maulishshah
Staff
Article Id 383163
Description: This article describes the steps to follow when traffic intermittently stops flowing through the firewall.
Scope: FortiGate.
Solution

Verify what kind of traffic is dropping: check whether it is internal or external.

If internal traffic is being dropped, make sure the FortiGate can reach the affected device; if the FortiGate cannot reach it, investigate the next hop in the path.

If external traffic is being dropped, follow these steps to identify the cause.

 

Step 1: Verify whether the FortiGate has internet access by pinging the gateway of the WAN interface and an external IP.

  • Access the FortiGate CLI.
  • Use the command: 'execute ping 8.8.8.8'.
  • If it receives replies, the FortiGate can reach the internet.

 

If the ping fails, follow Step 2; if it succeeds, move on to Step 3.

Step 2: If there are no replies, the FortiGate may be missing the ARP entry for the WAN gateway. If the ARP entry is present, the issue is either at the ISP end or a wrong gateway is configured on the firewall: Troubleshooting Tip: Internet connectivity issue resolution on a FortiGate unit

 

If the issue is intermittent and it is not possible to capture this information while it is happening, more information can be gathered by setting up a link-monitor, or a Performance SLA if SD-WAN is in use.
Either method makes the FortiGate ping a chosen destination and write a log message when the ping fails.

When troubleshooting an internal connection this way, ping the directly connected switch and a device behind that switch, to confirm that the link between the FortiGate and the switch is stable.
If the ping to the switch succeeds but the ping to the device fails, the problem is most likely with that device or the switch.

When troubleshooting an external connection this way, create a link-monitor or Performance SLA for both the ISP gateway and a destination on the internet, such as Google DNS.

If the ping to the ISP gateway succeeds but the ping to the internet destination fails, the problem is most likely on the ISP side.


Here is how to set this up when not using SD-WAN (link-monitor):
Technical Tip: Link-Monitor Explained - Fortinet Community

Here is how to set this up when using SD-WAN (Performance SLA):
Performance SLA | FortiGate / FortiOS 7.6.2 | Fortinet Document Library

 

Step 3: If the FortiGate has internet access, verify the packet flow by collecting the debug logs and confirm that the traffic leaves through the correct interface and matches the correct policy: How to collect debug to confirm traffic flow

Note:

Make sure the traffic originates from the source machine behind the firewall while the debug is running, and that the destination is defined in the debug filter.

 

Step 4: If the firewall allows the traffic on the correct interface and policy, collect the session table for the source and destination.

Here are the commands to confirm:

diagnose sys session filter clear
diagnose sys session filter src x.x.x.x
diagnose sys session filter dst y.y.y.y
diagnose sys session list

 

After this, confirm whether any traffic shaping is applied to the session, and follow Step 5 to confirm whether the traffic is being dropped by the traffic shaper.
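To make the Step 4 output easier to review, the following added example (not from this article or from Fortinet) parses a constructed, abbreviated `diagnose sys session list` dump and flags the sessions that carry a shaper, which are the ones Step 5 examines; it also lists sessions that sent packets but received no reply, a hint to re-check the egress path. The line layout follows the usual session entry format, and the addresses, shaper names and counters are made up.

```python
import re

# Constructed, abbreviated sample of `diagnose sys session list` output (not a
# capture from a real unit); only the lines the parser reads are kept, in the
# usual FortiOS session entry layout. Addresses and shaper names are made up.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=42 expire=3558 timeout=3600
origin-shaper=limit-2mbps prio=2 private=0
reply-shaper=limit-2mbps prio=2 private=0
per_ip_shaper=
statistic(bytes/packets/allow_err): org=61212/118/1 reply=97850/96/1 tuples=2
hook=post dir=org act=snat 192.168.1.10:51024->198.51.100.20:443(203.0.113.5:51024)
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0

session info: proto=17 proto_state=01 duration=3 expire=177 timeout=180
origin-shaper=
reply-shaper=
per_ip_shaper=
statistic(bytes/packets/allow_err): org=120/2/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 192.168.1.10:40001->8.8.8.8:53(203.0.113.5:40001)
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

def parse_sessions(text):
    """One dict per session entry: original src/dst, policy, shapers, packet counters."""
    sessions = []
    for block in re.split(r"\n(?=session info:)", text.strip()):
        s = dict.fromkeys(("origin_shaper", "reply_shaper", "per_ip_shaper"), "")
        for line in block.splitlines():
            # Shaper lines: an empty value after '=' means no shaper is attached.
            if m := re.match(r"(origin-shaper|reply-shaper|per_ip_shaper)=(\S*)", line):
                s[m.group(1).replace("-", "_")] = m.group(2)
            # Original-direction tuple before NAT: "src:port->dst:port(natted)".
            elif m := re.match(r"hook=post dir=org act=\S+ (\S+?)->([^(\s]+)", line):
                s["src"], s["dst"] = m.groups()
            elif m := re.search(r"org=\d+/(\d+)/\d+ reply=\d+/(\d+)/\d+", line):
                s["org_pkts"], s["reply_pkts"] = int(m.group(1)), int(m.group(2))
            elif m := re.search(r"\bpolicy_id=(\d+)", line):
                s["policy_id"] = int(m.group(1))
        sessions.append(s)
    return sessions

def shaped_sessions(sessions):
    """Sessions with any shaper attached: the ones to check for shaper drops in Step 5."""
    return [s for s in sessions if s["origin_shaper"] or s["reply_shaper"] or s["per_ip_shaper"]]

def one_way_sessions(sessions):
    """Sessions that sent packets but received none: re-check egress interface and route."""
    return [s for s in sessions if s.get("org_pkts", 0) > 0 and s.get("reply_pkts", 0) == 0]
```

Paste the real `diagnose sys session list` output in place of `SAMPLE` to run the same check against a live capture.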

 

The following is an example: Troubleshooting Tip: Traffic shaping

 

Step 5: If traffic shaping is configured, see Technical Tip: Important Changes to Traffic Shaping on FortiGate with NP7 Queuing-Based Traffic Mana...

 

Troubleshooting: Troubleshooting Tip: How to check packet drop by traffic shaper in NP6, NP6xlite and NP6lite unit

 

Step 6: Remove the traffic shaping. If traffic then starts working, this confirms that the behavior matches what is described in the article above. Apply the changes mentioned in that article.

Step 7: If a DoS policy is configured, verify whether it is causing the issue. Troubleshooting: Technical Tip: Identifying packet drops caused by DOS Policy

 

If all of the above steps fail to determine the issue, collect all necessary logs mentioned in the above articles and create a case with TAC for further troubleshooting.