FortiGate
acardona
Staff
Article Id 369334
Description This article describes the solution and workaround when CAPWAP traffic is dropped.
Scope FortiGate 120G.
Solution

By default, CAPWAP traffic is offloaded. When this offloading is enabled, the CAPWAP traffic is blocked.

When running the debug flow, the following debug line can be seen, confirming that the session is installed in the NPU.

id=65308 trace_id=2 func=ip_session_install_npu_session line=386 msg="npu session installation succeeded"

The session is never established because FortiGate does not send the traffic; it is dropped instead.
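
To check a longer debug flow capture for this symptom, the following added example (not part of the original article and not Fortinet tooling) groups lines by trace_id and reports CAPWAP flows whose session was installed in the NPU. The sample lines are constructed; the print_pkt_detail packet line format and the CAPWAP UDP ports 5246/5247 are assumptions not stated in the article.

```python
import re

# Assumption: CAPWAP control and data channels use UDP 5246 and 5247 (RFC 5415).
CAPWAP_PORTS = {5246, 5247}

# Constructed sample of debug flow output, modelled on the line quoted above.
SAMPLE = '''\
id=65308 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51000->10.0.1.9:443) tun_id=0.0.0.0 from port2."
id=65308 trace_id=1 func=ip_session_install_npu_session line=386 msg="npu session installation succeeded"
id=65308 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 10.0.0.20:5246->10.0.0.1:5246) tun_id=0.0.0.0 from port3."
id=65308 trace_id=2 func=ip_session_install_npu_session line=386 msg="npu session installation succeeded"
id=65308 trace_id=3 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 10.0.0.21:5247->10.0.0.1:5247) tun_id=0.0.0.0 from port3."
'''

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)')


def offloaded_capwap_traces(text):
    """Return {trace_id: (src, dst)} for UDP CAPWAP traces installed in the NPU."""
    flows, offloaded = {}, set()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a debug flow line
        trace, func, msg = int(m.group(1)), m.group(2), m.group(3)
        pkt = PKT_RE.search(msg)
        if pkt:
            proto, src, sport, dst, dport = pkt.groups()
            # Keep only UDP (proto 17) packets on a CAPWAP port.
            if proto == "17" and CAPWAP_PORTS & {int(sport), int(dport)}:
                flows[trace] = (f"{src}:{sport}", f"{dst}:{dport}")
        elif func == "ip_session_install_npu_session" and "succeeded" in msg:
            offloaded.add(trace)
    # A trace matters only if it is CAPWAP and its session went to the NPU.
    return {t: flows[t] for t in sorted(offloaded) if t in flows}


if __name__ == "__main__":
    for trace, (src, dst) in offloaded_capwap_traces(SAMPLE).items():
        print(f"trace_id={trace}: CAPWAP {src} -> {dst} session installed in NPU")
```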

 

As a workaround, the following configuration can be applied.

config system npu
    set capwap-offload disable
end

The solution is to upgrade to v7.6.1.

 

Related article:

Technical Tip: How to disable CAPWAP offloading for FortiAPs without disrupting wireless traffic 

Note: Only apply when the FortiGate is working with FortiAP.