FortiGate
Anonymous
Article Id 212659

Description

 

This article describes how to troubleshoot when a user reports that the network is slow, intermittent, or disconnecting, either for certain applications or for connections in general.

 

Scope

 

FortiGate, Network Equipment.

 

Possibilities:

Several possibilities can lead to this issue. Some of them may not be on the FortiGate itself.

 

FortiGate:
  • Policy IPv4
  • Security profile (antivirus, web filter, application control, etc.)
  • Routing
  • HA
  • Firmware upgrade
  • etc.

Network Equipment:
  • Looping
  • IP conflict
  • Aggregation/LACP
  • Routing
  • Stacking
  • Spanning tree
  • etc.

 

In some cases, the issue also happens after some changes on the network level.

Example:

  1. Adding new network equipment(Core switch, Distribution switch, etc).
  2. Stacking / LACP configuration on existing equipment.
  3. Changing physical interface. Uplink or from UTP to fiber.
  4. Gateway/routing changes.
  5. Upgrade firmware.

 

Identify any changes made to any network equipment so that troubleshooting can focus on that specific equipment.

 

Solution

 

In any troubleshooting, the common approach is to eliminate the possible causes one at a time.

Here are some troubleshooting actions that can be done.

 

Troubleshoot FortiGate issue:

 

In this scenario, the example user PC has the IP 10.10.10.99.

 

PC IP : 10.10.10.99
Gateway : 10.10.10.1 (FortiGate IP)

 

The diagram is as follows:


Internet <<>> FortiGate 10.10.10.1 <<>> Core switch <<>> Switch <<>> AP <<>> PC 10.10.10.99.

 

On FortiGate:

To check the routing table, run the following commands:

 

get router info routing-table all <---- Check Firewall Routing table.

get router info routing-table details 10.10.10.99   <----- Check the Routing table for the PC.

 

Verify reachability between the PC IP 10.10.10.99 and the Gateway IP 10.10.10.1 by enabling the ping service for the Gateway IP (Firewall Interface).


Create one new IPv4 policy.

 

Source: 10.10.10.99
Destination: ALL
Security profiles: None
NAT : Enabled

 

This eliminates issues related to security profiles (antivirus, web filter, application control, etc.). Without making any other changes to the network, test the application/service that is having an issue.

 

Apply one security profile at a time.


Example:

  • Enable only the Antivirus profile.
  • Enable only the Web filter profile.
  • Then apply combinations of the profiles.

 

Run the test until the application stops working. From the result, fine-tune the respective policies accordingly.

 

Troubleshoot network issues:

  • Security profiles are not enabled on the policy IPv4, and everything is allowed. No traffic will be denied by the FortiGate.
  • This test scenario will troubleshoot on the network level. Physical access to the network units is required.

 

From the PC, keep pinging 10.10.10.1 (FortiGate IP) and 8.8.8.8 while running the test scenarios below.

For each scenario, test the problematic application/traffic accordingly.

 

  1. PC connects to FortiAP.

Internet <<>> FortiGate 10.10.10.1 <<>> Core switch <<>> Switch <<>> AP <<>> PC 10.10.10.99.

 

  • Policy IPV4 issue has already been eliminated.

 

  2. PC directly to the Switch.

Internet <<>> FortiGate 10.10.10.1 <<>> Core switch <<>> Switch <<>> PC 10.10.10.99.

 

  • This will eliminate the issue of AP.

 

  3. PC directly to the Core switch.

 

Internet <<>> FortiGate 10.10.10.1 <<>> Core switch <<>> PC 10.10.10.99.

  • This will eliminate the issue of the Switch.

 

  4. PC directly to FortiGate:

Internet <<>> FortiGate 10.10.10.1 <<>>  PC 10.10.10.99.

 

  • This will eliminate the issue of the Core switch.

 

  5. PC directly to ISP.

Internet <<>>  PC xx.xx.xx.xx.

 

  • This will eliminate the issue with the FortiGate.
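The step-by-step elimination above can be scored from saved ping output. The following Python sketch is an added example, not part of the original article or any Fortinet tool: it reads the ping summary to 8.8.8.8 captured at each step and names the device whose removal first cleared the loss. The function names, the 1% loss threshold, the result labels and the sample captures are assumptions.

```python
import re

# Steps in the article's order; each names the device that step takes out of
# the path compared with the step before it.
STEPS = [("PC via AP", None), ("PC to switch", "AP"),
         ("PC to core switch", "Switch"), ("PC to FortiGate", "Core switch"),
         ("PC to ISP", "FortiGate")]

# Summary lines of Linux/macOS ping and of Windows ping.
PATTERNS = [re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received"),
            re.compile(r"Sent = (\d+), Received = (\d+)")]

def loss_pct(ping_output):
    """Packet loss in percent, computed from the sent/received counters."""
    for pat in PATTERNS:
        m = pat.search(ping_output)
        if m and int(m.group(1)) > 0:
            sent, recv = int(m.group(1)), int(m.group(2))
            return 100.0 * (sent - recv) / sent
    raise ValueError("no ping summary line found")

def isolate(outputs, threshold=1.0):
    """outputs: ping output to 8.8.8.8 captured at each step, in STEPS order.
    Returns the device whose removal first brought loss to <= threshold."""
    losses = [loss_pct(o) for o in outputs]
    if losses[0] <= threshold:
        return "not reproduced"      # no loss even on the full path
    for (_, removed), loss in zip(STEPS[1:], losses[1:]):
        if loss <= threshold:
            return removed
    if len(losses) < len(STEPS):
        return "inconclusive"        # still lossy; run the next step
    return "ISP"                     # assumption: lossy even without FortiGate

# Constructed sample captures (not real measurements).
SAMPLE = [
    "100 packets transmitted, 83 received, 17% packet loss, time 99140ms",
    "100 packets transmitted, 80 received, 20% packet loss, time 99133ms",
    "100 packets transmitted, 100 received, 0% packet loss, time 99127ms",
]

if __name__ == "__main__":
    for (name, _), out in zip(STEPS, SAMPLE):
        print(f"{name:18} loss={loss_pct(out):.1f}%")
    print("suspect:", isolate(SAMPLE))
```

Run the same comparison on the captures for 10.10.10.1 (steps 1 to 4 only) to see whether the loss is already present on the path to the gateway.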

 

Use the findings from these tests to proceed with the necessary troubleshooting. Call Fortinet Support to get help on the FortiGate level.

 

Related articles:

Technical Tip: High availability intermittence issue

Troubleshooting Tip: LACP issue