FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11ax, and the demand for plug and play deployment.
rm
Staff
Article Id 329345
Description

 

This article describes a FortiAP instability issue on FortiLANCloud: FortiAPs stay connected to the Cloud for some time and then the connection drops.

This could be happening because an intermediate network element between the FortiAP and the Cloud is aggressively remapping DTLS sessions to different source ports, causing the DTLS IP/port session held by the FortiAP to be lost and re-established frequently.

To overcome this kind of issue, the NAT session keep alive feature has been introduced, which will cause the FortiAP to send frequent keep-alive packets to the Cloud. This feature requires FortiAP v7.4.2 or higher.

This issue is typically reported by users who run third-party firewalls such as Sonic/Barracuda behind FortiAPs with source port remapping enabled, which is a known issue.
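One way to confirm from NAT translation records that source port remapping is occurring, as an added example (not Fortinet or firewall vendor code). The record layout, addresses and ports are constructed for illustration; adapt the parser to the firewall's real log export.

```python
# Constructed sample records, not real firewall output. Fields:
# epoch_seconds  inside_src  translated_src  destination  (UDP/DTLS flows)
SAMPLE = """\
1000 10.0.0.21:5246 198.51.100.7:40001 203.0.113.10:5246
1025 10.0.0.21:5246 198.51.100.7:40001 203.0.113.10:5246
1120 10.0.0.21:5246 198.51.100.7:51844 203.0.113.10:5246
1140 10.0.0.21:5246 198.51.100.7:51844 203.0.113.10:5246
1000 10.0.0.22:5246 198.51.100.7:40002 203.0.113.10:5246
1030 10.0.0.22:5246 198.51.100.7:40002 203.0.113.10:5246
1060 10.0.0.22:5246 198.51.100.7:40002 203.0.113.10:5246
"""

def parse(text):
    """Yield (ts, inside_src, translated_src, dst) from the assumed layout."""
    for line in text.splitlines():
        if line.strip():
            ts, inside, translated, dst = line.split()
            yield int(ts), inside, translated, dst

def find_remaps(text):
    """Return one event each time a flow's translated source changes."""
    last = {}      # (inside_src, dst) -> (last_seen_ts, translated_src)
    events = []
    for ts, inside, translated, dst in sorted(parse(text)):
        key = (inside, dst)
        if key in last and last[key][1] != translated:
            prev_ts, prev_translated = last[key]
            events.append({
                "flow": key,
                "old": prev_translated,
                "new": translated,
                "at": ts,
                # Silence on the flow before the mapping changed.
                "idle_before": ts - prev_ts,
            })
        last[key] = (ts, translated)
    return events

def shortest_idle_before_remap(events):
    """Smallest idle gap (seconds) seen before a remap, or None."""
    return min((e["idle_before"] for e in events), default=None)

if __name__ == "__main__":
    for e in find_remaps(SAMPLE):
        print(f"{e['flow'][0]} remapped {e['old']} -> {e['new']} "
              f"after {e['idle_before']}s idle")
```

If remaps follow idle periods, a keep-alive interval shorter than the smallest reported gap is the value to try first; remaps that occur with no idle gap point to the firewall's port remapping setting instead.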

 

Scope

 

FortiAP on FortiLANCloud portal.

 

Solution

 

  • Changes that need to be done on the 3rd-party firewall:

 

source_port_remapping.png

 

The Dynamic SNAT connection method on the firewall makes port mapping even more aggressive than the regular connection method.

 

Note:

It is highly recommended to contact the support team of the third-party firewall to evaluate the impact of these changes before applying the settings.

 

  • Changes that need to be done in the FortiLANCloud config to support the changes done on the firewall to address AP keep-alive issues:

 

cloud_nat.png

 

'NAT Session Keep-Alive' needs to be enabled and configured. For more information, refer to this document: NAT Session Keep Alive Timer

 

The links below apply to Sonic Firewall. Similar configurations are available on other firewalls as well.

https://community.sonicwall.com/technology-and-support/discussion/2135/sonicwall-has-always-affected...

https://www.sonicwall.com/support/knowledge-base/how-do-i-exclude-traffic-from-firewall-security-ser...

https://www.sonicwall.com/support/knowledge-base/troubleshooting-a-scenario-where-source-remap-is-ca...
