pmanak
Staff
Article Id 329879
Description This article describes how to troubleshoot low throughput when traffic goes from a 10 Gig interface to a 1 Gig interface.
Scope FortiGate.
Solution

When traffic passes through the FortiGate firewall from a 10 Gig interface to a 1 Gig interface, performance is reduced for TCP and IP tunnel traffic. This is caused by NP6 internal packet buffer limitations: the NP6 starts dropping packets, which results in low throughput or speed issues.

To troubleshoot this issue, follow the steps below:

  • First, confirm whether the speed issue occurs in both directions or in only one. If it occurs in both directions, the cause is something other than NP6 buffer overflow, because the 10 Gig to 1 Gig issue is one-way: it appears when traffic goes from the 10 Gig interface to the 1 Gig interface, not the other way around.
  • Run the command fnsysctl cat /proc/net/np6_0/gige-stats multiple times. If drops are happening due to NP6 buffer overflow, the TX_XPX_QFULL counter will increase between runs.

fnsysctl cat /proc/net/np6_0/gige-stats

Counters        port1|GIGE13    port2|GIGE12    port3|GIGE15    port4|GIGE14
--------------- --------------- --------------- --------------- ---------------
RX_BCAST        117911086       54763           0               2523089
RX_MCAST        8088626         3796404         0               3583795
RX_UCAST        55665209423     96261650031     0               20620645319
RX_PAUSEFRM     0               0               0               0
RX_UNDERSIZE    0               0               0               0
RX_OVERSIZEP    0               0               0               0
RX_FRAG         0               0               0               0
RX_JAB          0               0               0               0
RX_FCS          0               0               0               0
RX_WFULL        0               0               0               0
RX_GOODOCTET    29435163197753  112337104297119 0               9635743168321
RX_OCTET        29435163197753  112337104297119 0               9635743168321
--------------- --------------- --------------- --------------- ---------------
TX_BCAST        1183256         205             0               36244
TX_MCAST        0               880915          0               594670
TX_UCAST        88854596759     60901933775     0               30373481385
TX_COL          0               0               0               0
TX_LATECOL      0               0               0               0
TX_EXCESSCOL    0               0               0               0
TX_UNDERRUN     0               0               0               0
TX_XPX_QFULL    138541108       4332260         0               58532
TX_GOODOCTET    98534854623400  28965451430488  0               34584155388673
TX_OCTET        98534854623400  28965451430488  0               34584155388673

  • Once packet loss is confirmed, run the command below to stop offloading TCP packets from the 10 Gig to the 1 Gig interface:

config system npu
    set host-shortcut-mode host-shortcut
end

  • In most cases, the above command resolves the issue. However, in certain scenarios or traffic conditions, traffic drops are still observed.
    In that case, it is necessary to forward traffic from a 10 Gig interface to a 10 Gig interface. If the FortiGate model does not have any 10 Gig interface available, it is necessary to configure VLANs under a specific 10 Gig interface and use those VLAN interfaces as WAN and LAN.

There is a misconception that this behavior does not apply when the amount of traffic going through the 10 Gig interface is less than 1 Gig. However, when a packet enters the 10 Gig interface, it is processed at a 10 Gig rate, so the traffic would still hit the NP6 buffer limitation.
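
The counter check from the second step can be run against saved CLI output instead of comparing runs by eye. The following is an added example, not part of the original article and not Fortinet tooling; the function names and the sample captures are constructed for illustration, and it assumes each capture holds the text of one run of the command.

```python
# Added example (not Fortinet code): diff two saved captures of
# "fnsysctl cat /proc/net/np6_0/gige-stats" and report the ports whose
# TX_XPX_QFULL counter grew between them.

def parse_gige_stats(text):
    """Return {port_label: {counter_name: int}} for one capture."""
    ports, stats = [], {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or set(fields[0]) == {"-"}:
            continue  # blank line or "-----" separator row
        if fields[0] == "Counters":
            ports = fields[1:]  # header row, e.g. "port1|GIGE13"
            for port in ports:
                stats.setdefault(port, {})
        elif (ports and len(fields) == len(ports) + 1
              and all(v.isdigit() for v in fields[1:])):
            for port, value in zip(ports, fields[1:]):
                stats[port][fields[0]] = int(value)
    return stats

def qfull_growth(before, after, counter="TX_XPX_QFULL"):
    """Return {port_label: increase} for ports where the counter rose."""
    old, new = parse_gige_stats(before), parse_gige_stats(after)
    growth = {}
    for port, counters in new.items():
        if counter in counters and counter in old.get(port, {}):
            delta = counters[counter] - old[port][counter]
            if delta > 0:
                growth[port] = delta
    return growth

# Constructed sample captures: three ports, two counter rows, made-up deltas.
SAMPLE_BEFORE = """\
Counters        port1|GIGE13    port2|GIGE12    port3|GIGE15
--------------- --------------- --------------- ---------------
TX_UCAST        88854596759     60901933775     0
TX_XPX_QFULL    138541108       4332260         0
"""
SAMPLE_AFTER = """\
Counters        port1|GIGE13    port2|GIGE12    port3|GIGE15
--------------- --------------- --------------- ---------------
TX_UCAST        88854700000     60901940000     0
TX_XPX_QFULL    138549300       4332260         0
"""

if __name__ == "__main__":
    for port, delta in qfull_growth(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"{port}: TX_XPX_QFULL increased by {delta}")
```

A port that appears in the result while traffic is flowing toward it from a 10 Gig interface matches the one-way drop pattern described in the first step; a counter that went down between captures (for example after a reboot) is ignored rather than reported.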