We are getting the following error message multiple times on an AP migrated to SD-WAN (travelling via IPSEC instead of the previous MPLS WAN link), meaning encapsulation for CAPWAP + IPSEC encap.
*Aug 19 16:27:36.000: %CAPWAP-3-DATA_KEEPALIVE_ERR: Failed to receive data keep-alive
*Aug 19 16:27:36.000: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.1.1.1:5246
I checked another post about the AP Group Name using "_" as the reason, but that is not the case for us. Further investigation led me to the following link, thinking that some larger packets were being dropped, so MTU could be a reason.
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/211405-Configure-CAPWAP-Path-MTU-Discovery.html
Next, the MTU negotiated by the AP to the WLC:
(Cisco Controller) >show ap config general APTESTING
Cisco AP Identifier.............................. 520
Cisco AP Name.................................... APTESTING
CAPWAP Path MTU.................................. 576
Cisco AP Group Name.............................. TESTINGACCESSPOINT
Primary Cisco Switch Name........................ DC-WiFi-WLC