Article Id 274637
Description This article discusses a specific packet loss condition triggered when the CPUs of a device are not able to process the volume of incoming traffic from the network adapter (NPU: Network Processor Unit).
Scope NP7 versus NP6.

When this happens, the CPU will reach a very high percentage in the softirq category as printed below:


get system performance status
CPUx states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 90% softirq


However, this command displays only the real-time status of the CPUs, so a transient condition might no longer be visible by the time the command is run.

Persistent evidence that this condition was triggered is gathered by looking at some counters inside the NPs.


For NP6-based devices, this information is stored in the counters returned by the following command:

diag npu np6 dce x (x being the NP identifier)
PDQ_OSW_HRX1 :0000000021737063 PDQ_OSW_HRX0 :0000000022951677


For NP7-based devices, there are two ways to get this information:

diag npu np7 dce-drop-all all

Search for the <DSW drop counters> section or use:

diag npu np7 dsw-drop-all all

<DSW drop counters>
SSE0 -> HRX 2895874639
SSE1 -> HRX 3008246856
SSE2 -> HRX 2952770306
SSE3 -> HRX 2930790221


Among the various counters printed, if the above counters are incrementing, this is an indication that the device is matching this packet loss condition.
These commands are to be used and interpreted with the assistance of a Fortinet technical engineer.
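
The following is an added example, not part of the original article or any Fortinet tooling: a Python script that compares two saved captures of the commands above and reports which HRX drop counters increased between them. The function names and the second capture's values are constructed for illustration, and counter values are assumed to be decimal.

```python
import re

# Counter lines as they appear in the article's sample output:
#   NP7: "SSE0 -> HRX 2895874639"
#   NP6: "PDQ_OSW_HRX1 :0000000021737063 PDQ_OSW_HRX0 :0000000022951677"
NP7_RE = re.compile(r"\b(SSE\d+)\s*->\s*HRX\s+(\d+)")
NP6_RE = re.compile(r"\b(PDQ_OSW_HRX\d+)\s*:\s*(\d+)")

def parse_hrx_counters(text):
    """Return {counter_name: value} for the HRX drop counters in one capture."""
    counters = {}
    for name, value in NP7_RE.findall(text):
        counters[f"{name}->HRX"] = int(value)  # assumption: decimal values
    for name, value in NP6_RE.findall(text):
        counters[name] = int(value)            # leading zeros are ignored
    return counters

def hrx_deltas(before, after):
    """Compare two captures; return {name: increase} for counters that grew."""
    old, new = parse_hrx_counters(before), parse_hrx_counters(after)
    return {name: value - old[name]
            for name, value in new.items()
            if name in old and value > old[name]}

# First capture: the values shown in the article.
CAPTURE_1 = """<DSW drop counters>
SSE0 -> HRX 2895874639
SSE1 -> HRX 3008246856
SSE2 -> HRX 2952770306
SSE3 -> HRX 2930790221
"""

# Second capture: constructed values, taken some time later.
CAPTURE_2 = """<DSW drop counters>
SSE0 -> HRX 2895874639
SSE1 -> HRX 3008247000
SSE2 -> HRX 2952770306
SSE3 -> HRX 2930795221
"""

if __name__ == "__main__":
    grew = hrx_deltas(CAPTURE_1, CAPTURE_2)
    if not grew:
        print("No HRX drop counter increased between the two captures.")
    for name, delta in sorted(grew.items()):
        print(f"{name}: +{delta} drops between captures")
```

Save the command output to text twice, some time apart, and pass both captures to `hrx_deltas`; the same function accepts NP6 `dce` output.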