Troubleshooting Tip: Packet loss for data traffic when ASIC Offloading and Ingress Shaping are enabled on SOC5 FortiGate platforms

Description

This article outlines an issue where packet loss may occur for data traffic on FortiGate devices equipped with SOC5 ASICs when ASIC offloading is enabled alongside an ingress shaping profile.

Scope

FortiGate models using SOC5 ASIC (e.g., FortiGate 120G).

Solution

This issue is tracked by internal issue ID 1256278 and is reported for FortiGate with S0C5 hardware, such as 50G, 70G, 90G, 120G and with ASIC version SOC5. Affected traffic is data traffic passing through the FortiGate, not local traffic destined to the FortiGate itself.

ASIC version can be identified with the 'get hardware status' command or reviewed in NP7Lite section of the Hardware Acceleration document: FortiGate NP7Lite architectures document.

To confirm the issue, run 'diagnose npu np7lite dce-drop-all 0' multiple times during the issue and observe DCE_QTM_ENQ_DROP counters incrementing.

diagnose npu np7lite dce-drop-all 0
305 DCE_QTM_ENQ_DROP 1203245 +

Workaround:

Disable 'auto-asic-offload' in the firewall policy or remove shaping profile on the interface, see Traffic Shaping. To disable hardware offload on the firewall policy:

config firewall policy
    edit <index>
        set auto-asic-offload disable
    next
end

Resolution:

The issue is resolved in FortiOS v7.6.4, 8.0.0, and in upcoming FortiOS releases v7.4.12.

A similar issue could occur on earlier firmware versions for any traffic handled by traffic shaper, see Technical Tip: End User traffic may be dropped on FortiGate when Traffic Shaping Policy is enabled on NP7lite devices.