Description |
This article describes a known issue that can occur on FortiGates when available system memory is low. Because the issue is triggered by low available memory, it is more likely to occur on smaller FortiGate models, which have less memory (e.g. FortiGate-40F, 60F, etc.).
For reference, this issue is tracked as part of Known Issue #1025114. |
Scope | FortiOS v7.0, 7.2, 7.4 and 7.6. |
Solution |
Symptoms: The following are some general symptoms that are known to be related to this issue:
Example:
Example: Run Time: 66 days, 17 hours and 24 minutes
Additionally, some users have reported additional issues that are derived from the above symptoms:
Explanation: When the FortiGate's free/available memory is low, it's been observed that important data can become paged out to disk (i.e. there is not enough room in memory for everything being asked for, so the disk is used as an overflow/swap space to hold this excess data).
The problem is that this data is still being used by the process that needs it, but now the data must be accessed from the substantially slower disk storage rather than from system memory. While the process is waiting to access its data, it is placed in the D state (uninterruptible sleep) to indicate that it is waiting for the system to process the data. At the same time, iowait CPU usage increases to reflect the fact that processes are spending significant time waiting for I/O operations to complete before they can resume their work.
Ultimately, the root issue here is that of free memory. If the FortiGate's available free memory becomes too low then it can trigger this memory paging-to-disk behavior (which is necessary for the system to avoid crashing/freezing due to lack of memory), and that can lead to the symptoms described above.
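The correlation described above (high iowait, low free memory, and processes in the D state at the same time) can be checked against a saved `diagnose sys top` capture. The following is an added example, not Fortinet code: the sample output is constructed, the line layout is assumed to match `diagnose sys top`, and the function name and thresholds are hypothetical.

```python
import re

# Constructed sample in the assumed layout of `diagnose sys top` output
# (not captured from a real device).
SAMPLE = """\
Run Time:  66 days, 17 hours and 24 minutes
3U, 0N, 5S, 41I, 51WA, 0HI, 0SI, 0ST; 1917T, 152F
       ipsengine     1843      D       2.9     6.1
       ipsengine     1844      D       1.4     5.9
          httpsd      201      S       0.5     1.2
         miglogd      176      S       0.0     1.0
         cmdbsvr      142      R       0.3     2.4
"""

# Summary line: iowait share (WA), then total (T) and free (F) memory.
HEADER = re.compile(r"(\d+)WA,.*;\s*(\d+)T,\s*(\d+)F")
# Process line: name, pid, state (optional "<" or "N" priority flag), cpu%, mem%.
PROC = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z])\s*[<N]?\s+([\d.]+)\s+([\d.]+)\s*$")


def analyze_sys_top(text, iowait_min=20, free_pct_max=10.0):
    """Flag the paging pattern: high iowait + low free memory + D-state processes.

    The thresholds are illustrative assumptions, not Fortinet-documented values.
    """
    result = {"iowait": None, "free_pct": None, "d_state": []}
    for line in text.splitlines():
        header = HEADER.search(line)
        if header:
            iowait, total, free = map(int, header.groups())
            result["iowait"] = iowait
            result["free_pct"] = round(100.0 * free / total, 1)
            continue
        proc = PROC.match(line)
        if proc and proc.group(3) == "D":
            result["d_state"].append((proc.group(1), int(proc.group(2))))
    # Only the combination of all three signals matches the issue described here;
    # any one of them alone has other possible causes.
    result["paging_suspected"] = (
        result["iowait"] is not None
        and result["iowait"] >= iowait_min
        and result["free_pct"] <= free_pct_max
        and bool(result["d_state"])
    )
    return result


if __name__ == "__main__":
    print(analyze_sys_top(SAMPLE))
```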
Resolution: To be clear, the issues described above are triggered when the FortiGate has insufficient free memory. Resolving that issue would require either increasing system memory resources (an option for VMs but not for hardware FortiGates) or reducing memory usage to allow for more free buffer space.
With that being said, improvements are being made to better handle this situation. Notably, the IPS Engine will be updated as part of FortiOS 7.0.16, 7.2.11, 7.4.6, and 7.6.1 so that critical data is much less likely to be paged out from memory. This will help to prevent the IPS Engine from entering the D state during memory-constrained scenarios and should reduce/remove impacts to user traffic when the IPS Engine is scanning traffic (IPS, App Control, flow-based inspection policies, etc.).
Besides that, the general suggestion here is to try to reduce memory usage on smaller FortiGate models where possible. Refer to the following KB articles for further guidance on this matter: |
Copyright 2024 Fortinet, Inc. All Rights Reserved.