FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 207852
Description This article describes debug commands and other tips to use when troubleshooting managed FortiAP issues on the FortiGate side.
Scope FortiGate, FortiAP.

1) Debug Commands.


The output of these debug commands can be captured when troubleshooting managed FortiAP issues on the FortiGate side:




Capture and review interface, DHCP, NTP, DNS config.


# show full system interfac

# show full system dhcp serve

# show full system nt

# show full system dn


Crashlog and Other Wireless Controller Status.


FortiGate crashlog (check for cw_acd, wpad_ac, cw_wtpd, cw_stad processes crashing).


# diagnose debug crashlog rea


Shows the equivalent of what is shown in the wifi monitor GUI but on CLI.
# diag wireless-controller wlac -d st
Shows list of FortiAPs that are managed by the FortiGate.
This is good because it shows WTP ID which can be used to see which peripheral unit is connected to which physical FortiAP.
# diag wireless-controller wlac -d wt  
Similar to exec tac report but for FortiAP, in case something is missed during remote session.
# diag wireless-controller wlac show all  

Real-time Debug


The following real-time debug commands should be capture simultaneously in separate CLI windows/log files:


CLI session #1.


Replace portX with the FortiGate port that the FortiAP is connected to and capture the CAPWAP management, DHCP and ARP packets.

# diag sniff packet portX “arp or udp port 5246 or udp port 67” 6 0


CLI session #2.

# diag wireless-controller wlac wtp_filter FP11223344556677 0- 2 <----- Replace the FP11223344556677 and with actual serial number and IP address of the FortiAP, respectively).

# diag debug console timestamp e
# diag debug application cw_acd 0x7f
# diag debug enabl


To disable debug.


# diag debug application cw_acd


2) Connecting to FortiAP Directly to Configure Wireless Controller IP Address (FortiGate CAPWAP interface IP).


In some cases, it is necessary to connect to the FortiAP directly via SSH/Telnet or HTTPS/HTTP to confirm if the AC_IPADDR is configured properly (AC_IPADDR defaults to


If the FortiGate port with CAPWAP enabled is anything other than the default IP, then it will be necessary to manually configure the AC_IPADDR (wireless controller IP address) in each FortiAP.


Details about FortiAP Controller Discovery methods:


3) Ensure FortiAP obtains valid time via local NTP server on the FortiGate.


Valid time via NTP synchronization is required to ensure that the certificate exchange in the CAPWAP tunnel establishment process succeeds.

Ensure that the FortiGate is configured as a local NTP server on the interface that the FortiAP is connected to.

Related article.