naltor
New Member
August 26, 2015
Question

UDP traffic works, TCP doesn't....


Hi there,

I have a problem with TCP traffic. I have only one rule: permit any any. When I try to send UDP traffic through the firewall everything is fine. 4mbps of UDP traffic ends with a result of 4mbps inbound/outbound.

The problem appears with TCP traffic. If I try to send 4mbps of TCP traffic I get in the source interface 110 kbps-inbound and 2.3mbps traffic-out, which doesn't make sense to me...

I'm monitoring the traffic on the firewall port where the traffic comes from...

I have other firewalls with the same config and the same firmware v5.0.6 and everything works fine...

I have no errors in the traffic flow, the session is established and the firewall policy allows the traffic...

Any idea?

Thanks


    gschmitt
    New Member
    August 26, 2015

    Do you have any policy routes under Router > Static > Policy Routes?

    Since you said "any" I assume you have had the device for a longer time and kept updating it (since it's called ALL now)

    Check your any object at Policy&Objects > Objects > Services

    Is it set to Protocol Type: IP, Protocol Number: 0?


    naltor (Author)
    New Member
    August 26, 2015

    Hi gschmitt!!

    Yes, everything is ok with the config. I checked this out and everything is fine...

    diagnose debug flow filter daddr x.x.x.x

    diag debug flow show console enable

    diag debug flow show function-name enable

    diag debug flow trace start 100

    diag debug enable


    I'm thinking about hardware problems... There are no errors on the interfaces... So weird... First time this has happened to me...


    ede_pfau
    SuperUser
    August 26, 2015

    hi,


    from the traffic history plot it looks like the FGT is applying UTM in proxy mode - there is a short delay between incoming and outgoing traffic. I assume traffic is not lost - you would have mentioned. You can test this e.g. with an FTP transfer.


    Could you please post the policy in the CLI ("config firewall policy", "show full")?


    Another topic is the version of FortiOS you are using. Get away from v5.0.6 as soon as possible. For one, it's vulnerable to the SSL bug. The current version/patch is v5.0.12. Read the Release Notes and follow the upgrade path (upgrade to v5.0.10 first IIRC). It might well be that the situation clears up after the upgrade.

    naltor (Author)
    New Member
    August 26, 2015

    Hi ede_pfau,


    I don't have access to the firewall right now, but there isn't any UTM profile configured in this policy. I checked this...


    I agree about the firmware version, but it isn't related to this issue because we have other firewalls with the same config/firmware working properly... :)


    Thanks!!

    emnoc
    New Member
    August 26, 2015

    IMHO you're wasting your time trying to compare the performance of UDP vs TCP; you have so many variables that you have to think about and none of them have anything to do with the firewall, imho.


    e.g. (just a few):

    > MSS
    > SYN/SYN-ACK delay
    > segment ACK
    > TCP window buffer
    > SACK or non-SACK
    > TCP large window scale
    > Windows/Unix/Linux/etc...

    etc....


    No way would I try to compare the performance of UDP vs TCP (layer 4); you have so many variables that would make a big difference in many cases. Btw, none of the variables listed above apply to UDP, hence this is why UDP is always faster than TCP. To repeat: a transfer with UDP will always be faster than any positive-acknowledgement delivery.


    Hey Ede, I'm trying to find a good bier in Amsterdam , Prost.


    ken
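The TCP-only variables emnoc lists above, worked through as an added example that is not from this thread: it computes the window-limited and loss-limited ceilings of a single TCP flow, limits that have no UDP equivalent and apply regardless of the firewall policy. The RTTs, window sizes, MSS and loss rates are constructed values, not measurements from naltor's unit.

```python
import math

# Added example, not from the thread. Constructed RTTs, windows and loss
# rates; they illustrate the TCP-only variables listed above, not naltor's box.

MAX_UNSCALED_WINDOW = 65535     # 16-bit TCP window field, no window scaling
MATHIS_C = 1.22                 # constant in the Mathis et al. (1997) estimate


def effective_window(window_bytes, window_scaling=True):
    """Bytes a sender can have in flight: without the window-scale option
    (RFC 7323) the advertised window is clamped to 65535 bytes."""
    if window_scaling:
        return window_bytes
    return min(window_bytes, MAX_UNSCALED_WINDOW)


def window_limited_mbps(window_bytes, rtt_ms, window_scaling=True):
    """Loss-free ceiling: at most one window of data per round trip."""
    rtt_s = rtt_ms / 1000.0
    return effective_window(window_bytes, window_scaling) * 8 / rtt_s / 1e6


def loss_limited_mbps(mss_bytes, rtt_ms, loss_rate):
    """Mathis approximation: throughput ~ (MSS/RTT) * C / sqrt(p).
    Every lost segment costs a congestion-window reduction; UDP has no
    equivalent because nothing is acknowledged or retransmitted."""
    rtt_s = rtt_ms / 1000.0
    return (mss_bytes * 8 / rtt_s) * MATHIS_C / math.sqrt(loss_rate) / 1e6


def tcp_ceiling_mbps(window_bytes, mss_bytes, rtt_ms, loss_rate, window_scaling=True):
    """Whichever limit is tighter caps a single TCP flow."""
    limits = [window_limited_mbps(window_bytes, rtt_ms, window_scaling)]
    if loss_rate > 0:
        limits.append(loss_limited_mbps(mss_bytes, rtt_ms, loss_rate))
    return min(limits)


if __name__ == "__main__":
    # A 4 Mbps UDP stream ignores all of this; a TCP flow limited to a
    # 64 KiB window over a 200 ms path cannot reach 4 Mbps at all.
    for rtt in (20.0, 200.0):
        for scaling in (False, True):
            cap = tcp_ceiling_mbps(262144, 1460, rtt, 0.0, scaling)
            print(f"RTT {rtt:5.0f} ms, 256 KiB window, scaling={scaling}: "
                  f"{cap:6.2f} Mbps ceiling")
    print(f"1% loss, 20 ms RTT: {loss_limited_mbps(1460, 20.0, 0.01):.2f} Mbps")
```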


    naltor (Author)
    New Member
    September 10, 2015

    Hi guys,


    It wasn't the FortiGate's fault... The network traffic generator wasn't working properly!!


    Thanks!!