Fortigate Firewall HA master election

There are 2 conditions for MASTER election.
1) (ha-override disable):
Master is selected in the following sequence
1. Number of "UP" monitored ports
2. HA uptime
3. HA priority
4. FGT serial number
2) (ha-override enable):
Master is selected in the following sequence
1. Number of "UP" monitored ports
2. HA priority
3. HA uptime
4. FGT serial number
If ha-override is disabled, you can trigger a failover simply by resetting the HA uptime on the Master.
So there is no need to reboot or unplug a cable for an HA failover.
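The two election orders above, worked through as an added example (not Fortinet code). It assumes that at each step the larger value wins (more monitored ports up, longer HA uptime, higher priority, higher serial number) and ignores any tolerance FortiOS applies to small uptime differences; the unit names and values are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Unit:
    serial: str    # constructed sample serial number
    ports_up: int  # monitored ports currently up
    uptime: int    # HA uptime in seconds
    priority: int  # HA priority

# Comparison order from the page, keyed by the ha-override setting.
CRITERIA = {
    False: ("ports_up", "uptime", "priority", "serial"),
    True: ("ports_up", "priority", "uptime", "serial"),
}

def elect_master(units, override):
    """Return (winner, criterion that decided the election)."""
    order = CRITERIA[override]
    candidates = list(units)
    for field in order:
        best = max(getattr(u, field) for u in candidates)
        candidates = [u for u in candidates if getattr(u, field) == best]
        if len(candidates) == 1:
            return candidates[0], field
    return candidates[0], order[-1]

def reset_uptime(units, serial):
    """Model resetting the HA uptime on one unit."""
    return [replace(u, uptime=0) if u.serial == serial else u for u in units]

# Constructed two-unit cluster: A is the current master.
UNIT_A = Unit("FGT-SAMPLE-0001", ports_up=2, uptime=86400, priority=200)
UNIT_B = Unit("FGT-SAMPLE-0002", ports_up=2, uptime=86000, priority=100)

if __name__ == "__main__":
    cluster = [UNIT_A, UNIT_B]
    after = reset_uptime(cluster, UNIT_A.serial)
    for override in (False, True):
        before_w, before_c = elect_master(cluster, override)
        after_w, after_c = elect_master(after, override)
        print(f"override={override}: {before_w.serial} ({before_c}) -> "
              f"{after_w.serial} ({after_c})")
```

With override disabled the uptime reset moves the master role to the other unit; with override enabled the higher-priority unit stays master because priority is compared before uptime.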

Fortinet FAP discovery issues and troubleshooting process (for integrated wifi AP models only)

>By default, FortiGate-supported AP models use CAPWAP for discovery and to tunnel traffic

UDP port 5346 for discovery
UDP port 5347 for control/data traffic

>In cases where APs are not able to discover the FortiGate wifi controller, you need to look at port 5346 to see whether any traffic is really hitting your FortiGate wifi controller
Note:
>First confirm that the FortiAPs are running a firmware version supported by your FortiOS
>and that the AP is able to get a DHCP IP address; then you can check the following:

Step 1:
Try running a capture on the FortiGate's CAPWAP-enabled interface

#command:
diag sniffer packet lan "port 5246" 4 0 a

2016-11-01 09:16:13.754033 lan — 192.168.242.59.5246 -> 192.168.242.63.5246: udp 81
2016-11-01 09:16:14.759783 lan — 192.168.242.63.5246 -> 192.168.242.59.5246: udp 177
2016-11-01 09:16:14.762178 lan — 192.168.242.59.5246 -> 192.168.242.63.5246: udp 81
2016-11-01 09:16:15.751710 lan — 192.168.242.63.5246 -> 192.168.242.59.5246: udp 177
2016-11-01 09:16:15.753937 lan — 192.168.242.59.5246 -> 192.168.242.63.5246: udp 81
2016-11-01 09:16:16.751617 lan — 192.168.242.63.5246 -> 192.168.242.59.5246: udp 177

Step 2:
Run a debug on the application to see whether the discovery is reaching the FortiGate wifi controller, and whether the controller is not responding or is responding with an error.

#commands:
diagnose debug application cw_acd 4
diagnose debug console timestamp enable
diagnose debug enable

>In our case you can see a working discovery log below:

2016-11-01 17:33:47 32067.065 CAPWAP Control Header Dump:
2016-11-01 17:33:47 32067.065 msgType : 9 WTP_EVENT_REQ 192.168.242.63:5246
2016-11-01 17:33:47 32067.066 seqNum : 87
2016-11-01 17:33:47 32067.066 msgElemLen : 25
2016-11-01 17:33:47 32067.066 flags : 0
2016-11-01 17:33:47 32067.066 ws (0-192.168.242.63:5246) cwAcProcPlainCtlMsg: received WTP_EVENT_REQ from ws (0-192.168.242.63:5246)
2016-11-01 17:33:47 32067.066 ws (0-192.168.242.63:5246) <msg> WTP_EVENT_REQ (87) <== ws (0-192.168.242.63:5246)
2016-11-01 17:33:47 32067.066 ws (0-192.168.242.63:5246) <aev> – CWAE_WTP_EVENT_REQ_RECV ws (0-192.168.242.63:5246)
2016-11-01 17:33:47 32067.067 ws (0-192.168.242.63:5246) acWtpSessionThread: SSL_read() returned -1 ssl_err 2
2016-11-01 17:33:47 32067.067 ws (0-192.168.242.63:5246) =====================cwAcFsmThread ws (0-192.168.242.63:5246) 16 1====================
2016-11-01 17:33:47 32067.067 ws (0-192.168.242.63:5246) CWAS_RUN_enter: sending WTP_EVENT RESP msg.
2016-11-01 17:33:47 32067.067 ws (0-192.168.242.63:5246) acDtlsWrite: sending 24 bytes to ws (0-192.168.242.63:5246)
2016-11-01 17:33:47 32067.068 CAPWAP Hdr: P/T=0/0 len=2 RID=0 WBID=1 T=0 F=0 L=0 W=0 M=0 K=0 resv=0 frag=0/0 resv=0
2016-11-01 17:33:47 32067.068 CAPWAP Control Header Dump:
2016-11-01 17:33:47 32067.068 msgType : 10 WTP_EVENT_RESP 192.168.242.63:5246
2016-11-01 17:33:47 32067.068 seqNum : 87
2016-11-01 17:33:47 32067.068 msgElemLen : 11
2016-11-01 17:33:47 32067.068 flags : 0
2016-11-01 17:33:47 32067.069 ws (0-192.168.242.63:5246) acDtlsWrite: SSL_write() was successful
2016-11-01 17:33:47 32067.069 ws (0-192.168.242.63:5246) =====================cwAcFsmThread ws (0-192.168.242.63:5246) 16 2====================
2016-11-01 17:33:47 32067.069 ws (0-192.168.242.63:5246) acProcOutCipherCtrlMsg: sent msg (81 bytes) to ws (0-192.168.242.63:5246)
2016-11-01 17:33:47 32067.314 ws (0-192.168.242.63:5246) cwAcProcCipherCtlMsg: wrote 93 to ws (0-192.168.242.63:5246) socket 27, rc: 93 (success)
2016-11-01 17:33:47 32067.314 ws (0-192.168.242.63:5246) acWtpSessionThread: SSL_read() returned 38 ssl_err 0
2016-11-01 17:33:47 32067.314 ws (0-192.168.242.63:5246) cwAcProcPlainCtlMsg: meInfo->log_disable 0
2016-11-01 17:33:47 32067.315 CAPWAP Control Header Dump:
2016-11-01 17:33:47 32067.315 msgType : 9 WTP_EVENT_REQ 192.168.242.63:5246
2016-11-01 17:33:47 32067.315 seqNum : 88
2016-11-01 17:33:47 32067.315 msgElemLen : 25
2016-11-01 17:33:47 32067.315 flags : 0
2016-11-01 17:33:47 32067.315 ws (0-192.168.242.63:5246) cwAcProcPlainCtlMsg: received WTP_EVENT_REQ from ws (0-192.168.242.63:5246)
2016-11-01 17:33:47 32067.316 ws (0-192.168.242.63:5246) <msg> WTP_EVENT_REQ (88) <== ws (0-192.168.242.63:5246)
2016-11-01 17:33:47 32067.316 ws (0-192.168.242.63:5246) <aev> – CWAE_WTP_EVENT_REQ_RECV ws (0-192.168.242.63:5246)
2016-11-01 17:33:47 32067.316 ws (0-192.168.242.63:5246) acWtpSessionThread: SSL_read() returned -1 ssl_err 2

>In cases where the AP has lost communication with the FortiGate wifi controller, you will start seeing the following timeout in the debug.

2016-11-01 17:34:56 32137.455 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 120 dbg 00000004 pkts 5740 0
2016-11-01 17:34:56 32137.455 ws (0-192.168.242.63:5246) <aev> – CWAE_RPT_INTERVAL_EXPIRE ws (0-192.168.242.63:5246)
2016-11-01 17:34:56 32137.456 ws (0-192.168.242.63:5246) <aev> – CWAE_10_SEC_EXPIRE ws (0-192.168.242.63:5246)
2016-11-01 17:34:56 32137.456 ws (0-192.168.242.63:5246) =====================cwAcFsmThread ws (0-192.168.242.63:5246) 16 1====================
2016-11-01 17:34:56 32137.456 ws (0-192.168.242.63:5246) =====================cwAcFsmThread ws (0-192.168.242.63:5246) 16 2====================
2016-11-01 17:34:56 32137.457 ws (0-192.168.242.63:5246) =====================cwAcFsmThread ws (0-192.168.242.63:5246) 16 1====================
2016-11-01 17:34:56 32137.457 ws (0-192.168.242.63:5246) =====================cwAcFsmThread ws (0-192.168.242.63:5246) 16 2====================
2016-11-01 17:34:57 32138.454 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 121 dbg 00000004 pkts 5740 0
2016-11-01 17:34:58 32139.454 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 122 dbg 00000004 pkts 5740 0
2016-11-01 17:34:59 32140.454 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 123 dbg 00000004 pkts 5740 0
2016-11-01 17:35:00 32141.454 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 124 dbg 00000004 pkts 5740 0
2016-11-01 17:35:01 32142.454 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 125 dbg 00000004 pkts 5740 0
2016-11-01 17:35:02 32143.454 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 126 dbg 00000004 pkts 5740 0
2016-11-01 17:35:03 32144.454 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 127 dbg 00000004 pkts 5740 0
2016-11-01 17:35:04 32145.454 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 128 dbg 00000004 pkts 5740 0
2016-11-01 17:35:05 32146.454 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 129 dbg 00000004 pkts 5740 0
2016-11-01 17:35:06 32147.454 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 130 dbg 00000004 pkts 5740 0
2016-11-01 17:35:06 32147.454 ws (0-192.168.242.63:5246) <aev> – CWAE_AC_ECHO_INTV_TMR_EXPIRE ws (0-192.168.242.63:5246)
2016-11-01 17:35:06 32147.455 ws (0-192.168.242.63:5246) <aev> – CWAE_10_SEC_EXPIRE ws (0-192.168.242.63:5246)
2016-11-01 17:35:06 32147.455 ws (0-192.168.242.63:5246) =====================cwAcFsmThread ws (0-192.168.242.63:5246) 16 1====================
2016-11-01 17:35:06 32147.455 ws (0-192.168.242.63:5246) <aev> – CWAE_WTP_ECHO_REQ_FAIL ws (0-192.168.242.63:5246)
2016-11-01 17:35:06 32147.455 ws (0-192.168.242.63:5246) =====================cwAcFsmThread ws (0-192.168.242.63:5246) 16 2====================
2016-11-01 17:35:06 32147.455 ws (0-192.168.242.63:5246) =====================cwAcFsmThread ws (0-192.168.242.63:5246) 16 1====================
2016-11-01 17:35:06 32147.456 ws (0-192.168.242.63:5246) =====================cwAcFsmThread ws (0-192.168.242.63:5246) 16 2====================
2016-11-01 17:35:06 32147.456 ws (0-192.168.242.63:5246) =====================cwAcFsmThread ws (0-192.168.242.63:5246) 16 1====================

>And its entry gets flushed from the online AP table

2016-11-01 17:35:06 32147.456 ws (0-192.168.242.63:5246) cwAcStaFlush_ws: free 0 sta from cw_sta_tree for ws (ws (0-192.168.242.63:5246))
2016-11-01 17:35:06 32147.457 ws (0-192.168.242.63:5246) cwAcIhapdDelWtp remove ifaces 0x5662750 for ws (0-192.168.242.63:5246) rId 0
2016-11-01 17:35:06 32147.457 ws (0-192.168.242.63:5246) cwAcStaFlush_ws: free 0 sta from cw_sta_tree for ws (ws (0-192.168.242.63:5246))
2016-11-01 17:35:06 32147.457 ws (0-192.168.242.63:5246) cwAcIhapdDelWtp remove ifaces 0x5663ce0 for ws (0-192.168.242.63:5246) rId 1
2016-11-01 17:35:06 32147.457 ws (0-192.168.242.63:5246) cwAcStaFlush_ws: free 0 sta from cw_sta_tree for ws (ws (0-192.168.242.63:5246))
2016-11-01 17:35:06 32147.458 ws (0-192.168.242.63:5246) cwAcPendingMsgClr: Clear pending msg queue Cnt 0 H 20 T 20 last txMsg unknown
2016-11-01 17:35:06 32147.458 ws (0-192.168.242.63:5246) cwAcDtlsSessionStop_chan: data channel dtls ctx does not exist
2016-11-01 17:35:06 32147.458 ws (0-192.168.242.63:5246) cwAcDtlsSessionStop_chan free ssl 0x55abfe0
2016-11-01 17:35:06 32147.459 ws (0-192.168.242.63:5246) cwAcDtlsSessionStop_chan: deregistering acProcOutCipherCtrlMsg
2016-11-01 17:35:06 32147.459 ws (0-192.168.242.63:5246) cwAcDtlsSessionStop_chan: deregistering acWtpSessionThread
2016-11-01 17:35:06 32147.459 ws (0-192.168.242.63:5246) <aev> – CWAE_WTP_SESSION_RELEASED ws (0-192.168.242.63:5246)
2016-11-01 17:35:06 32147.459 ws (0-192.168.242.63:5246) acRemoveIPv4SessionHashEntry: removing ws 0x567c1e8 ws (0-192.168.242.63:5246) at index2 233
2016-11-01 17:35:06 32147.459 ws (0-192.168.242.63:5246) acRemoveIPv4SessionHashEntry: removing 0x567c1e8 from 0’th entry (next:(nil))
2016-11-01 17:35:06 32147.460 ws (0-192.168.242.63:5246) acRemoveIPv4SessionHashEntry: removing ws 0x567c1e8 ws (0-192.168.242.63:5246) at index 231
2016-11-01 17:35:06 32147.460 ws (0-192.168.242.63:5246) acRemoveIPv4SessionHashEntry: removing 0x567c1e8 from 0’th entry (next:(nil))
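
One way to triage a saved cw_acd debug capture for the timeout sequence shown above, as an added example (not Fortinet tooling). It only relies on the `<aev>` event names visible in the logs on this page; the function and field names are hypothetical.

```python
import re
from datetime import datetime

# "<date> <time> <ticks> ws (N-<ip>:<port>) <aev> <dash> <EVENT> ..."
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"ws \(\d+-(?P<ap>[\d.]+:\d+)\) <aev> \S+ (?P<event>CWAE_\w+)"
)

# Lines excerpted from the debug output on this page.
SAMPLE_LOG = """\
2016-11-01 17:33:47 32067.066 ws (0-192.168.242.63:5246) <aev> – CWAE_WTP_EVENT_REQ_RECV ws (0-192.168.242.63:5246)
2016-11-01 17:33:47 32067.316 ws (0-192.168.242.63:5246) <aev> – CWAE_WTP_EVENT_REQ_RECV ws (0-192.168.242.63:5246)
2016-11-01 17:34:56 32137.455 ws (0-192.168.242.63:5246) <aev> – CWAE_RPT_INTERVAL_EXPIRE ws (0-192.168.242.63:5246)
2016-11-01 17:34:57 32138.454 ws (0-192.168.242.63:5246) FSM AC (1) -> WTP State: CWAS_RUN (12) accept 3 live 121 dbg 00000004 pkts 5740 0
2016-11-01 17:35:06 32147.455 ws (0-192.168.242.63:5246) <aev> – CWAE_WTP_ECHO_REQ_FAIL ws (0-192.168.242.63:5246)
2016-11-01 17:35:06 32147.459 ws (0-192.168.242.63:5246) <aev> – CWAE_WTP_SESSION_RELEASED ws (0-192.168.242.63:5246)
"""

def ap_sessions(log_text):
    """Summarise each AP session as connected, echo-failed or released."""
    aps = {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # header dumps, FSM state lines, separators
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ap = aps.setdefault(
            m["ap"], {"state": "connected", "last_rx": None, "silent_s": None}
        )
        event = m["event"]
        if event == "CWAE_WTP_EVENT_REQ_RECV":
            # A request arrived from the AP, so the session is alive.
            ap.update(state="connected", last_rx=ts, silent_s=None)
        elif event == "CWAE_WTP_ECHO_REQ_FAIL":
            ap["state"] = "echo-failed"
            if ap["last_rx"]:
                # Gap between the last request logged from the AP and the
                # echo failure; only meaningful if the capture is complete.
                ap["silent_s"] = int((ts - ap["last_rx"]).total_seconds())
        elif event == "CWAE_WTP_SESSION_RELEASED":
            ap["state"] = "released"
    return aps

if __name__ == "__main__":
    for ap, info in ap_sessions(SAMPLE_LOG).items():
        print(ap, info["state"], info["silent_s"])
```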