FortiGate
OskrKss
Staff
Article Id 394194
Description

This article describes why a new FortiExtender may not be shown under the 'Authorization' page after the discovery process, even with a correct FortiExtender configuration.

 

In this case, the FortiGate unit receives the discovery packets from the FortiExtender unit, but it is not able to reply to those CAPWAP packets. As shown in the output below, the firewall (IP 192.168.100.1) is receiving CAPWAP traffic from the FortiExtender (IP 192.168.200.2), but there is no response:


FW01 (FW01) # diag sniffer packet any 'port 5246' 4 0 a
interfaces=[any]
filters=[port 5246]
2025-05-07 13:34:46.238884 port1 in 192.168.200.2.5246 -> 255.255.255.255.5246: udp 198
2025-05-07 13:34:47.234880 port1 in 192.168.200.2.5246 -> 255.255.255.255.5246: udp 198
2025-05-07 13:34:51.234907 port1 in 192.168.200.2.5246 -> 255.255.255.255.5246: udp 198


As a result, the FortiExtender is not shown for authorization.

Scope

FortiGate and FortiExtender.

Solution

The wireless-controller module needs to be enabled for the CAPWAP activation:

 

FW01 # config global
FW01 (global) # config sys global
FW01 (global) # set wireless-controller enable
FW01 (global) # end
FW01 (global) # end
FW01 #

 

After enabling it, the FortiGate replies to the CAPWAP packets and the FortiExtender unit can be authorized:

FW01 # diag sniffer packet any 'port 5246' 4 0 a
interfaces=[any]
filters=[port 5246]
2025-05-07 13:37:34.235812 port1 in 192.168.200.2.5246 -> 255.255.255.255.5246: udp 198
2025-05-07 13:37:34.236526 port1 out 192.168.200.1.5246 -> 192.168.200.2.5246: udp 116
2025-05-07 13:37:37.235830 port1 in 192.168.200.2.5246 -> 255.255.255.255.5246: udp 198
2025-05-07 13:37:37.236023 port1 out 192.168.200.1.5246 -> 192.168.200.2.5246: udp 116
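
The comparison made by eye on the two captures above (inbound CAPWAP packets with or without an outbound reply) can be scripted. This is an added example, not part of the original article or of any Fortinet tooling; the function name and the regular expression are assumptions based on the verbosity-4 sniffer format shown here.

```python
import re
from collections import defaultdict

# One packet line of 'diag sniffer packet any ... 4' output; verbosity 4
# prints the interface and direction (in/out) before the addresses.
LINE = re.compile(
    r"^\S+ \S+ (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): udp \d+$"
)
CAPWAP_CONTROL_PORT = "5246"

def unanswered_capwap_peers(sniffer_text):
    """Map each peer that sent CAPWAP packets inbound, and never got an
    outbound packet back from the FortiGate, to its request count."""
    requests = defaultdict(int)
    answered = set()
    for raw in sniffer_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or CAPWAP_CONTROL_PORT not in (m["sport"], m["dport"]):
            continue  # CLI prompt, header line, or other traffic
        if m["dir"] == "in":
            requests[m["src"]] += 1
        else:
            answered.add(m["dst"])
    return {ip: n for ip, n in requests.items() if ip not in answered}

# Both captures are the sniffer outputs shown in this article.
BEFORE = """\
FW01 (FW01) # diag sniffer packet any 'port 5246' 4 0 a
interfaces=[any]
filters=[port 5246]
2025-05-07 13:34:46.238884 port1 in 192.168.200.2.5246 -> 255.255.255.255.5246: udp 198
2025-05-07 13:34:47.234880 port1 in 192.168.200.2.5246 -> 255.255.255.255.5246: udp 198
2025-05-07 13:34:51.234907 port1 in 192.168.200.2.5246 -> 255.255.255.255.5246: udp 198
"""
AFTER = """\
FW01 # diag sniffer packet any 'port 5246' 4 0 a
interfaces=[any]
filters=[port 5246]
2025-05-07 13:37:34.235812 port1 in 192.168.200.2.5246 -> 255.255.255.255.5246: udp 198
2025-05-07 13:37:34.236526 port1 out 192.168.200.1.5246 -> 192.168.200.2.5246: udp 116
2025-05-07 13:37:37.235830 port1 in 192.168.200.2.5246 -> 255.255.255.255.5246: udp 198
2025-05-07 13:37:37.236023 port1 out 192.168.200.1.5246 -> 192.168.200.2.5246: udp 116
"""

if __name__ == "__main__":
    print("before:", unanswered_capwap_peers(BEFORE))
    print("after: ", unanswered_capwap_peers(AFTER))
```

A non-empty result points at the FortiGate side (such as the disabled wireless-controller setting described in this article) rather than at the FortiExtender configuration.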

 

The wireless-controller module is enabled by default in FortiOS. If there are no FortiAPs, it may seem suitable to disable this function. If the 'disable' is done from the CLI, a warning message is shown regarding the CAPWAP deactivation:

 

FW01 (global) # config system global
FW01 (global) # set wireless-controller disable
switch-controller & extender-wan will also be disabled

 

Note: Disabling the feature from the GUI will not show any alert when applied.
