FortiGate
fortiraj_FTNT
Article Id 339806
Description This article describes an issue where FortiAPs managed by a FortiGate HA cluster repeatedly leave and rejoin the wireless controller after the cluster and then the APs have been upgraded.
Scope FortiGate v7.2.7 and FortiAP.
Solution

After a FortiGate HA cluster is upgraded and the managed FortiAPs are then upgraded, the FortiAPs may repeatedly leave and rejoin, each leave being logged with reason 'AP image download finished', when the secondary FortiGate unit still holds a stored FortiAP (WTP) image. To check whether a cluster member has FortiAP images stored, run 'execute wireless-controller list-wtp-image' on each member.

 

Sample event logs (newest first; each AP leave with reason 'AP image download finished' is immediately followed by a rejoin of the same AP):

date="2024-02-14" time="02:55:35" devid="FG6H0ETB20902638" vd="root" type="event" subtype="wireless" action="ap-leave" ap="DK-FRE-H01-AP01" bid=372225545 devname="DK-FRE-FG1" ip="10.147.25.186" level="notice" logdesc="Physical AP leave" logid="0104043552" logver=702071577 meshmode="mesh root ap" msg="AP DK-FRE-H01-AP01 left." reason="AP image download finished" sn="FP231FTF2209AKSN"

date="2024-02-14" time="02:55:35" devid="FG6H0ETB20902638" vd="root" type="event" subtype="wireless" action="ap-join" ap="DK-FRE-H01-AP01" bid=372225561 devname="DK-FRE-FG1" dstepid=3 ip="10.147.25.186" level="notice" logdesc="Physical AP join" logid="0104043551" logver=702071577 meshmode="mesh root ap" msg="AP DK-FRE-H01-AP01 joined." reason="N/A" sn="FP231FTF2209AKSN"

date="2024-02-14" time="02:55:07" devid="FG6H0ETB20902638" vd="root" type="event" subtype="wireless" action="ap-leave" ap="DK-FRE-H01-AP01" bid=372225467 devname="DK-FRE-FG1" ip="10.147.25.186" level="notice" logdesc="Physical AP leave" logid="0104043552" logver=702071577 meshmode="mesh root ap" msg="AP DK-FRE-H01-AP01 left." reason="AP image download finished" sn="FP231FTF2209AKSN"

date="2024-02-14" time="02:55:07" devid="FG6H0ETB20902638" vd="root" type="event" subtype="wireless" action="ap-join" ap="DK-FRE-H01-AP01" bid=372225450 devname="DK-FRE-FG1" ip="10.147.25.186" level="notice" logdesc="Physical AP join" logid="0104043551" logver=702071577 meshmode="mesh root ap" msg="AP DK-FRE-H01-AP01 joined." profile="PROD-EMEA-WAREHOUSE-FAP231F-GRP4" reason="N/A" sn="FP231FTF2209AKSN"
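To spot this pattern across a whole site (for example in a syslog or FortiAnalyzer export rather than by reading the log viewer), the following added example parses FortiOS key=value event logs and flags every AP serial that logged 'ap-leave' with reason 'AP image download finished' more than once inside a short window. This is example code written for this article, not Fortinet code. The sample input is the article's four log lines with their spacing repaired, plus one constructed line for a second AP that left once for an unrelated reason; the 5-minute window and the threshold of two leaves are assumptions to tune for the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the four wireless event logs from this article (spacing repaired so
# every key=value pair is separated) plus one CONSTRUCTED line for a second AP that
# left once for an unrelated reason and must not be flagged.
SAMPLE_LOGS = [
    'date="2024-02-14" time="02:55:35" devid="FG6H0ETB20902638" vd="root" type="event" subtype="wireless" action="ap-leave" ap="DK-FRE-H01-AP01" bid=372225545 devname="DK-FRE-FG1" ip="10.147.25.186" level="notice" logdesc="Physical AP leave" logid="0104043552" logver=702071577 meshmode="mesh root ap" msg="AP DK-FRE-H01-AP01 left." reason="AP image download finished" sn="FP231FTF2209AKSN"',
    'date="2024-02-14" time="02:55:35" devid="FG6H0ETB20902638" vd="root" type="event" subtype="wireless" action="ap-join" ap="DK-FRE-H01-AP01" bid=372225561 devname="DK-FRE-FG1" dstepid=3 ip="10.147.25.186" level="notice" logdesc="Physical AP join" logid="0104043551" logver=702071577 meshmode="mesh root ap" msg="AP DK-FRE-H01-AP01 joined." reason="N/A" sn="FP231FTF2209AKSN"',
    'date="2024-02-14" time="02:55:07" devid="FG6H0ETB20902638" vd="root" type="event" subtype="wireless" action="ap-leave" ap="DK-FRE-H01-AP01" bid=372225467 devname="DK-FRE-FG1" ip="10.147.25.186" level="notice" logdesc="Physical AP leave" logid="0104043552" logver=702071577 meshmode="mesh root ap" msg="AP DK-FRE-H01-AP01 left." reason="AP image download finished" sn="FP231FTF2209AKSN"',
    'date="2024-02-14" time="02:55:07" devid="FG6H0ETB20902638" vd="root" type="event" subtype="wireless" action="ap-join" ap="DK-FRE-H01-AP01" bid=372225450 devname="DK-FRE-FG1" ip="10.147.25.186" level="notice" logdesc="Physical AP join" logid="0104043551" logver=702071577 meshmode="mesh root ap" msg="AP DK-FRE-H01-AP01 joined." profile="PROD-EMEA-WAREHOUSE-FAP231F-GRP4" reason="N/A" sn="FP231FTF2209AKSN"',
    # Constructed line (not from the article): a single leave for another AP, different reason.
    'date="2024-02-14" time="03:10:00" devid="FG6H0ETB20902638" vd="root" type="event" subtype="wireless" action="ap-leave" ap="CONSTRUCTED-AP02" bid=1 devname="DK-FRE-FG1" ip="10.147.25.190" level="notice" logdesc="Physical AP leave" logid="0104043552" msg="AP CONSTRUCTED-AP02 left." reason="constructed: not an image download" sn="FP000CONSTRUCTED00"',
]

# One FortiOS key=value pair: quoted values may contain spaces, bare values may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

AP_LEAVE_LOGID = "0104043552"           # logdesc="Physical AP leave" in the logs above
IMAGE_REASON = "AP image download finished"


def parse_fortios_log(line: str) -> dict:
    """Split a FortiOS event log line into a {key: value} dict with quotes removed."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def find_flapping_aps(lines, reason=IMAGE_REASON, min_leaves=2, window=timedelta(minutes=5)):
    """Return {ap_serial: sorted leave timestamps} for every AP that logged at least
    `min_leaves` ap-leave events with `reason` inside any span of length `window`.
    The default threshold and window are assumptions for this example."""
    leaves = defaultdict(list)
    for line in lines:
        ev = parse_fortios_log(line)
        if ev.get("logid") != AP_LEAVE_LOGID or ev.get("action") != "ap-leave":
            continue
        if ev.get("reason") != reason:
            continue
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        leaves[ev["sn"]].append(ts)

    flapping = {}
    for sn, stamps in leaves.items():
        stamps.sort()
        # Sliding window: flag the AP if any min_leaves consecutive leaves fit in `window`.
        for i in range(len(stamps) - min_leaves + 1):
            if stamps[i + min_leaves - 1] - stamps[i] <= window:
                flapping[sn] = stamps
                break
    return flapping


def main():
    hits = find_flapping_aps(SAMPLE_LOGS)
    if not hits:
        print("no image-download flapping detected")
    for sn, stamps in hits.items():
        print(f"{sn}: {len(stamps)} leaves with reason {IMAGE_REASON!r} "
              f"between {stamps[0]:%H:%M:%S} and {stamps[-1]:%H:%M:%S}; "
              "check 'execute wireless-controller list-wtp-image' on the secondary unit")


if __name__ == "__main__":
    main()
```

Filtering on logid 0104043552 together with the reason string keeps ordinary AP leaves (reboots, cable pulls) out of the result, so a hit points specifically at the stored-image condition described above.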

 

This issue is listed as known issue 1001104 in the FortiOS release notes.

 

Workaround:

Delete the FortiAP images stored on the secondary FortiGate. Log in to the secondary unit (from the primary, 'execute ha manage <index> <username>' opens a CLI session to a cluster member) and run the following command there:

execute wireless-controller delete-wtp-image all

Afterwards, run 'execute wireless-controller list-wtp-image' on the secondary unit again to confirm that no FortiAP image remains.

 

Note:

While multiple managed FortiAPs are being upgraded, the units may go offline and come back online after a few minutes.

The FortiGate sends the FortiAP image over the CAPWAP tunnel, which can keep the cw_acd process busy.

If a FortiAP does not receive keepalive messages from the FortiGate during this time, it considers the CAPWAP tunnel down and records 'Control message maximal retransmission limit reached'. This is expected behavior.