Troubleshooting Tip: How to fix the DP Channel Hung state in 6000F Firewall

Description

This article describes steps to isolate and resolve the DP channel Hung state situation in FortiGate 6000F Firewall.

Scope

FortiGate 6000F.

Solution

In certain rare scenarios, FortiGate 6000F may experience a DP channel hung condition, resulting in:

• Traffic disruption or intermittent packet drops.

• Sessions are not being processed correctly.

• New sessions may fail to establish.

The FortiGate 6000F can support 6 to 10 FPCs (Fortinet Processor Cards), depending on the purchased perpetual license. Each FPC processes its own sessions independently, and sessions are not synchronized between FPCs within the same chassis.

The Data Plane (DP3) load balancer is responsible for distributing traffic received on the front-panel interfaces across the available FPCs through the Internal Switch Fabric (ISF).

Each DP supports up to 24 DP channels/ports. If any of these channels enter a hung or unresponsive state, it will stop forwarding traffic to the associated FPC. As a result, traffic mapped to that specific channel is dropped, which may lead to intermittent packet loss and performance degradation.

Packet captures in such scenarios typically show that traffic is received on the ingress interface, but no corresponding packets are observed on the egress interface, indicating that the drop is occurring within the internal forwarding path.

Users can verify this condition by running the following command (enter this command multiple times):

diagnose load-balance dp show stats channel 

If the 'RX Discard' counter is incrementing, it indicates that traffic is being received by the DP channel but not forwarded, which is a strong indication that the channel is in a hung state.

Additional commands can also be collected as part of the investigation.

config global
diagnose load-balance status
diagnose load-balance set slot current
diagnose load-balance dp show register global detail
diagnose load-balance dp show register channel detail
diagnose load-balance dp focus-port all
diagnose load-balance dp show stats session all

Firewall will also log the following entry in the system event logs (Sample log showing DP channel/port 15 is in a hung state).

itime=1769931609 date="2026-02-01" time="11:38:35" devid="F6KF31T0XXXXXXXXX" vd="mgmt-vdom" type="event" subtype="system" bid=564245037 devname="Firewall1" dstepid=3 dsteuid=3 dvid=1169 epid=3 euid=3 eventtime=1769931514735735704 id=7601798376811677050 level="warning" logdesc="DP channel hung detected." logid="0100053405" logver=702111740 msg="DP channel 15 possible hung!" slot=0 tz="+0400"

itime=1769931309 date="2026-02-01" time="11:33:24" devid="F6KF31T0XXXXXXXXX" vd="mgmt-vdom" type="event" subtype="system" bid=564243138 devname="Firewall1" dstepid=3 dsteuid=3 dvid=1169 epid=3 euid=3 eventtime=1769931204425669966 id=7601797088321483856 level="warning" logdesc="DP channel hung detected." logid="0100053405" logver=702111740 msg="DP channel 15 possible hung!" slot=0 tz="+0400"

Workaround:

If the units are configured in High Availability (HA):

1. Perform a manual failover to shift traffic to the secondary unit.

2. Reboot the affected primary device to restore DP channel functionality.

This approach helps minimize service disruption while recovering the impacted unit.

Note:

If the issue persists or recurs, it is recommended to contact Fortinet TAC Support for further assistance. The TAC team can help run advanced diagnostics to identify the affected DP channel and, if required, isolate the faulty DP channel from traffic processing to prevent further impact.