FortiAP
FortiAP devices are thin wireless access points (APs) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n and 802.11ax, and the demand for plug-and-play deployment.
vpatil, Staff
Article Id 190984

Description


This article describes how to mitigate an issue where a FortiAP-C24JE restarts after a few MB of data have been downloaded over a tunnel-mode SSID.

Scope


For FortiAP-C24JE - v5.4-build0229.

Solution


1) The issue can be observed when the data-channel DTLS policy is set to 'ipsec-vpn' in the FortiAP profile; the encryption overhead can create a performance bottleneck on the FortiAP-C24JE for Internet traffic. The data channel security then shows as:
data-chan-sec : ipsec-vpn
2) For testing, change 'dtls-policy' to 'clear-text' in the FortiAP profile and check whether the issue is still reproducible:
# config wireless-controller wtp-profile
    edit "FortiAP-profile-name"
        set dtls-policy clear-text
    next
end

Valid values for dtls-policy are clear-text, dtls-enabled and ipsec-vpn. Of the three settings, clear-text gives the highest possible data throughput.

3) Verify whether the issue is reproducible with the 'clear-text' dtls-policy. If the FortiAP no longer reboots, this confirms that the ipsec-vpn encryption overhead is the cause of the FortiAP reboot.

4) Also enable 'dtls-in-kernel' in the FortiAP profile and test the FortiAP reboot and data-rate behaviour.

When dtls-in-kernel is enabled, the FortiAP OS kernel handles the traffic encryption and decryption, which can give better throughput.
DTLS encryption cannot be hardware-accelerated on the FortiGate, so when DTLS is enabled, data throughput is significantly lower than with clear-text:
# config wireless-controller wtp-profile
    edit "FortiAP-profile-name"
        set dtls-policy dtls-enabled
        set dtls-in-kernel enable
    next
end
5) Use 'ipsec-vpn' if the FortiGate model has NP6 network processors.

FortiGates with NP6 chips can offload CAPWAP data traffic carried in IPsec, so this encryption option gives better throughput than DTLS.
Because the FortiAP has no built-in hardware acceleration chip, the FortiAP itself is the performance bottleneck in this scenario.
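To check which profiles on a controller use the data-channel settings discussed in steps 1 to 5, the script below (an added example, not Fortinet code) parses the output of 'show wireless-controller wtp-profile' and flags profiles with ipsec-vpn, or with dtls-enabled but without dtls-in-kernel. The sample output is constructed, and the FortiOS defaults it assumes for absent settings (clear-text, dtls-in-kernel disable) are an assumption.

```python
import shlex
# Constructed sample in FortiOS 'show' format (nested block, multi-value dtls-policy).
SAMPLE_SHOW = """\
config wireless-controller wtp-profile
    edit "FAP-C24JE-ipsec"
        config platform
            set type C24JE
        end
        set dtls-policy ipsec-vpn
    next
    edit "FAP-C24JE-dtls"
        set dtls-policy dtls-enabled
    next
    edit "FAP-C24JE-dtls-kernel"
        set dtls-policy clear-text dtls-enabled
        set dtls-in-kernel enable
    next
end
"""

def parse_wtp_profiles(text):
    """Map profile -> {setting: [values]} from top-level 'set' lines; nested sub-blocks are skipped."""
    profiles, current, depth = {}, None, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "edit" and current is None:
            current, profiles[tok[1]] = tok[1], {}
        elif tok[0] == "config" and current is not None:
            depth += 1                          # entering a nested block such as 'config platform'
        elif tok[0] == "end" and depth > 0:
            depth -= 1                          # leaving the nested block
        elif tok[0] == "next":
            current = None
        elif tok[0] == "set" and current is not None and depth == 0:
            profiles[current][tok[1]] = tok[2:]  # multi-value settings keep all tokens
    return profiles

def audit(profiles):
    """Flag the settings discussed above (assumed defaults when absent: clear-text, dtls-in-kernel disable)."""
    findings = {}
    for name, s in profiles.items():
        policy = s.get("dtls-policy", ["clear-text"])
        in_kernel = s.get("dtls-in-kernel", ["disable"])[0]
        if "ipsec-vpn" in policy:
            findings[name] = "ipsec-vpn: encryption load is on the AP, verify AP stability"
        elif "dtls-enabled" in policy and in_kernel != "enable":
            findings[name] = "dtls-enabled without dtls-in-kernel: consider enabling it"
        else:
            findings[name] = "ok"
    return findings
```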

Related document:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/daf31b55-67cc-11ea-9384-005056...
