FortiGate
Muhammad_Haiqal
Article Id 212659

Description

 

This article describes how to troubleshoot when a user reports that the network is slow, intermittent, or disconnecting for certain applications or for connections in general.

 

Scope

 

FortiGate.

Network equipment.

 

Possibilities.

 

There are several possible causes for this issue.

Some of them may not be on the FortiGate itself.

 

FortiGate:
  • IPv4 policy
  • Security profile (antivirus, web filter, application control, etc.)
  • Routing
  • HA
  • Firmware upgrade
  • etc.

Network equipment:
  • Looping
  • IP conflict
  • Aggregation/LACP
  • Routing
  • Stacking
  • Spanning tree
  • etc.

 

In some cases, the issue also appears after changes at the network level.

Example:

 

  1. Adding new network equipment (core switch, distribution switch, etc.).
  2. Stacking / LACP configuration on existing equipment.
  3. Changing the physical interface: uplink, or from UTP to fiber.
  4. Gateway/routing changes.
  5. Upgrading firmware.

 

First, identify any changes made to any network equipment, so that troubleshooting can focus on that specific equipment.

 

Solution

 

In any troubleshooting, the common approach is to narrow down the possible causes.

Here are some troubleshooting actions that can be taken.

 

Troubleshoot FortiGate issue:

 

In this scenario, the example user PC has the IP 10.10.10.99.

 

PC IP : 10.10.10.99
Gateway : 10.10.10.1 (FortiGate IP)

 

The diagram is as follows:


Internet <<>> FortiGate 10.10.10.1 <<>> Core switch <<>> Switch <<>> AP <<>> PC 10.10.10.99

 

On FortiGate:


Create one new IPv4 policy.

 

Source: 10.10.10.99
Destination: ALL
Security profiles: None
NAT : Enabled

 

This eliminates issues related to security profiles (antivirus, web filter, application control, etc.).
Without making any changes to the network, test the application/service that is having the issue.

Then, apply one security profile at a time.


Example:

  • Enable only the antivirus profile.
  • Enable only the web filter profile.
  • Then apply combinations of the profiles.

 

Run the test until the application stops working. Based on the result, fine-tune the respective policies accordingly.

 

Troubleshoot network issue:

 

  • Security profiles are not enabled on the IPv4 policy and everything is allowed. No traffic will be denied by the FortiGate.
  • This test scenario troubleshoots at the network level. Physical access to the network units is required.

 

From the PC, keep pinging 10.10.10.1 (FortiGate IP) and 8.8.8.8, and run the test scenarios below.

For each scenario, test the problematic application/traffic accordingly.

 

  1. PC connected to the FortiAP.

Internet <<>> FortiGate 10.10.10.1 <<>> Core switch <<>> Switch <<>> AP <<>> PC 10.10.10.99

  • The IPv4 policy issue has already been eliminated.

  2. PC direct to switch.

Internet <<>> FortiGate 10.10.10.1 <<>> Core switch <<>> Switch <<>> PC 10.10.10.99

  • This eliminates the AP as the cause.

  3. PC direct to core switch.

Internet <<>> FortiGate 10.10.10.1 <<>> Core switch <<>> PC 10.10.10.99

  • This eliminates the switch as the cause.

  4. PC direct to FortiGate.

Internet <<>> FortiGate 10.10.10.1 <<>> PC 10.10.10.99

  • This eliminates the core switch as the cause.

  5. PC direct to ISP.

Internet <<>> PC xx.xx.xx.xx

  • This eliminates the FortiGate as the cause.

 

These tests should produce some findings; proceed with the necessary troubleshooting based on them.
Call Fortinet Support if help is required at the FortiGate level.
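The elimination logic of the five test scenarios above can be written down as a small script. This is an added example, not part of the original article or any Fortinet tooling: it reads the ping summaries saved in each scenario and names the device whose removal made the loss disappear. The function names, the 1% loss threshold, and the "Security profiles / original policy" and "ISP / upstream" verdicts are assumptions, and only packet loss is judged, so the application test in each scenario is still needed.

```python
import re

# Scenarios in the article's order, each with the device it removes from the path.
SCENARIOS = [
    ("PC via AP", None),
    ("PC direct to switch", "AP"),
    ("PC direct to core switch", "Switch"),
    ("PC direct to FortiGate", "Core switch"),
    ("PC direct to ISP", "FortiGate"),
]

def packet_loss(ping_output):
    """Extract the loss percentage from a Linux or Windows ping summary."""
    m = re.search(r"(\d+(?:\.\d+)?)% (?:packet )?loss", ping_output)
    if m is None:
        raise ValueError("no loss summary in ping output")
    return float(m.group(1))

def locate_fault(runs, threshold=1.0):
    """runs: one dict per completed scenario, in SCENARIOS order, mapping each
    pinged target to its raw ping output. Returns the suspect, or None when
    more scenarios are needed."""
    bad = [any(packet_loss(out) > threshold for out in run.values()) for run in runs]
    if not bad:
        return None
    if not bad[0]:
        # Clean through the full path with the profile-free test policy.
        return "Security profiles / original policy"
    for i in range(1, len(bad)):
        if not bad[i]:
            return SCENARIOS[i][1]  # fault vanished when this device was bypassed
    if len(bad) == len(SCENARIOS):
        return "ISP / upstream"  # assumption: still failing with the PC on the ISP link
    return None

# Constructed sample summaries (not captured from a real network).
LINUX_BAD = "20 packets transmitted, 14 received, 30% packet loss, time 19034ms"
LINUX_OK = "20 packets transmitted, 20 received, 0% packet loss, time 19027ms"
WIN_OK = "Packets: Sent = 20, Received = 20, Lost = 0 (0% loss),"

if __name__ == "__main__":
    runs = [
        {"10.10.10.1": LINUX_BAD, "8.8.8.8": LINUX_BAD},  # via AP
        {"10.10.10.1": LINUX_BAD, "8.8.8.8": LINUX_BAD},  # direct to switch
        {"10.10.10.1": WIN_OK, "8.8.8.8": LINUX_OK},      # direct to core switch
    ]
    print(locate_fault(runs))  # Switch
```

In the direct-to-ISP scenario the gateway 10.10.10.1 is no longer reachable, so that run should contain only the 8.8.8.8 result.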

 

Related articles:

Technical Tip: High availability intermittence issue

Troubleshooting Tip: LACP issue