FortiGate
kumarh
Staff
Article Id 279221
Description This article describes how to troubleshoot a FortiGate WAN interface that is flapping or intermittently losing connectivity.
Scope FortiGate.
Solution

Note:

WAN interface flapping may also be caused by a problem with the ISP modem rather than by the FortiGate itself, so the steps below check both sides of the link.

  1. Check the physical interface status of the WAN interface on the FortiGate. The following commands show the link state of the interface and its receive/transmit packet and drop counters (in this case, 'wan1'). Error or drop counters that increase while the interface flaps point to a physical-layer problem (cable, transceiver, port or modem):

diag hardware deviceinfo nic wan1
diagnose netlink interface list wan1
fnsysctl ifconfig wan1

 

  2. Run a continuous sniffer to check the traffic flow and confirm that packets are leaving and returning on wan1 (replace x.x.x.x with the ISP gateway or another host known to be reachable). Verbosity 4 prints the interface name and direction, a count of 0 captures until Ctrl-C, and 'l' adds local timestamps so gaps in the capture can be matched to the flaps:

diagnose sniffer packet wan1 'host x.x.x.x' 4 0 l

 

  3. Check whether the FortiGate has high CPU or memory usage. 'get sys perf stat' shows this.
  4. Check whether a link-monitor is configured incorrectly. A link-monitor whose probe fails can withdraw the static route on wan1 (when update-static-route is enabled) and make the WAN look as though it is flapping even though the link itself stays up. More details on this can be seen here: config system link-monitor | FortiGate / FortiOS 7.4.0 | Fortinet Document Library
  5. The link-monitor can also be used to tell whether the WAN going down is ISP-related: configure one link-monitor that pings the ISP gateway and another that pings an IP on the internet. If the internet probe fails while the probe to the ISP gateway keeps succeeding, the problem is most likely on the ISP side; if both fail at the same time, the problem is between the FortiGate and the modem.
  6. Check whether there is an ARP entry for the ISP modem by running: 'get sys arp | grep x.x.x.x'.
  7. If there is no entry, confirm that the modem is not answering ARP by running: 'diagnose sniffer packet wan1 'arp' 4 0 l'.
  8. Try to hardcode the speed and duplex on both the FortiGate and the modem so that auto-negotiation is taken out of the picture (both ends must be set to the same value; a mismatch causes exactly the kind of errors and link drops being troubleshot):

config system interface
    edit wan1
        set speed 100full
    next
end

Use '1000full' or 'auto' instead of '100full' as appropriate for the modem port.
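The two-probe approach from steps 4 and 5, written out as an added example (this is not configuration from the original article). It assumes the WAN interface is 'wan1', that the ISP gateway is 203.0.113.1 (a documentation address) and that 8.8.8.8 is used as the internet target; the link-monitor names are arbitrary. Both monitors keep update-static-route disabled so that the troubleshooting probes themselves cannot pull the default route and cause the very flapping described in step 4.

```fortios
# Added example, not from the original article. Assumptions: wan1 is the WAN
# interface, 203.0.113.1 is the ISP gateway, 8.8.8.8 is the internet target.
config system link-monitor
    # Probe 1: the ISP gateway, one hop away through the modem.
    edit "lm-isp-gw"
        set srcintf "wan1"
        set server "203.0.113.1"
        set protocol ping
        set gateway-ip 203.0.113.1
        set interval 500
        set failtime 5
        set recoverytime 5
        # Log only; never withdraw the static route while troubleshooting.
        set update-static-route disable
    next
    # Probe 2: a host beyond the ISP, sent via the same gateway.
    edit "lm-internet"
        set srcintf "wan1"
        set server "8.8.8.8"
        set protocol ping
        set gateway-ip 203.0.113.1
        set interval 500
        set failtime 5
        set recoverytime 5
        set update-static-route disable
    next
end
```

Check the result with 'diagnose sys link-monitor status': if 'lm-internet' reports dead while 'lm-isp-gw' stays alive, the fault is upstream of the modem; if both die at the same moment, look at the cable, port, speed/duplex setting and ARP behaviour between the FortiGate and the modem (steps 6 to 8).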

 

  9. Isolate the issue by connecting a PC directly to the WAN interface, assigning the PC an IP address in the same subnet as the WAN interface, and starting a constant ping between the PC and the FortiGate. If the interface still flaps with the modem out of the path, the problem is on the FortiGate side (port, cable or configuration); if it does not, the modem or the ISP link is the cause.
  10. In some network environments, VLAN (802.1Q) tagging is enabled on the upstream router provided by the ISP. This results in a VLAN mismatch if the FortiGate WAN interface is not configured for the same VLAN ID: the untagged physical interface comes up, but the tagged ISP traffic is never delivered to it. To determine whether tagged traffic is being received on the WAN interface, use the following diagnostic command:

diagnose sniffer packet wan1 '' 4 0 a

If the output shows a VLAN ID (e.g., 802.1Q vlan#X), configure a VLAN subinterface on the FortiGate with the corresponding VLAN ID so that the tagged traffic is handled correctly.
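The VLAN subinterface from step 10, as an added example (not configuration from the original article). It assumes the sniffer output showed 'vlan#100', that the parent interface is 'wan1', that the VDOM is 'root' and that the ISP hands out an address by DHCP; the subinterface name is arbitrary.

```fortios
# Added example, not from the original article. Assumptions: VLAN ID 100 was
# seen in the sniffer output, parent interface wan1, VDOM root, DHCP from ISP.
config system interface
    edit "wan1.100"
        set vdom "root"
        set mode dhcp
        set interface "wan1"
        set vlanid 100
        set allowaccess ping
    next
end
```

If the ISP assigns a static address instead, use 'set mode static' with 'set ip <address> <mask>' and point the default route at the ISP gateway through "wan1.100". After the change, the subinterface, not the parent wan1, carries the ISP traffic, so the link-monitor, the default route and the firewall policies must reference "wan1.100"; a link-monitor still bound to wan1 would keep failing and look like a flap.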

 

  11. If the issue persists, run an HQIP test as shown in Technical Tip: RMA Note - Hardware troubleshooting with built-in FortiOS hardware diagnostic command....