortiGate 7.x compatibility matrix

FortiSwitch and FortiGate 7.x compatibility matrix

 

Wireless Event logs in FortiGate and FortiAP.

The WiFi event logs in the FortiGate provide useful information on any CAPWAP errors while the FortiGate's wireless controller is trying to manage the FortiAPs, like config sync after new config changes. In the FortiGate GUI, go to 'Log & Report' -> System Logs -> Wi-Fi Events as shown in the example below, and review any critical/warning logs indicating possible issues.

 

wireless-event-fortigate.png

 

Common Event log errors related to config sync issues.

Here are some common event log errors related to FortiAP config sync issues and the possible reasons:

 

  1. WLAN DEL error:

 

05-04-2025 21:02 0 ap ap-status ap-fail 80211 WLAN DEL error AP <FortiAP1> failed

05-04-2025 21:02 0 ap ap-status ap-fail 80211 WLAN ADD error AP <FortiAP1> failed

 

Indicates possible issues with the CAPWAP tunnel being unstable between FortiGate and FortiAP. Review the remaining logs around the time of these errors, and additionally enable the debugs discussed later in this article to identify the cause of the issue.

 

  2. Received unexpected discovery REQs:

 

05-04-2025 02:43 0 ap ap-status ap-fail Received unexpected DISCOVERY REQ, session tear down AP <FortiAP1> failed

 

Indicates that discovery requests are being received from the FortiAP even though there is already an active CAPWAP session with that AP. These discovery requests might cause the existing session to be torn down and re-created.

 

  3. Control message retransmissions limit reached:

 

05-04-2025 02:43 0 ap ap-status ap-fail Control message maximal retransmission limit reached AP <FortiAP1> failed

 

Indicates that the CAPWAP packet exchanges are not stable and FortiGate is unable to maintain connectivity to FortiAP.

 

  4. Echo REQ is missing:

 

logdesc="Physical AP fail" action="ap-fail" reason="ECHO REQ is missing" msg="Failure happened on FortiAP1."
 
This error indicates that FortiGate is unable to maintain keepalives with the FortiAP. The ECHO REQ and RESPONSE message exchanges are not completing, likely because of unstable connectivity. A packet capture of CAPWAP packets can be taken to analyze further.

 

FortiAP diagnostic logs from within FortiGate GUI under 'Managed FortiAPs' section.

Logs directly from FortiAP can be viewed from within the FortiGate by navigating to WiFi & Switch Controller -> Managed FortiAPs -> Select the FortiAP -> Diagnostics and Tools.

 

FortiAP-logs-from-Fortigate-GUI.png

 

Review crashlogs in FortiGate and FortiAP.

In the FortiGate CLI, use the command 'diagnose debug crashlog read' to check for any crash log entries for 'application cw_acd' and entries like 'cw_acd previously crashed 1 times'. cw_acd is the wireless controller daemon in FortiGate, and crashes of this daemon could indicate FortiAP connectivity/config-sync issues. Open a ticket with Fortinet TAC with the crashlog output to investigate further.

 

Similarly, check for crashlog entries in FortiAP CLI using the command "diag_debug_crashlog read", and share with Fortinet TAC for further review.

 

Review AP configs in FortiGate.

If the event logs do not indicate an issue, the next step is to review the current SSID configs on the FortiAP and check what is missing. Log in to the FortiAP via SSH from FortiGate and use the command 'vcfg' or 'cw_diag -c vap-cfg' to review the SSID and FortiAP profile configs, then compare them with the corresponding configs in FortiGate to see if there is any difference between the two.

 

FortiAP# vcfg 

 

Or:

 

FortiAP-431F # cw_diag -c vap-cfg

-------------------------------VAP Configuration 1----------------------------

Radio Id 0 WLAN Id 2 Corp-SSID ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)

vlanid=0, intf=wlan02, vap=0x1bdb0a8, bssid=d4:76:a0:db:ea:0a
11ax high-efficiency=enabled target-wake-time=enabled bss-color=0 partial=enabled
mesh backhaul=disabled
local_auth=disabled standalone=disabled nat_mode=disabled
local_bridging=disabled split_tunnel=disabled
intra_ssid_priv=disabled
mcast_enhance=disabled igmp_snooping=disabled
mac_auth=disabled fail_through_mode=disabled sta_info=0/0
mac=local, tunnel=8023, cap=8ce0, qos=disabled
prob_resp_suppress=disabled
rx sop=disabled
sticky client remove=disabled
mu mimo=enabled ldpc_config=rxtx
dhcp_option43_insertion=enabled dhcp_option82_insertion=disabled
access_control_list=disabled
bc_suppression=dhcp dhcp-ucast arp
auth=WPA2, PSK, AES WPA keyIdx=1, keyLen=16, keyStatus=1, gTsc=000000000000
key=f1f1d9c4 cf728f88 db3f976f 74767213
pmf=disable
okc=disabled, dynamic_vlan=disabled, extern_roaming=disabled
voice_ent(802.11kv)=enabled, fast_bss_trans(802.11r)=disabled mbo=disabled
airfairness weight: 20%
schedules=SMTWTFS 00:00->00:00,
ratelimit(Kbps): ul=0 dl=0 ul_user=0 dl_user=0 burst=disabled
rates control configuration:

11ac_ss12: mcs0/1 mcs1/1 mcs2/1 mcs3/1 mcs4/1 mcs5/1 mcs6/1 mcs7/1 mcs8/1 mcs9/1 mcs10/1 mcs11/1 mcs0/2 mcs1/2 mcs2/2 mcs3/2 mcs4/2 mcs5/2 mcs6/2 mcs7/2 mcs8/2 mcs9/2 mcs10/2 mcs11/2
11ac_ss34: mcs0/3 mcs1/3 mcs2/3 mcs3/3 mcs4/3 mcs5/3 mcs6/3 mcs7/3 mcs8/3 mcs9/3 mcs10/3 mcs11/3 mcs0/4 mcs1/4 mcs2/4 mcs3/4 mcs4/4 mcs5/4 mcs6/4 mcs7/4 mcs8/4 mcs9/4 mcs10/4 mcs11/4

. . .

 

Verify that there are as many VAP config entries as there are [Radios X SSID] entries configured in the FortiGate. If any entry is missing, it indicates some part of the config has not been synced with the FortiAP. Also, check to see that the corresponding WLAN IDs have "ADMIN_UP" status as shown below. 

 

FortiAP# cw_diag -c vap-cfg | grep WLAN
Radio Id 0 WLAN Id 0 da12Sasaz ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
Radio Id 0 WLAN Id 1 fortinet ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
Radio Id 0 WLAN Id 2 Corp-SSID ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
Radio Id 1 WLAN Id 0 da12Sasaz ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
Radio Id 1 WLAN Id 1 fortinet ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
Radio Id 1 WLAN Id 2 Corp-SSID ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
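
The radio-by-SSID count and ADMIN_UP check described above can be automated against saved CLI output. The following Python is an added example, not part of the original article or a Fortinet tool; the function names are hypothetical, and the sample output is constructed (the ADMIN_DOWN(INTF_DOWN) status string is an assumed placeholder for any non-ADMIN_UP state).

```python
import re
from itertools import product

# Matches lines such as:
# Radio Id 0 WLAN Id 2 Corp-SSID ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
VAP_LINE = re.compile(
    r"^Radio Id (?P<radio>\d+) WLAN Id (?P<wlan>\d+) (?P<ssid>.+?) "
    r"(?P<admin>[A-Z_]+)\((?P<intf>[A-Z_]+)\)"
)

# Constructed sample of 'cw_diag -c vap-cfg | grep WLAN' output: radio 1 is
# missing Corp-SSID and reports 'fortinet' in a constructed non-UP state.
SAMPLE_OUTPUT = """\
Radio Id 0 WLAN Id 0 da12Sasaz ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
Radio Id 0 WLAN Id 1 fortinet ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
Radio Id 0 WLAN Id 2 Corp-SSID ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
Radio Id 1 WLAN Id 0 da12Sasaz ADMIN_UP(INTF_UP) init_done 0.0.0.0/0.0.0.0 unknown (-1)
Radio Id 1 WLAN Id 1 fortinet ADMIN_DOWN(INTF_DOWN) init_done 0.0.0.0/0.0.0.0 unknown (-1)
"""


def parse_vap_lines(text):
    """Return {(radio_id, ssid): admin_state} for every VAP line in the output."""
    vaps = {}
    for line in text.splitlines():
        m = VAP_LINE.match(line.strip())
        if m:
            vaps[(int(m["radio"]), m["ssid"])] = m["admin"]
    return vaps


def check_vap_sync(text, radios, ssids):
    """Compare the AP's VAP list with the radios x SSIDs configured on the FortiGate."""
    vaps = parse_vap_lines(text)
    expected = set(product(radios, ssids))
    present = set(vaps)
    return {
        # Configured on the FortiGate but never installed on the AP.
        "missing": sorted(expected - present),
        # Installed on the AP but not administratively up.
        "not_admin_up": sorted(k for k in present & expected if vaps[k] != "ADMIN_UP"),
        # On the AP but no longer expected (for example, a stale SSID).
        "unexpected": sorted(present - expected),
    }


if __name__ == "__main__":
    report = check_vap_sync(SAMPLE_OUTPUT, radios=[0, 1],
                            ssids=["da12Sasaz", "fortinet", "Corp-SSID"])
    for category, entries in report.items():
        for radio, ssid in entries:
            print(f"{category}: radio {radio} ssid {ssid}")
```

The expected radio and SSID lists come from the FortiGate side (for example, from 'show wireless-controller vap' and the FortiAP profile).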

 

Review errors in FortiGate Wireless-Controller CLI.

There are several diagnostic wireless controller CLI commands available in FortiGate that can be used to quickly check for errors that could be affecting communication with FortiAPs. Review the configs in the CLI first, using the command 'show wireless-controller vap', to ensure they are as intended.

 

Use the below CLI command to check for any errors:

 

FortiGate# diagnose wireless-controller wlac -c wtp
-------------------------------WTP 1----------------------------
WTP vd : root
vfid : 0
id : FP431FTFxyzxyzxyz
uuid : 6060976e-0a69-51ec-3080-0f744b57ee2d
mgmt_vlanid : 0
region code : A 
regcode status : valid
refcnt : 3 own(1) wtpprof(1) ws(1)
apcfg status : N/A,N/A cfg_ac=0.0.0.0:0 val_ac=0.0.0.0:0 cmds T 0 P 0 U 0 I 0 M 0
apcfg cmd details:
plain_ctl : disabled
deleted : no
image-dl(wtp,rst): yes,no
admin : enable
cfg-wtp-profile : Forti-AP-profile-1
override-profile : enabled
oper-wtp-profile : resv-dflt-FP431FTFxyzxyzxyz
wtp-mode : normal
wtp-wanlan-mode : wan-only
. . .
split-tunneling-acl-path : local
split-tunneling-local-ap-subnet : disabled
energy-efficient-ethernet : disabled
active sw ver : FP431F-v6.4-build0163
local IPv4 addr : 172.16.218.10
board mac : d4:76:a0:db:ea:00
join_time : Tue Aug 5 08:35:01 2025
mesh-uplink : ethernet
mesh hop count : 0
parent wtp id :
connection state : Connected
image download progress: 0
last failure : 0 -- N/A      <----- Review this section for sync failure reasons.
last failure param:
last failure time: N/A
station info : 0/0
geo : World (0)
deployment : cfg platform-determined oper indoor
LAN :
rId : 3
cnt : 2
port 1 : mode offline(0)
port 2 : mode offline(0)
LLDP : enabled (total 1)
local port : lan1
chassis id : mac d4:76:a0:ab:66:1a
sys name : FortiGate-81F            <----- Verify that this field is not empty.
sys description : FortiGate-81F v7.2.10,build1706,240918 (GA.M)
capability : Router
port id : LAN2
port description : Not received
MAU oper type :
ip : 172.16.218.1
vlan id : N/A
SNMP : disabled
WAN port authentication: none
WAN port 802.1x EAP method: all
Capability :
local standalone : enabled
. . .
no rouge ap sta : enabled
vap acl range/wildcard mac : disabled
Radio 1 : AP
80211d enable: : enabled
country name : US    <----- Verify that the country name and code are accurate and not empty.
country code : 841
drma_manual_mode : ncf
radio_type : 11AX
channel list : 1 6 11
darrp : disabled
airtime fairness : disabled
bss color mode : Auto
bss color(actual): 0
txpower : 100% (calc 30 oper 30 max 30 dBm)
beacon_intv : 100
rts_threshold : 2346
frag_threshold : 2346
ap scan : disable
ap scan passive : disabled
sensor mode : disabled
ARRP profile : ---
WIDS profile : ---
wlan 0 : Forti-AP-1
wlan 1 : Internal-Users
wlan 2 : Corp-SSID-2
max vaps : 8
base bssid : d4:76:a0:db:ea:08
oper chan : 6
noise_floor : -95
chutil : enabled
oper chutil time : Tue Aug 5 09:49:32 2025 (age=7)
oper chutil data : 64,64,68,64,69, 68,60,65,67,64, 66,62,61,66,64 ->newer
station info : 0/0
Radio 2 : AP
80211d enable: : enabled
country name : US   <----- Verify that the country name and code are accurate and not empty
country code : 841
drma_manual_mode : ncf
radio_type : 11AX_5G
channel list : 36 40 44 48 52 56 60 64 100 104 108 112 116 120 124 128 132 ...
darrp : disabled
airtime fairness : disabled
bss color mode : Auto
bss color(actual): 0
txpower : 100% (calc 28 oper 22 max 28 dBm)
beacon_intv : 100
rts_threshold : 2346
frag_threshold : 2346
ap scan : disable
ap scan passive : disabled
sensor mode : disabled
ARRP profile : ---
WIDS profile : ---
. . .
oper chutil time : Tue Aug 5 09:49:32 2025 (age=7)
oper chutil data : 3,3,3,2,5, 3,6,5,3,4, 2,2,5,3,2 ->newer
station info : 0/0
Radio 3 : Monitor
ap scan passive: disabled
sensor mode : disabled
auto suppress : disabled
fgscan rptintv : 15
spectrum analysis: scan only
ARRP profile : ---
WIDS profile : ---
Radio 4 : Virtual Lan AP
max vaps : 0
base bssid : 00:00:00:00:00:00
station info : 0/0
Radio 5 : Not Exist
WAN/LAN stats :
: lan1 rx,tx bytes 13838486,28566911 packets 32714,36120 errors 0,0 dropped 206,0  <----- Check for increasing errors/drop counters.
: lan2 rx,tx bytes 0,0 packets 0,0 errors 0,0 dropped 0,0
status :
uplink status : 
lan1 carrier=1, speed=1000, duplex=full
lan2 carrier=0, speed=0, duplex=
-------------------------------Total 1 WTPs----------------------------

FortiGate-81F #

 

Here are some common errors seen with this diagnostic command:

 

  • WLAN DEL / ADD errors:

 

FortiGate# diagnose wireless-controller wlac -c wtp | grep failure

last failure : 34 -- 80211 WLAN DEL error

 

The possible reasons for this error are the same as explained in section 2, FortiAP L2/L3 connectivity issues.

 

  • Empty country string:

 

FortiGate# diagnose wireless-controller wlac -c wtpprof 231G | grep country

Issue:

country name : --
country code : N/A

 

If the country name/code field is empty or incorrect, it could cause connectivity issues or config-sync issues. Ensure these fields are accurate and not empty.

 

The following is what an output should look like (good example):

 

cfg country : 250
cfg country str : FR
cfg country : 250
cfg country str : FR
cfg country : 250
cfg country str : FR

 

  • Control message maximal retransmission limit reached:

 

FortiGate# diagnose wireless-controller wlac -c wtp | grep failure
last failure : 8 -- Control message maximal retransmission limit reached
last failure param: N/A
last failure time: Fri Aug 05 12:39:18 2025
last failure : 8 -- Control message maximal retransmission limit reached
last failure param: N/A

 

Control message max retransmission errors indicate possible task completion failures or even connectivity issues with the FortiAP. Review the event logs and apply packet sniffers on the FortiGate to analyze the possible causes of the issue further.

 

  • FortiAP Radio status:

 

FortiAP# cw_diag -c radio-cfg

Radio 0: Failed
Radio 1: Failed

 

Ensure the radios have not gone into a failed state. Restart or factory reset the FortiAP to try to recover from the issue, and then attempt to push the configs from FortiGate again by authorizing and adding the FortiAP.
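
The 'last failure', country and LLDP sys name checks described above can be run over saved 'diagnose wireless-controller wlac -c wtp' output for many APs at once. The following Python is an added example, not part of the original article or a Fortinet tool; the function name is hypothetical, the sample is a constructed and heavily trimmed output, and the second WTP id is a placeholder.

```python
import re

WTP_HEADER = re.compile(r"^-+WTP (\d+)-+$")
# 'key : value' lines; the key ends at the first colon, so MAC addresses and
# timestamps in the value are left intact.
FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")
EMPTY = {"", "--", "N/A"}

# Constructed sample: WTP 1 is healthy, WTP 2 shows the failure patterns
# discussed in this section.
SAMPLE_WTP = """\
-------------------------------WTP 1----------------------------
WTP vd : root
id : FP431FTFxyzxyzxyz
connection state : Connected
last failure : 0 -- N/A
sys name : FortiGate-81F
Radio 1 : AP
country name : US
country code : 841
-------------------------------WTP 2----------------------------
WTP vd : root
id : FP231GTFxyzxyzxyz
connection state : Connected
last failure : 8 -- Control message maximal retransmission limit reached
last failure time: Fri Aug 05 12:39:18 2025
sys name :
Radio 1 : AP
country name : --
country code : N/A
-------------------------------Total 2 WTPs----------------------------
"""


def check_wtps(text):
    """Return a list of (wtp_id, field, value) findings worth reviewing."""
    findings = []
    wtp_id, radio = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if WTP_HEADER.match(line):
            wtp_id, radio = None, None      # a new WTP block starts here
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m["key"].strip(), m["value"].strip()
        if key == "id" and wtp_id is None:
            wtp_id = value
        elif key.startswith("Radio "):
            radio = key                     # remember which radio follows
        elif key == "connection state" and value != "Connected":
            findings.append((wtp_id, key, value))
        elif key == "last failure" and value.split("--")[0].strip() != "0":
            findings.append((wtp_id, key, value))
        elif key == "sys name" and value in EMPTY:
            findings.append((wtp_id, key, value))
        elif key in ("country name", "country code") and value in EMPTY:
            findings.append((wtp_id, f"{radio} {key}", value))
    return findings


if __name__ == "__main__":
    for wtp, field, value in check_wtps(SAMPLE_WTP):
        print(f"{wtp}: {field} = {value!r}")
```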

 

Review system resources utilization.

Check for any overutilization of system resources like CPU/memory/storage on both FortiGate and FortiAP using the below CLI commands. Overutilization could cause the cw_acd daemon to not get enough CPU cycles (or the cw_acd daemon itself may be the top CPU/memory consuming process) and cause config-sync and other issues with FortiAPs.

 

On the FortiGate:

Look for the cw_acd daemon to see if it is busy and hogging system resources.

 

FortiGate# get system performance top

Run Time: 210 days, 0 hours and 45 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 3717T, 2206F

cw_acd 275 S 2.3 2.9 3

node 235 S 1.3 1.8 3
flcfgd 294 R 1.1 0.3 6
newcli 6083 R 0.1 0.3 6
wad 287 S 0.0 1.1 6
wad 285 S 0.0 1.1 0

FortiGate# get sys performance status
CPU states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU1 states: 2% user 0% system 0% nice 98% idle 0% iowait 0% irq 0% softirq
. . .
Memory: 3806360k total, 1200236k used (31.5%), 2265596k free (59.5%), 340528k freeable (9.0%)

 

Note:

Restarting cw_acd daemon in the FortiGate might be a possible remedy, but upon restarting this process, all the FortiAPs will get disconnected and reconnect.

 

On the FortiAP:

Use the CLI command below to check the status of CPU and memory utilization on the FortiAP. Use the FortiGate GUI option to SSH to FortiAP or directly console/SSH to FortiAP to run the commands below.

 

FortiAP# cw_diag sys-performance

CPU Load : 6%
CPU1 Load : 8%
CPU2 Load : 2%
CPU3 Load : 7%
CPU4 Load : 7%

Memory Usage: 34%

 

FortiAP# otop -n 3 -d 3

Mem: 352820K used, 538468K free, 1252K shrd, 15208K buff, 59912K cached
CPU: 1% usr 1% sys 0% nic 93% idle 0% io 0% irq 2% sirq
Load average: 0.25 0.16 0.09 2/204 11137
PID PPID USER STAT VSZ %VSZ %CPU COMMAND
4752 1 admin S 13964 2% 1% /sbin/cwWtpd_spectral
1993 1 admin S 4316 0% 1% /usr/bin/monit -c /etc/monitrc
4075 1 admin S< 18200 2% 0% /sbin/cwWtpd
1064 2 admin SW< 0 0% 0% [scheduler_threa]
1665 1 admin S 15024 2% 0% {kore [parent]} kore -nc fap_backend/fap_backend.conf
11037 6754 admin R 4704 1% 0% /usr/bin/top
6693 1672 admin S 4520 1% 0% /usr/sbin/dropbear -R -B -j
4668 1 admin S 4400 0% 0% /sbin/ble
4753 1 nobody S 1724 0% 0% avahi-daemon: running [FortiAP-431F.local]
2881 1 admin S 780 0% 0% /sbin/rngd -r /dev/hwrng -W 2048 -s 256
1668 1665 admin S 15344 2% 0% {kore [wrk 1]} kore -nc fap_backend/fap_backend.conf
1667 1665 admin S 15116 2% 0% {kore [keymgr]} kore -nc fap_backend/fap_backend.conf
1095 1 admin S 5508 1% 0% /usr/bin/cnssdaemon
2589 1 admin S 5260 1% 0% /sbin/hostapd
6754 6693 admin S 4888 1% 0% -fapcli
2590 1 admin S 4688 1% 0% /sbin/fapportal

 

FortiAP# top

 

Example output of the 'top' CLI command on a FortiAP:

 

top-fortiap-cli.png

 

Monitor resource utilization over several minutes with the above CLI commands, noting the top processes in the list and any anomalies in the output.

 

CAPWAP packet sniffers.

FortiGate uses the CAPWAP protocol (Control and Provisioning of Wireless Access Points) to manage FortiAPs over two channels:

  1. Control channel over UDP port 5246 for management-related traffic, and
  2. Data channel over UDP port 5247 for data traffic.

 

Use the packet sniffer on FortiGate with filters as shown below and verify the bidirectional CAPWAP control and data traffic flows. In the example below, FortiGate wireless-controller (internal3) IP address is 172.16.218.1, and the FortiAP IP address (DHCP assigned) is 172.16.218.10.

 

FortiGate-81F # diagnose sniffer packet any "udp port 5246 or udp port 5247" 4
interfaces=[any]
filters=[udp port 5246 or udp port 5247]
9.562948 internal3 in 172.16.218.10.46095 -> 172.16.218.1.5247: udp 616
9.562968 internal3 in 172.16.218.10.46095 -> 172.16.218.1.5247: udp 616
9.567405 internal3 out 172.16.218.1.5246 -> 172.16.218.10.15246: udp 787
9.629269 internal3 in 172.16.218.10.15246 -> 172.16.218.1.5246: udp 87
9.629358 internal3 in 172.16.218.10.15246 -> 172.16.218.1.5246: udp 77
9.630218 internal3 out 172.16.218.1.5246 -> 172.16.218.10.15246: udp 65
9.633050 internal3 in 172.16.218.10.15246 -> 172.16.218.1.5246: udp 270
9.633272 internal3 out 172.16.218.1.5246 -> 172.16.218.10.15246: udp 65
11.765002 internal3 in 172.16.218.10.46095 -> 172.16.218.1.5247: udp 616
CAPWAP Keep Alive
11.884889 internal3 out 172.16.218.1.5247 -> 172.16.218.10.46095: udp 30
CAPWAP Keep Alive
11.887353 internal3 in 172.16.218.10.46095 -> 172.16.218.1.5247: udp 1079
11.887393 internal3 in 172.16.218.10.46095 -> 172.16.218.1.5247: udp 1249

. . .
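
Checking for bidirectional CAPWAP traffic, as described above, can be scripted against saved sniffer output. The following Python is an added example, not part of the original article or a Fortinet tool; the function names are hypothetical, the sample mixes lines in the format shown above with constructed lines for a second AP (172.16.218.11) that receives no replies, and it assumes the verbosity 4 line format shown in this article.

```python
import re
from collections import defaultdict

CAPWAP_PORTS = {5246: "control", 5247: "data"}

# 9.562948 internal3 in 172.16.218.10.46095 -> 172.16.218.1.5247: udp 616
PKT = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): udp (?P<len>\d+)"
)

# Constructed sample; the last two lines are a second AP sending control
# packets that the controller never answers.
SAMPLE_SNIFF = """\
interfaces=[any]
filters=[udp port 5246 or udp port 5247]
9.562948 internal3 in 172.16.218.10.46095 -> 172.16.218.1.5247: udp 616
9.567405 internal3 out 172.16.218.1.5246 -> 172.16.218.10.15246: udp 787
9.629269 internal3 in 172.16.218.10.15246 -> 172.16.218.1.5246: udp 87
11.884889 internal3 out 172.16.218.1.5247 -> 172.16.218.10.46095: udp 30
CAPWAP Keep Alive
12.101000 internal3 in 172.16.218.11.15246 -> 172.16.218.1.5246: udp 87
15.101000 internal3 in 172.16.218.11.15246 -> 172.16.218.1.5246: udp 87
"""


def capwap_flows(text, controller_ip):
    """Count sniffer lines per (AP IP, channel) in each direction.

    The channel is taken from the controller-side port. Counts are per
    sniffer line, so a packet seen on several interfaces counts more than once.
    """
    flows = defaultdict(lambda: {"ap_to_ac": 0, "ac_to_ap": 0})
    for line in text.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue                        # banner or decode lines
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["dst"] == controller_ip and dport in CAPWAP_PORTS:
            flows[(m["src"], CAPWAP_PORTS[dport])]["ap_to_ac"] += 1
        elif m["src"] == controller_ip and sport in CAPWAP_PORTS:
            flows[(m["dst"], CAPWAP_PORTS[sport])]["ac_to_ap"] += 1
    return dict(flows)


def one_way_flows(flows):
    """Return (ap_ip, channel, reason) for every channel seen in one direction only."""
    problems = []
    for (ap, channel), count in sorted(flows.items()):
        if count["ap_to_ac"] == 0:
            problems.append((ap, channel, "no AP-to-controller packets"))
        elif count["ac_to_ap"] == 0:
            problems.append((ap, channel, "no controller-to-AP packets"))
    return problems


if __name__ == "__main__":
    for ap, channel, reason in one_way_flows(capwap_flows(SAMPLE_SNIFF, "172.16.218.1")):
        print(f"{ap} {channel}: {reason}")
```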

 

Additionally, packet captures in PCAP format can be collected from the FortiGate in the GUI for more detailed analysis of the packets by going to Network -> Diagnostics -> Packet capture and enabling the appropriate filters as shown in the example below:

 

Packet captures in the FortiGate GUI:

 

packet-capture-filters-fortigate.png

 

capwap-packet-capture-2.png

 

Wireshark view of the pcap downloaded from FortiGate GUI, showing CAPWAP and DTLS traffic between FortiAP and FortiGate.

 

Note:

For more detailed analysis of CAPWAP traffic between FortiGate and FortiAP, use the packet sniffer configuration discussed in the documentation here: CAPWAP and wireless traffic packet sniffer configurations.

 

Additional CLI commands.

The following are some additional diagnostic CLI commands that can be used while troubleshooting configuration push issues.

 

FortiGate:

 

get sys status

get hardware status

diagnose debug crashlog read

show wireless-controller wtp

show wireless-controller vap

diagnose wireless-controller wlac -c ws
diagnose wireless-controller wlac -c wtp
diagnose wireless-controller wlac -c vap
diagnose wireless-controller wlac -c sta

show

diagnose debug report

 

FortiAP:

 

fap-get-status                       <----- Basic info about the FortiAP unit.
get current info                     <----- Review status of Radios, VAPs and networking.
cfg -s                               <----- Review the variables and check for any incorrect entries.

rcfg                                 <----- Radio configurations, compare with FortiGate.
vcfg                                 <----- VAP configurations, compare with FortiGate.
date                                 <----- Ensure time is in sync.
Ut                                   <----- Current uptime and wtp daemon start times.

top                                  <----- Shows the top processes using CPU/memory/swap.
crash or diag_debug_crashlog read    <----- Check for any crash log entries.

Kp or cw_diag kernel-panic           <----- Check for any kernel crash entries.

fap-tech                             <----- FortiAP tech report.

 

Additional FortiAP diagnostic CLIs are listed here: FortiAP CLI diagnostic commands.

 

FortiGate Wireless-Controller debugs.

The following cw_acd wireless-controller debugs can be enabled on FortiGate to print useful diagnostic output. Enable debugs with filters where available (like wlac sta_filter), as the output can be verbose and could cause CPU spikes.

 

cw_acd daemon debugs:

FortiGate# diagnose debug console timestamp enable
FortiGate# diagnose debug application cw_acd 0x7f

FortiGate# diagnose debug enable
Debug messages will be on for 30 minutes.

FortiGate# diagnose debug disable

 

wlac sta debugs:

FortiGate# diagnose wireless-controller wlac sta_filter <MAC> <verbose>
FortiGate# diagnose wireless-controller wlac sta_filter ab.cd.ef.gh.ij.kl 255
FortiGate# diagnose debug enable

Debug messages will be on for 30 minutes.

FortiGate# diagnose debug disable

 

Note:

More details on wireless-controller WLAC debug processes are available in Troubleshooting Tip: Debugging a wireless client connection issue using client MAC address.

 

FortiAP debugs:

Debug commands can be run on the FortiAP as well, for the CAPWAP WTP daemon called cwWtpd, by running the following CLI commands. Use these commands with caution, as the output can be verbose.

 

Syntax : cw_debug app <app_name> [debug_var]

FortiAP# cw_debug app cwWtpd 255

FortiAP# cw_debug on

<debugs will print>

FortiAP# cw_debug off

 

SSID profile corruptions.

If the issue with config sync is still not remediated after following the steps above, the SSID profile may have been corrupted. This may occur after power outages and unexpected reboots of FortiGate. Any subsequent configuration changes from FortiGate might not get pushed to the FortiAP.

 

To troubleshoot this, start by making a small number of incremental changes to the SSID config in FortiGate, then check to see if the changes were reflected on the FortiAP VAP config. If not, this indicates a possible corruption of one of the SSID configurations. The next step is to unlink all the attached SSIDs from the specific FortiAP under WiFi & Switch Controller -> Managed FortiAPs -> Edit the specific FortiAP -> SSIDs -> Manual, and re-add one at a time (for both Radios) to see which specific SSID profile is causing the issue, as shown in the screenshot below.

 

After locating the SSID profile with the issue, create a clone of that SSID profile and use the clone in place of the original. Retry by assigning this new SSID and confirm the FortiAP is receiving this VAP config.

 

Manual selection of SSID profiles to incrementally check which SSID profile might be corrupted:

 

ssid-corrupt-edit-2.png

 

Note:

  1. If it still does not help and the config sync issue persists, create a new FortiAP profile (either clone or build new) just for this FortiAP that is having the issue, assign the FortiAP to this new profile, and verify if the configurations are now syncing from the FortiGate.
  2. Disabling CAPWAP offload on the FortiGate for testing purposes to see whether the issue is remediated is a troubleshooting option, but should be done with caution and used with the help of Fortinet TAC.

 

FortiGate# config system npu
FortiGate(npu)# set capwap-offload disable
FortiGate(npu)# end

 

set capwap-offload   : Enable/disable offloading managed FortiAP and FortiLink CAPWAP sessions.

 

Terminology.

The following are some common terms used in the context of FortiGate as wireless-controller and FortiAPs.

  1. wtp: Wireless Termination Points (WTPs), that is, FortiAPs or APs to be managed by FortiGate (FortiAP profiles & local overrides).
  2. VAP: Virtual Access Points (VAPs), which correspond to the SSID profiles configs from FortiGate.
  3. wids: wireless intrusion detection system (WIDS) feature in FortiAP.
  4. CAPWAP: Control And Provisioning of Wireless Access Points (CAPWAP) is the protocol used by FortiGate (as a wireless controller) to manage FortiAPs.
  5. cw_acd: 'capwap wireless - aggregate controller daemon' in FortiGate to manage FortiAPs.

 

Related articles:

Troubleshooting Tip: The SSID is not broadcasting Issue on FortiAP/FortiGate setup

Technical Tip: High memory due to the cw_acd process and potential causes

FortiAP CLI diagnostic commands

Technical Tip: Changing country setting on a wireless controller