FortiGate
athirat (Staff)
Article Id 248435
Description

This article describes how to increase the memory buffer used for processing IP fragment packets on FortiGate, to avoid drops (seen as a rising 'ReasmFails' counter) when that buffer fills up in environments where a large number of fragments are expected to arrive on the FortiGate.

Scope

FortiGate v7.0.8 and v7.2.4 onwards.

Solution

By default, FortiGate is configured with a 32M memory threshold for processing and re-assembling IP fragments. If a large number of fragments arrive on the FortiGate, fragments are dropped once this memory buffer is exhausted.

A 'ReasmFails' counter that increases at a rapid rate is a strong indicator of such drops:

# diagnose snmp ip frags
ReasmTimeout = ## timeout before a partially reassembled packet is discarded (15s) ##
ReasmReqds = ## number of fragment packets received ##
ReasmFails = ## number of fragmented packets whose reassembly failed ##

From v7.0.8 (on the 7.0 FortiOS line) and v7.2.4 (on the 7.2 FortiOS line), this memory buffer can be configured manually as shown below. The accepted range is shown by the CLI help output:

# config sys global
    set ip-fragment-mem-thresholds ?
Enter an integer value from <32> to <2047> (default = <32>).
end
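The two steps above (watching 'ReasmFails' grow, then raising 'ip-fragment-mem-thresholds' within the 32 to 2047 range) lend themselves to a small monitoring helper. The following Python script is an added example, not Fortinet code and not from this article: it parses two samples of 'diagnose snmp ip frags' output taken one polling interval apart, computes the rate at which reassembly failures are growing and the share of received fragments that failed, and, when the rate crosses an operator-chosen alert level, emits the CLI commands to raise the threshold with the value clamped to the accepted range. The sample counter values, the 'Counter = value' output shape, the 'ReasmOKs' counter, the 60-second interval and the 10 failures/second alert level are all constructed assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed samples in the 'Name = value' shape of 'diagnose snmp ip frags',
# taken one polling interval apart; not output from a real FortiGate.
SAMPLE_T0 = """ReasmTimeout = 30
ReasmReqds = 120000
ReasmOKs = 119500
ReasmFails = 500
"""
SAMPLE_T1 = """ReasmTimeout = 30
ReasmReqds = 180000
ReasmOKs = 174500
ReasmFails = 5500
"""

# Range accepted by 'set ip-fragment-mem-thresholds' (FortiOS 7.0.8 / 7.2.4 onwards).
MEM_THRESHOLD_MIN = 32
MEM_THRESHOLD_MAX = 2047


def parse_ip_frags(output: str) -> Dict[str, int]:
    """Parse 'Counter = value' lines into a dict; lines that do not match are ignored."""
    counters: Dict[str, int] = {}
    for line in output.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_delta(before: Dict[str, int], after: Dict[str, int], name: str) -> int:
    """Difference of one cumulative counter between two samples; it must not decrease."""
    delta = after[name] - before[name]
    if delta < 0:
        raise ValueError(f"{name} decreased between samples (counter reset?)")
    return delta


def reasm_fail_rate(before: Dict[str, int], after: Dict[str, int], interval_s: float) -> float:
    """ReasmFails per second over the interval between the two samples."""
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    return counter_delta(before, after, "ReasmFails") / interval_s


def reasm_fail_ratio(before: Dict[str, int], after: Dict[str, int]) -> float:
    """Fraction of the fragments received in the interval whose reassembly failed."""
    reqds = counter_delta(before, after, "ReasmReqds")
    fails = counter_delta(before, after, "ReasmFails")
    return fails / reqds if reqds else 0.0


def clamp_threshold(value_mb: int) -> int:
    """Keep a proposed threshold inside the range the CLI accepts."""
    return max(MEM_THRESHOLD_MIN, min(MEM_THRESHOLD_MAX, int(value_mb)))


def config_commands(value_mb: int) -> List[str]:
    """CLI lines that set the fragment memory threshold, value clamped to the valid range."""
    return [
        "config system global",
        f"    set ip-fragment-mem-thresholds {clamp_threshold(value_mb)}",
        "end",
    ]


def assess(before: Dict[str, int], after: Dict[str, int], interval_s: float,
           proposed_mb: int, fails_per_s_alert: float = 10.0) -> dict:
    """Flag a rapid rise in ReasmFails and, if flagged, return the commands to raise the threshold.

    The alert level (failures per second) is an assumed operator-chosen value, not a Fortinet figure.
    """
    rate = reasm_fail_rate(before, after, interval_s)
    ratio = reasm_fail_ratio(before, after)
    alert = rate >= fails_per_s_alert
    return {
        "fails_per_s": rate,
        "fail_ratio": ratio,
        "alert": alert,
        "commands": config_commands(proposed_mb) if alert else [],
    }


if __name__ == "__main__":
    t0 = parse_ip_frags(SAMPLE_T0)
    t1 = parse_ip_frags(SAMPLE_T1)
    result = assess(t0, t1, interval_s=60, proposed_mb=256)
    print(f"ReasmFails: {result['fails_per_s']:.1f}/s, "
          f"{result['fail_ratio']:.1%} of fragments failed reassembly")
    for line in result["commands"]:
        print(line)
```

Comparing the failure delta against the 'ReasmReqds' delta, rather than looking at 'ReasmFails' alone, separates a genuine buffer-exhaustion problem from a busy device that simply sees many fragments; the clamp guarantees the generated command never falls outside the range the CLI help output reports.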