This issue is triggered when a traffic shaping policy is applied to client traffic on NP7lite-based devices: once the shaping policy is enabled, part of the client traffic is dropped in the NP7lite datapath.
Below is a basic example configuration of the traffic shaper and traffic shaping policy.
config firewall shaper traffic-shaper
    edit "test"
        set max-bandwidth 50000
    next
end

config firewall shaping-policy
    edit 1
        set name "Internet Shaper"
        set service "ALL"
        set srcintf "LAN"
        set dstintf "WAN"
        set traffic-shaper "test"
        set traffic-shaper-reverse "test"
        set srcaddr "all"
        set dstaddr "all"
    next
end
Key symptoms:
- A continuous ping from the client shows intermittent packet loss (40% in the example below) even though the replies that do arrive have sub-millisecond round-trip times, which points to drops rather than congestion.

C:\Users\test>ping 10.75.84.2 -t

Pinging 10.75.84.2 with 32 bytes of data:
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Request timed out.
Request timed out.
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Request timed out.
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Request timed out.
Request timed out.
Request timed out.
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254

Ping statistics for 10.75.84.2:
    Packets: Sent = 15, Received = 9, Lost = 6 (40% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
- The NP7lite dce-eng-drop statistics show the DCE_IVS_IGR_DIR_DROP counter increasing while the shaping policy is enabled. This happens regardless of whether the shaping policy references a traffic shaper, a per-IP shaper, or a monitor-only shaper.

FG121G_Master # diagnose npu np7lite dce-eng-drop 0 0
141 DCE_IVS_IGR_DIR_DROP 585

Repeat the command after a short period of time; the counter keeps growing while the loss is observed:

FG121G_Master # diagnose npu np7lite dce-eng-drop 0 0
141 DCE_IVS_IGR_DIR_DROP 586
- The command diagnose npu np7lite dce-drop-all 0 verbose shows a significant number of drops in the TPE module counters.
Example output:

Workaround: Disable the shaping policy with 'set status disable':

config firewall shaping-policy
    edit 1
        set status disable
    next
end
A fix for this issue is planned for firmware v7.6.4 and an upcoming v7.4 patch release.
General debug information required by FortiGate TAC for investigation:

1. The FortiGate configuration file.
2. Open a new CLI window and save the output of the following command:

execute tac report

3. Open a new CLI window and collect the NP7lite statistics:

diagnose npu np7lite hif-stats
diagnose npu np7lite dce-drop-all 0 verbose
diagnose npu np7lite pba 0
diagnose npu np7lite sse-stats 0
diagnose npu np7lite dsw-qtbl-stats 0 verbose
diagnose npu np7lite dce-eng-drop all
diagnose npu np7lite dce-dsw-drop all
diagnose npu np7lite dce-eng-stats ll
fnsysctl cat /proc/net/np7lite/qtm
fnsysctl cat /proc/net/np7lite/np7lite_0/hif-stats
fnsysctl cat /proc/net/np7lite/np7lite_0/hif-que
fnsysctl cat /proc/net/np7lite/tpe

4. Open a new CLI window and trace the session for the affected end-user traffic (replace the source and destination addresses with the client and target of the ping test):

diagnose system session filter src 192.168.1.100
diagnose system session filter dst 10.75.84.2
diagnose system session list

5. The ping test results.
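The two symptoms above (rising DCE_IVS_IGR_DIR_DROP counter plus ping loss with near-zero latency) can be confirmed offline from the collected outputs. The following script is an added example, not part of the Fortinet article: it parses two snapshots of the 'diagnose npu np7lite dce-eng-drop 0 0' output and a Windows ping capture, reports which counters grew between the snapshots, and flags the case when the drop counter is rising while the ping loss exceeds a threshold. The sample texts are constructed from the values shown in the article; the counter named HYPOTHETICAL_STATIC_CTR is invented only to show that unchanged counters are ignored, and is not a real NP7lite counter.

```python
"""Check NP7lite shaper-drop symptoms from collected CLI output.

Added example, not Fortinet code. Sample inputs below are constructed from the
values in the article; HYPOTHETICAL_STATIC_CTR is a made-up counter name.
"""
import re

# Constructed: two snapshots of 'diagnose npu np7lite dce-eng-drop 0 0', a few seconds apart.
SNAPSHOT_1 = """\
141 DCE_IVS_IGR_DIR_DROP 585
200 HYPOTHETICAL_STATIC_CTR 12
"""
SNAPSHOT_2 = """\
141 DCE_IVS_IGR_DIR_DROP 586
200 HYPOTHETICAL_STATIC_CTR 12
"""

# Constructed: the 'ping 10.75.84.2 -t' capture from the article (15 probes, 6 lost).
PING_OUTPUT = """\
Pinging 10.75.84.2 with 32 bytes of data:
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Request timed out.
Request timed out.
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Request timed out.
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Request timed out.
Request timed out.
Request timed out.
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
Reply from 10.75.84.2: bytes=32 time<1ms TTL=254
"""

# One counter per line: '<index> <NAME> <count>'
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_drop_counters(text):
    """Return {counter_name: value} for every '<idx> <NAME> <count>' line."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(3))
    return counters


def increasing_counters(before, after):
    """Return {name: delta} for counters whose value grew between two snapshots."""
    return {
        name: after[name] - before.get(name, 0)
        for name in after
        if after[name] > before.get(name, 0)
    }


def ping_loss(text):
    """Return (sent, received, loss_percent) from a Windows 'ping -t' capture."""
    lines = text.splitlines()
    replies = sum(1 for l in lines if l.startswith("Reply from"))
    timeouts = sum(1 for l in lines if l.startswith("Request timed out"))
    sent = replies + timeouts
    loss = 0.0 if sent == 0 else 100.0 * timeouts / sent
    return sent, replies, loss


def shaper_drop_suspected(before_text, after_text, ping_text, loss_threshold=5.0):
    """True when DCE_IVS_IGR_DIR_DROP rose between snapshots and ping loss is high."""
    grew = increasing_counters(parse_drop_counters(before_text),
                               parse_drop_counters(after_text))
    _, _, loss = ping_loss(ping_text)
    return "DCE_IVS_IGR_DIR_DROP" in grew and loss >= loss_threshold


if __name__ == "__main__":
    grew = increasing_counters(parse_drop_counters(SNAPSHOT_1),
                               parse_drop_counters(SNAPSHOT_2))
    print("counters that increased:", grew)
    print("ping sent/received/loss%:", ping_loss(PING_OUTPUT))
    print("shaper drop suspected:", shaper_drop_suspected(SNAPSHOT_1, SNAPSHOT_2, PING_OUTPUT))
```

To use it on a real case, paste the two dce-eng-drop snapshots and the ping capture in place of the constructed strings; any counter that grows between snapshots is listed, so the script also surfaces drop counters other than DCE_IVS_IGR_DIR_DROP if a different engine is involved.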