Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
fmerin_FTNT
Staff
Staff

Created on ‎03-29-2022 10:36 PM Edited on ‎08-14-2025 05:31 AM By Community Manager

Article Id 207852

Troubleshooting Tip: Managed FortiAP Issues

Description This article describes debug commands and other tips to use when troubleshooting managed FortiAP issues on the FortiGate side.
Scope FortiGate, FortiAP.
Solution
  1. Debug Commands: The output of these debug commands can be captured when troubleshooting managed FortiAP issues on the FortiGate side:
 

Configuration.

 

Capture and review the interface, DHCP, NTP, and DNS config.

 

show full system interface

show full system dhcp serve

show full system ntp

show full system dns

 

Crashlog and Other Wireless Controller Status.

 

FortiGate crash logs (check for cw_acd, wpad_ac, cw_wtpd, cw_stad processes crashing).

 

diagnose debug crashlog read

 

This command shows the equivalent of what is shown in the wifi monitor GUI but on CLI:
 

diagnose wireless-controller wlac -d st

 
The following command shows a list of FortiAPs that are managed by FortiGate. It shows WTP ID which can be used to see which peripheral unit is connected to which physical FortiAP.
 
diagnose wireless-controller wlac -d wtp  
 
This command is similar to exec tac report but for FortiAP, in case something is missed during the remote session.
 
diagnose wireless-controller wlac show all  
 

Real-time Debug:

 

The following real-time debug commands should be captured simultaneously in separate CLI windows/log files:

 

CLI session #1.

 

Replace portX with the FortiGate port that the FortiAP is connected to and capture the CAPWAP management, DHCP, and ARP packets.


diagnose sniffer packet portX “arp or udp port 5246 or udp port 67” 6 0

 

CLI session #2.


diagnose wireless-controller wlac wtp_filter FP11223344556677 0-1.2.3.4:5246 2 <----- Replace the FP11223344556677 and 1.2.3.4 with actual serial number and IP address of the FortiAP, respectively).


diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application cw_acd 0x7f
diagnose debug enable

 

To disable debug.

 

diagnose debug disable
diagnose debug reset

 

It is also important to check if the cw_acd is crashing with any signal in FortiOS in the crash log report.

      diagnose debug crashlog read

2915: 2023-09-22 13:19:38 <20631> application cw_acd
2916: 2023-09-22 13:19:38 <20631> *** signal 11 (Segmentation fault) received ***

  1. Connecting to FortiAP Directly to Configure Wireless Controller IP Address (FortiGate CAPWAP interface IP). In some cases, it is necessary to connect to the FortiAP directly via SSH/Telnet or HTTPS/HTTP to confirm if the AC_IPADDR is configured properly (AC_IPADDR defaults to 192.168.1.99).

 

If the FortiGate port with CAPWAP enabled is anything other than the default IP, then it will be necessary to manually configure the AC_IPADDR (wireless controller IP address) in each FortiAP.

 

Details about FortiAP Controller Discovery methods: Advanced WiFi controller discovery - FortiGate 6.0.0 handbook.

 

  1. Ensure FortiAP obtains valid time via local NTP server on the FortiGate. Valid time via NTP synchronization is required to ensure that the certificate exchange in the CAPWAP tunnel establishment process succeeds. Ensure that the FortiGate is configured as a local NTP server on the interface that the FortiAP is connected to.
  2. Verify if Security Fabric Connection option is checked under network interface connected to FortiAP as it is required for CAPWAP connectivity as per diagram below:

 

Security Fabric Connection.png

 
Related article:
Technical Tip: Configuring a FortiGate unit as a NTP server.
 
  1. Connecting to FortiAP via Wireless Controller if CAPWAP connectivity is up.

  2. Disable and re-enable POE on the switchport and check FortiAP status again.

     

    config switch physical-port
        edit <port>
            set poe-status {enable | disable}
        end

 

Configuring power over ethernet on a port - FortiSwitch.

 

Related documents:

Technical Tip: How to connect to FortiAP 5.4 from wireless controller using telnet, http, https, ssh

WiFi Network troubleshooting

Technical Tip: FortiAP troubleshooting

Troubleshooting Tip: Sample configuration to allow authorization of FortiAP connected to a Cisco Cat... 
21929
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.