Very high latency between lan and dmz on VM64 (multiple vdoms, multiple emac vlans)

Question

Hi! We have a pair of Fortigate VM64 in HA on VMware (provider is OVH).

We are migrating clients from PaloAlto to this Fortigate.

We have around 30 VDOM (and we need to add more), with VDL link to the root.

We have EMAC VLANS for the interface (WAN, Private and DMZ).

It is working, but when the sessions increase around 30K and higher, everything become very slow.

The ping between private and dmz inside any vdom increase around 100-150ms with lost packets.

The CPU is used max 20%, and the memory around 60%.

We have a ticket with Fortinet, but for them , with a packet capture, there were able to show that the fortigate don't add any latency in the packets.

We move back one of the client to PaloAlto and they are now happy!

The PaloAlto use the same VMware farm.

To be able to make the EMAC VLAN and VDL work, we needed to enable the promicious mode on the port group on VMware. Maybe this is the problem.

The links are 10GBs, and the traffic on the trunk that contains the private and dmz don't even go higher than 2.5Gbs.

If someone has an idea what could be the problem...

thank you

Eric72 · Accepted Answer

We found that the problems came from not enough resources. Too much cpu ready.We move the firewall alone on a vsphere host and there's no more problem.

Anthony_E · Answer

Hello Eric, Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. Thanks,

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded