Troubleshooting Tip: 'Please set auto-transport-threshold shorter than negotiate-timeout' error

'Configuration file error. Please set auto-transport-threshold shorter than negotiate-timeout' encountered during VPN Phase 1 configuration changes.

This error message appears in FortiGate during configuration validation when setting up VPN tunnels (e.g., IPsec or SSL VPN) using auto-transport features. It indicates a misconfiguration between two timeout parameters in the VPN settings:

• auto-transport-threshold: Controls the time (in seconds) before the FortiGate automatically switches transport protocols (e.g., from UDP to TCP) if the primary connection fails.

Note: The  parameter auto-transport-threshold is not configurable on a FortiGate that is acting as the Dialup Server

• negotiate-timeout: Defines the overall timeout for IKE (Internet Key Exchange) negotiation during tunnel establishment.

The error triggers if auto-transport-threshold is set to a value greater than or equal to negotiate-timeout. This creates a logical conflict because the auto-switch mechanism cannot complete before the entire negotiation times out, leading to failed VPN connections, repeated retries, or stalled tunnel establishment.

The negotiate-timeout value configured as 15 seconds instead of the default 30 seconds results in a threshold mismatch error.

config vpn ipsec phase1-interface
    edit test

        set negotiate-timeout 15  <----- The negotiate-timeout value is configured as 15 seconds. Default = <30>.

end

After setting the negotiate-timeout value to 30 seconds, Phase 1 configuration changes can be completed without any errors.

To set the negotiation timeout value via the CLI: 

config vpn ipsec phase1-interface
    edit <Tunnel Name>   <----- Replace with the affected tunnel name.
        set negotiate-timeout 30
end