This article describes the FortiAP instability issue on FortiLANCloud: FortiAPs stay connected to the Cloud for some time, then the connection drops.
This can happen when an intermediate network element sits between the FortiAP and the Cloud and aggressively remaps DTLS sessions to different source ports. The DTLS IP/port session held by the FortiAP is then lost and re-established frequently.
To overcome this kind of issue, the NAT session keep-alive feature has been introduced. It causes the FortiAP to send frequent keep-alive packets to the Cloud so that the NAT mapping stays in place. This feature requires FortiAP v7.4.2 or higher.
This issue is normally seen with users who run third-party firewalls such as Sonic/Barracuda behind the FortiAPs with source port remapping enabled, which is a known issue.
FortiAP on FortiLANCloud portal.
A dynamic SNAT connection method on the firewall makes the port remapping even more aggressive than the regular connection method, so the symptom is more pronounced with that setting.
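The following is an added illustration, not Fortinet code and not a model of any particular firewall. It assumes a simplified UDP NAT that drops a binding after an idle timeout and hands out a fresh external port on the next packet; the Cloud side identifies the DTLS session by the external IP/port pair, so each port change looks like a new peer and forces the session to be re-established. The scenario (control traffic every 120 s, a 60 s idle timeout, the inside address 192.0.2.10) is constructed. It shows why keep-alives stabilise the tunnel only when the keep-alive interval is shorter than the NAT's idle timeout.

```python
"""Toy model of why a NAT keep-alive stabilises a DTLS tunnel (constructed example)."""

from dataclasses import dataclass


@dataclass
class NatBinding:
    external_port: int   # the source port the Cloud sees the FortiAP on
    last_seen: float     # timestamp of the last packet through this binding


class UdpNat:
    """Minimal UDP NAT with an idle timeout (an assumption, not a real product's behaviour)."""

    def __init__(self, udp_idle_timeout: float, first_port: int = 40000):
        self.udp_idle_timeout = udp_idle_timeout
        self.next_port = first_port
        self.table: dict = {}  # (inside_ip, inside_port) -> NatBinding

    def translate(self, inside, now: float) -> int:
        binding = self.table.get(inside)
        if binding is not None and now - binding.last_seen > self.udp_idle_timeout:
            del self.table[inside]            # idle binding expired
            binding = None
        if binding is None:
            binding = NatBinding(self.next_port, now)
            self.next_port += 1               # new binding -> new external source port
            self.table[inside] = binding
        binding.last_seen = now
        return binding.external_port


def dtls_session_resets(send_times, udp_idle_timeout: float) -> int:
    """Count how often the Cloud sees the AP's source port change, i.e. DTLS re-establishments."""
    nat = UdpNat(udp_idle_timeout)
    ap = ("192.0.2.10", 5246)                 # constructed inside address of the FortiAP
    last_port = None
    resets = 0
    for t in sorted(send_times):
        port = nat.translate(ap, t)
        if last_port is not None and port != last_port:
            resets += 1
        last_port = port
    return resets


def with_keepalive(data_times, keepalive_interval: float, duration: float):
    """Merge the AP's data packets with periodic keep-alive packets."""
    times = set(data_times)
    t = 0.0
    while t <= duration:
        times.add(t)
        t += keepalive_interval
    return sorted(times)


if __name__ == "__main__":
    data = [0, 120, 240, 360]                  # control traffic every 120 s
    print("no keep-alive:", dtls_session_resets(data, 60))
    print("30 s keep-alive:", dtls_session_resets(with_keepalive(data, 30, 360), 60))
    print("90 s keep-alive:", dtls_session_resets(with_keepalive(data, 90, 360), 60))
```

Without keep-alives every control packet arrives after the 60 s idle timeout and gets a new port, so the session resets on each one; a 30 s keep-alive keeps the binding warm and the port never changes; a 90 s keep-alive is longer than the timeout and still lets some resets through. A firewall that remaps ports per flow regardless of idle time (the dynamic SNAT case above) is not captured by this model.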
Note:
It is highly recommended to contact the support team of the third-party firewall to evaluate the impact of these changes before applying the settings.
The "NAT Session Keep-Alive" feature needs to be enabled and configured. For more information, refer to this document: NAT Session Keep Alive Timer
The links below apply to Sonic firewalls. Similar settings are available on other firewalls as well.
Copyright 2024 Fortinet, Inc. All Rights Reserved.