View all questions & answers for the NSE 6 – LAN Edge 7.6 Architect Exam Materials exam


Question 45 Discussion

APs have been manually configured to connect to FortiGate over an IPsec network, and FortiGate successfully detects and authorizes them. However, the APs remain unmanaged because FortiGate is unable to establish a CAPWAP tunnel with them. What configuration change can resolve this issue and enable FortiGate to establish the CAPWAP tunnel over the IPsec connection? (Choose one answer)

  • A. Assign a custom AP profile for the remote APs with the set mpls-connection option enabled.
  • B. Decrease the CAPWAP tunnel MTU size for APs to prevent fragmentation.
  • C. Configure a static route on FortiGate to reach the APs over the IPsec tunnel.
  • D. Upgrade the FortiAP firmware image to ensure compatibility with the FortiOS version.
Correct Answer: B

Brave-Dump Clients Votes

B 100%

Comments



kair ahmid 2025-08-15 23:11:05

Selected Answers: B


CAPWAP over IPsec adds additional overhead to the packet. If the tunnel MTU is too high, it can cause fragmentation, which many IPsec tunnels (depending on their configuration) don't handle well. This causes the discovery phase to work (which is why FortiGate detects the AP), but the CAPWAP tunnel establishment phase to fail.


Brave-Dumps Admin 2025-08-18 12:42:44

Selected Answers: B


B is correct, as per study guide page 141.