FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
athirat
Staff
Article Id 248435
Description

This article describes how to increase the memory buffer FortiGate uses to reassemble IP fragment packets, to avoid drops (visible as an increasing 'ReasmFails' counter) caused by exhausting that buffer in environments where a large number of fragments are expected to arrive on FortiGate.

 

Scope

FortiGate v7.0.8 and v7.2.4 onwards.

 

Solution

By default, FortiGate is set up with a 32 MB memory threshold for processing and reassembling IP fragments. When a large number of fragments arrive on FortiGate, this can lead to drops if that memory buffer is not sufficient.

'ReasmFails' increasing at a rapid rate could be suggestive of such drops:

 

diagnose snmp ip frags
ReasmTimeout = ## Timeout before reassembling packets (15s) ##
ReasmReqds = ## number of fragment packets received. FortiGate adds 1 to the counter for each fragment received; a packet split into 3 fragments adds 3 ##
ReasmFails = ## reassembly process failed for a fragmented packet ##

Note:
These counters can also be tracked with the following SNMP OIDs:
 

IP-MIB:ip.ipReasmTimeout 1.3.6.1.2.1.4.13
IP-MIB:ip.ipReasmReqds 1.3.6.1.2.1.4.14
IP-MIB:ip.ipReasmOKs 1.3.6.1.2.1.4.15
IP-MIB:ip.ipReasmFails 1.3.6.1.2.1.4.16

 

From v7.0.8 (on the 7.0 FortiOS line) and v7.2.4 (on the 7.2 FortiOS line), this memory buffer can be configured manually as below:

config system global
    set ip-fragment-mem-thresholds ? --> Enter an integer value from <32> to <2047> (default = <32>).
end

 

It is also possible to monitor how much memory the kernel is using to store IPv4 fragments, and how many fragments are currently held in the buffer, with the command below:

fnsysctl cat /proc/net/sockstat
sockets: used 1028
..
FRAG: inuse 6280 memory 23411840

Memory is measured in bytes.
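As an added example (not part of this Fortinet article and not Fortinet code), the small Python script below parses two samples of the 'diagnose snmp ip frags' output and the FRAG line of /proc/net/sockstat shown above, turns the ReasmFails counter into a per-second rate, and compares the fragment memory in use against the configured ip-fragment-mem-thresholds value. The sample outputs, the 10/s and 80% alerting limits, and the assumption that the threshold unit is MiB (1024*1024 bytes) are all constructed here; on a real device the text would be collected over the CLI or SSH and fed into the same functions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output, modelled on the 'diagnose snmp ip frags' and
# '/proc/net/sockstat' output shown in the article. The counter values are
# made up for illustration and are not from a real device.
SAMPLE_FRAGS_T0 = """\
ReasmTimeout = 15
ReasmReqds = 120000
ReasmFails = 10
"""
SAMPLE_FRAGS_T1 = """\
ReasmTimeout = 15
ReasmReqds = 180000
ReasmFails = 6010
"""
SAMPLE_SOCKSTAT = """\
sockets: used 1028
TCP: inuse 12 orphan 0 tw 3 alloc 20 mem 4
UDP: inuse 8 mem 2
FRAG: inuse 6280 memory 23411840
"""

# Default value of ip-fragment-mem-thresholds from the article. Treating the
# unit as MiB (1024*1024 bytes) is an assumption made here for the maths.
DEFAULT_THRESHOLD_MB = 32
BYTES_PER_MB = 1024 * 1024


def parse_ip_frags(text: str) -> Dict[str, int]:
    """Extract the Reasm* counters from 'diagnose snmp ip frags' output."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Reasm\w+)\s*=\s*(\d+)", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def parse_frag_sockstat(text: str) -> Dict[str, int]:
    """Extract the FRAG line (fragments in use, bytes used) from /proc/net/sockstat."""
    for line in text.splitlines():
        m = re.match(r"\s*FRAG:\s+inuse\s+(\d+)\s+memory\s+(\d+)", line)
        if m:
            return {"inuse": int(m.group(1)), "memory": int(m.group(2))}
    raise ValueError("no FRAG line found in sockstat output")


def reasm_fail_rate(before: Dict[str, int], after: Dict[str, int],
                    interval_s: float) -> Optional[float]:
    """ReasmFails per second between two samples; None if the counter went backwards."""
    delta = after["ReasmFails"] - before["ReasmFails"]
    if delta < 0 or interval_s <= 0:
        return None  # counter reset (e.g. reboot) or bad interval: sample again
    return delta / interval_s


def frag_mem_utilisation(frag: Dict[str, int], threshold_mb: int) -> float:
    """Fraction of the configured fragment buffer currently in use."""
    return frag["memory"] / (threshold_mb * BYTES_PER_MB)


def assess(before: Dict[str, int], after: Dict[str, int], frag: Dict[str, int],
           interval_s: float, threshold_mb: int = DEFAULT_THRESHOLD_MB,
           fail_rate_limit: float = 10.0, mem_limit: float = 0.8) -> List[str]:
    """Return human-readable findings; an empty list means nothing to act on."""
    findings: List[str] = []
    rate = reasm_fail_rate(before, after, interval_s)
    if rate is None:
        findings.append("ReasmFails counter went backwards; take a fresh pair of samples")
    elif rate > fail_rate_limit:
        findings.append(f"ReasmFails rising at {rate:.1f}/s (limit {fail_rate_limit}/s)")
    util = frag_mem_utilisation(frag, threshold_mb)
    if util >= mem_limit:
        findings.append(f"fragment buffer at {util:.0%} of the {threshold_mb} MB threshold")
    return findings


if __name__ == "__main__":
    t0 = parse_ip_frags(SAMPLE_FRAGS_T0)
    t1 = parse_ip_frags(SAMPLE_FRAGS_T1)
    frag = parse_frag_sockstat(SAMPLE_SOCKSTAT)
    for finding in assess(t0, t1, frag, interval_s=60):
        print(finding)
```

With the constructed samples taken 60 seconds apart, the script reports ReasmFails climbing at 100/s while the buffer sits at roughly 70% of the 32 MB default, which is the combination where raising ip-fragment-mem-thresholds is worth trying before the other measures below; a counter that goes backwards is reported rather than treated as a negative rate.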

 

Apart from raising the threshold, the methods below can be considered as controlled measures in situations where fragment memory still runs out after the threshold has been adjusted.

  • For IPsec, consider using pre-encapsulation fragmentation, so that packets are fragmented before they are encapsulated in the tunnel:

config vpn ipsec phase1-interface
    edit <name>
        set ip-fragmentation pre-encapsulation
    next
end

  • If needed, consider disabling the honoring of DF bits:

config system global
    set honor-df disable
end