When FortiAPs connect to FortiGate over IPsec tunnels, this is treated similarly to WAN/MPLS deployments.
In these scenarios, FortiGate must know that CAPWAP must traverse a non-L2 transport.
FortiAP profiles include:
set mpls-connection enable
This setting is required so that:
FortiGate can encapsulate CAPWAP inside the transport tunnel
Remote FortiAPs can establish CAPWAP even when behind routed/IPsec networks
Without this option, the FortiGate detects the AP but cannot bring CAPWAP up, leaving the AP in the "discovered/unauthorized" or "offline" state.
Why the other options are wrong
A. Static route → Discovery already succeeds, so routing is not the issue.
C. Reduce MTU → Sometimes useful for IPsec, but not required for CAPWAP establishment.
D. Firmware upgrade → A firmware mismatch would show "Managed (upgrade required)," not a CAPWAP tunnel failure.
Therefore, set mpls-connection enable is the required fix.