GGMACHAIN
Staff
May 18, 2026

Technical Tip: Low performance on tunnel-mode SSID while bridge-mode SSID works normally

Description

This article describes how to improve the performance of tunnel-mode SSIDs in environments using Fortinet FortiAP devices.

Scope

FortiGate, FortiAP.

Solution

There have been reports of low performance on tunnel-mode SSIDs in FortiAP environments when compared to bridge-mode SSIDs.


Resolution:


The recommended way to resolve these cases is to change the default dtls-policy setting to clear-text in the WTP profile associated with the impacted SSID, as shown below:

config wireless-controller wtp-profile
    edit "FortiAP-profile-name"
        set dtls-policy clear-text
    next
end


Note:


The clear-text option disables encryption for the CAPWAP data channel between the FortiGate and the FortiAP.
In this mode, only the CAPWAP control channel remains encrypted, while user traffic is forwarded without DTLS encryption. This configuration provides the highest throughput performance because the FortiGate can hardware-offload CAPWAP traffic processing in clear-text mode.


Additionally, this configuration reduces processing overhead for tunnel-mode SSIDs, since the FortiGate no longer needs to perform software-based DTLS encryption and decryption for wireless client traffic.

As a result, tunnel-mode performance can become much closer to bridge-mode performance.
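
Because clear-text leaves wireless client traffic unencrypted on the CAPWAP data channel, as the Note describes, it helps to know which WTP profiles carry the setting. The following Python example is added here and is not from the original article or from Fortinet: it parses the wtp-profile table of a configuration backup and returns each profile's dtls-policy values. The sample configuration and profile names are constructed, and a profile with no explicit dtls-policy line is returned as an empty list.

```python
import shlex

# Constructed sample of a FortiGate configuration backup (profile names are made up).
SAMPLE_CONFIG = """\
config wireless-controller wtp-profile
    edit "lobby-aps"
        config platform
            set type 231F
        end
        set dtls-policy clear-text
    next
    edit "finance-aps"
        set dtls-policy dtls-enabled
    next
    edit "warehouse-aps"
    next
end
config wireless-controller vap
    edit "corp-ssid"
    next
end
"""

def wtp_dtls_policies(config_text):
    """Map each WTP profile to its dtls-policy values ([] = no explicit line)."""
    policies, in_table, depth, profile = {}, False, 0, None
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:           # unbalanced quote, e.g. a multi-line value
            tokens = raw.split()
        if not tokens:
            continue
        if not in_table:
            in_table = tokens == ["config", "wireless-controller", "wtp-profile"]
        elif tokens[0] == "config":  # nested block such as "config platform"
            depth += 1
        elif tokens[0] == "end":     # closes a nested block, or the table itself
            in_table, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and tokens[0] == "edit" and len(tokens) > 1:
            profile = tokens[1]
            policies[profile] = []
        elif depth == 0 and profile and tokens[:2] == ["set", "dtls-policy"]:
            policies[profile] = tokens[2:]
    return policies

def clear_text_profiles(config_text):
    return sorted(n for n, p in wtp_dtls_policies(config_text).items() if "clear-text" in p)

print(clear_text_profiles(SAMPLE_CONFIG))  # profiles that explicitly allow clear text
```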