Staff

Troubleshooting Tip: Understanding the difference between 'TX dropped' and 'Host Tx dropped'

Forum|Forum|1 year ago
April 29, 2025
0 replies
962 views

Description

This article explain what is the different between 'TX dropped' and 'Host Tx dropped'.

Scope

FortiGate.

Solution

Using the diagnose command:

fnsysctl ifconfig <physical port>

Example:

fnsysctl ifconfig internal6

internal6 Link encap:Ethernet HWaddr 00:09:0F:09:00:07

UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

RX packets:450707 errors:0 dropped:0 overruns:0 frame:0

TX packets:443318 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:187031063 (178.4 MB) TX bytes:185751500 (177.1 MB)

The diagnose command will show the following:

RX packets:450707 errors:0 dropped:0 overruns:0 frame:0

TX packets:443318 errors:0 dropped:0 overruns:0 carrier:0

The dropped counters mean the following:

RX dropped: Packets received by hardware but dropped before reaching the software (kernel).
TX dropped: Packets given to the NIC driver for transmission but the driver rejected them (e.g., queue full, or transmission error at the kernel level).

In this case:

RX dropped:0

TX dropped:0

The Linux kernel sees no drops at its level.

Using the diagnose command:

diagnose hardware deviceinfo nic internal5 -> (hardware/NP view)

Description :FortiASIC NP6XLITE Adapter

Driver Name :FortiASIC NP6XLITE Driver

Board :80F

lif id :6

lif oid :70

netdev oid :70

Current_HWaddr 00:09:0f:09:00:06

Permanent_HWaddr 84:39:8f:8f:db:b2

========== Link Status ==========

Admin :up

netdev status :up

autonego_setting :1

link_setting :1

speed_setting :1000

duplex_setting :0

Speed :1000

Duplex :Full

link_status :Up

============ Counters ===========

Rx Pkts :862330

Rx Bytes :386938003

Tx Pkts :1585124

Tx Bytes :940579100

Host Rx Pkts :862330

Host Rx Bytes :374865383

Host Tx Pkts :1618269

Host Tx Bytes :959685488

Host Tx dropped :33145

FragTxCreate :0

FragTxOk :0

FragTxDrop :0

np_rx_pkts :862330

np_rx_bytes :390387323

np_rx_mc_pkts :0

np_rx_bc_pkts :478784

np_tx_pkts :1585124

np_tx_bytes :946948018

np_tx_mc_pkts :0

np_tx_bc_pkts :471745

Diagnose command is querying the hardware (FortiASIC NP6XLITE) counters at a lower level inside the FortiGate, not the Linux kernel.

Host Tx dropped means:

Packets generated by the FortiGate CPU (host) intended to be transmitted through the NP6 hardware, but the NP6 dropped them.

Possible reasons include:

NP6 internal congestion (resource exhaustion).
NP6 queue full.
Invalid packets (e.g., incorrect checksum, internal processing error).
Traffic shaping or flow control triggered.

In this example:

Host Tx dropped: 33145

The hardware (NP6XLITE) dropped 33,145 packets that the FortiGate host (main CPU) tried to send.

Summary of difference:

fnsysctl ifconfig dropped:

Layer: Linux Kernel network stack.
Context: OS-level driver drop.
Significance: Kernel unable to process.

Host Tx dropped (deviceinfo):

Layer: FortiGate Hardware (ASIC/NP6)
Context: Hardware-level (NP6 engine) drop
Significance: Hardware dropped outgoing packets

Notes:

Even if the kernel (ifconfig) reports no drops, the hardware (NP) may be dropping.

This could impact real traffic (e.g., sessions lost, retransmissions, performance degradation).

Especially important under heavy load, high session rate, bandwidth saturation, or suboptimal NP6 offload tuning.

Recommendations:

Check if CPU usage is high (get system performance top, diagnose sys top).

Check session counts (diagnose sys session stat).

Check if NP6 is overloaded (diagnose npu np6lite stat or diagnose npu np6lite port-stat).

Analyze traffic patterns (e.g., bursty traffic, lots of small packets).

Review offload settings (ensure traffic is properly accelerated by NP6 when possible).

In extreme cases: firmware updates (some FortiOS versions improve NP6 behavior), or traffic engineering.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded