Created on 07-30-2024 11:05 PM, edited on 10-07-2024 12:48 PM, by Jean-Philippe_P
Description
This article describes the FortiAP instability issue on FortiLANCloud. FortiAPs are stable in the Cloud for some time and then the connection drops.
This can happen when an intermediate network element between the FortiAP and the Cloud aggressively remaps the DTLS session to different source ports, so the DTLS IP/port session held by the FortiAP is lost and has to be re-established frequently.
To overcome this kind of issue, the NAT session keep-alive feature has been introduced: it makes the FortiAP send frequent keep-alive packets to the Cloud so that the session entry on the intermediate device stays active. This feature requires FortiAP v7.4.2 or higher.
This issue is typically reported by users who run third-party firewalls (SonicWall, Barracuda, etc.) behind their FortiAPs with source port remapping enabled, for which there is a known issue.
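The mechanism above, as an added example that is not Fortinet's code: a toy NAT whose UDP mappings expire after an idle timeout, fed by an AP that sends data occasionally and, optionally, keep-alives. Every time the mapping expires the AP gets a new external source port, which is exactly the DTLS session loss the article describes; the idle timeout, traffic gap and keep-alive intervals are constructed sample values, not product defaults.

```python
# Added example (not Fortinet's code): models why a NAT/firewall UDP idle timeout
# forces the FortiAP's DTLS session to be rebuilt, and why a keep-alive interval
# shorter than that timeout prevents it. All timings are constructed values.


class UdpNat:
    """Toy NAT: one external port per flow, dropped after idle_timeout_s of silence."""

    def __init__(self, idle_timeout_s: int, first_port: int = 40000):
        self.idle_timeout_s = idle_timeout_s
        self.next_port = first_port
        self.mappings = {}  # flow tuple -> [external_port, last_seen_s]

    def translate(self, now_s: int, flow: tuple) -> int:
        entry = self.mappings.get(flow)
        if entry is None or now_s - entry[1] > self.idle_timeout_s:
            # No live mapping: allocate a fresh external port. Seen from the
            # Cloud this is a brand-new source port, so the DTLS session breaks.
            entry = [self.next_port, now_s]
            self.next_port += 1
            self.mappings[flow] = entry
        entry[1] = now_s  # every packet refreshes the idle timer
        return entry[0]


def send_times(duration_s: int, data_gap_s: int, keepalive_s: int) -> list:
    """Seconds at which the AP emits a packet: data traffic plus optional keep-alives."""
    times = set(range(0, duration_s + 1, data_gap_s))
    if keepalive_s > 0:
        times.update(range(0, duration_s + 1, keepalive_s))
    return sorted(times)


def dtls_rebuilds(nat_timeout_s: int, data_gap_s: int, keepalive_s: int,
                  duration_s: int = 600) -> int:
    """Count how many times the AP's DTLS session is forced to re-establish."""
    nat = UdpNat(nat_timeout_s)
    flow = ("ap-lan-ip", 50000, "fortilan-cloud")  # constructed flow identifier
    ports = [nat.translate(t, flow) for t in send_times(duration_s, data_gap_s, keepalive_s)]
    return len(set(ports)) - 1  # first port is the initial session, not a rebuild


if __name__ == "__main__":
    NAT_TIMEOUT = 30  # constructed: firewall UDP idle timeout in seconds
    for ka in (0, 20, 45):  # no keep-alive, keep-alive below timeout, above timeout
        label = f"every {ka}s" if ka else "disabled"
        print(f"keep-alive {label}: {dtls_rebuilds(NAT_TIMEOUT, 120, ka)} DTLS rebuilds in 10 min")
```

The 45-second case shows the caveat a practitioner needs: keep-alives only help when their interval is shorter than the firewall's UDP idle timeout, so the timer must be chosen against the actual firewall setting.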
Scope
FortiAP on FortiLANCloud portal.
Solution
- Changes that need to be done on the 3rd-party firewall:
The Dynamic SNAT connection method on the firewall makes port remapping even more aggressive than the regular connection method.
Note:
It is highly recommended to contact the support team of the third-party firewall to evaluate the impact of these changes before applying the settings.
- Changes that need to be done on the FortiLANCloud configuration to support the changes made on the firewall and address AP keep-alive issues:
The 'NAT Session Keep-Alive' option needs to be enabled and configured. For more information, refer to this document: NAT Session Keep Alive Timer.
The links below apply to SonicWall firewalls; similar settings are available on other firewalls as well.
Sonicwall has always affected voip equipment | Port filtration and Device Timeouts
How do I exclude traffic from firewall security services?
Troubleshooting a scenario where Source remap is causing the VOIP issues