Hi Collegues.
Can you help me solve a problem. There is an issue with connecting a Cisco AP 2802 access point to a Cisco 9800-L wireless controller.
The access point fails during the CAPWAP Discovery stage, and the following logs are observed on the AP console:

[*11/19/2024 18:22:27.7743] CAPWAP State: Discovery
[*11/19/2024 18:22:27.7788] Not Sending the TLV_AP_EWLC_TAGS_PAYLOAD.
[*11/19/2024 18:22:27.7791] Discovery Request sent to 10.1.2.7, discovery type STATIC_CONFIG(1)
[*11/19/2024 18:22:27.7845] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*11/19/2024 18:23:01.9391] Received Capwap watchdog update msg.
[*11/19/2024 18:23:34.6082] !!!!! {watchdogd} Unable to reach gateway for 1200 seconds

Network Diagram

Switch: Cisco CBS350 in L2 mode connects the controller and the AP.
Wireless Controller: Cisco 9800-L-F (physical) is configured with a management VLAN (VLAN 2, IP 10.1.2.7).
Access Point: Cisco AP 2802 connected in VLAN 60 (IP 10.1.60.10) on SW
Router: GW-1111 acting as the gateway and DHCP server for the network:
Router IP: 10.1.2.1.
DHCP server provides IP addresses for VLAN 60.

Error Details
The AP and controller can ping each other successfully.
However, the CAPWAP Discovery process fails, and the AP switches to standalone mode.

I guess there is a possible issues, incorrect trustpoint on the controller — does it need to be reconfigured or reissued?
What mode is recommended for configuring the controller — L2 between the router and the switch or L3?
What additional configurations are required to ensure successful CAPWAP Discovery?

GW Configuration:

interface GigabitEthernet0/1/2
description SW-C350
switchport
switchport trunk native vlan 2
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk

interface Vlan2
description NETWORK-MGMT
ip address 10.1.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly

interface Vlan60
description LWAP
ip address 10.1.60.254 255.255.255.0
ip nat inside
ip virtual-reassembly

ip default-gateway 10.1.100.254

ip dhcp pool VLAN60
network 10.1.60.0 255.255.255.0
default-router 10.1.60.254
dns-server 8.8.8.8 8.8.4.4
lease 30
!

SW Configuration:

interface vlan 2
name NETWORK_MGMT
ip address 10.1.2.2 255.255.255.0

interface GigabitEthernet7
description AP-9130
spanning-tree link-type point-to-point
switchport mode trunk
switchport access vlan none
macro description "switch "
!next command is internal.
macro auto smartport dynamic_type switch
!
interface GigabitEthernet17
description 9800
switchport mode trunk
switchport access vlan none
switchport trunk native vlan 2
!
ip dhcp snooping
ip dhcp snooping information option allowed-untrusted
ip dhcp snooping vlan 2
ip default-gateway 10.1.2.1

9800 Configuration:

vlan 60
name LWAP

interface TwoGigabitEthernet0/0/0
switchport trunk native vlan 60
switchport mode trunk
negotiation auto
!
interface TwoGigabitEthernet0/0/1
negotiation auto
!
interface TwoGigabitEthernet0/0/2
negotiation auto
!
interface TwoGigabitEthernet0/0/3
no switchport
ip address 192.168.1.1 255.255.255.0
negotiation auto
!
interface TenGigabitEthernet0/1/0
description SW-C350
switchport trunk native vlan 2
switchport mode trunk
switchport nonegotiate
negotiation auto
!
interface TenGigabitEthernet0/1/1
no negotiation auto
no snmp trap link-status
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address dhcp
negotiation auto
!
interface Vlan1
no ip address
no ip proxy-arp
shutdown
!
interface Vlan2
ip address 10.1.2.7 255.255.255.0
no ip proxy-arp
!
ip default-gateway 10.1.2.1
ip route 0.0.0.0 0.0.0.0 10.1.2.1
!
!