FortiGate
ddabhade
Staff
Description This article explains why the interface TX/RX counters are wrong for an EMAC VLAN interface configured on a VLAN interface on NP6/NP6XLite platforms.
Scope FortiGate.
Solution

By design, FortiOS does not support TX/RX counters for an EMAC VLAN interface on NP6/NP6XLite platforms when the EMAC VLAN interface is configured on a 'VLAN' interface. The TX/RX statistics it shows do not match the actual traffic.

 

Refer to the sample configuration below:

 

# config system interface
    edit "EMAC_VLAN_Intetface"
        set vdom "root"
        set ip x.x.x.x x.x.x.x
        set type emac-vlan <----------
        set interface "VLAN_100" <-------- 
    next
    edit "VLAN_100"
        set vdom "root"
        set interface "portx/LACP"
        set vlanid 100 <- it could be any VLAN id.
    next
end

 

After traffic is initiated, the EMAC VLAN interface shows statistics that do not match the traffic actually sent.

 

FGT # fnsysctl ifconfig EMAC_VLAN_Intetface
EMAC_VLAN_Intetface Link encap:Ethernet HWaddr 0:A00:00:00:00:00
        inet addr:x.x.x.x Bcast:x.x.x.x Mask:x.x.x.x
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
        RX packets:262 errors:0 dropped:0 overruns:0 frame:0 <- Shows a lower value.
        TX packets:127 errors:0 dropped:0 overruns:0 carrier:0 <- Shows a lower value.
        collisions:0 txqueuelen:0
        RX bytes:15849 (15.5 KB) TX bytes:7498 (7.3 KB)

FGT # fnsysctl ifconfig VLAN_100
VLAN_100 Link encap:Ethernet HWaddr E8:1C:BA:EF:AA:AA
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
        RX packets:159220 errors:0 dropped:0 overruns:0 frame:0 <- Shows a higher value.
        TX packets:260834 errors:0 dropped:0 overruns:0 carrier:0 <- Shows a higher value.
        collisions:0 txqueuelen:0
        RX bytes:13562384 (12.9 MB) TX bytes:387906579 (369.9 MB)

 

As a workaround, disable auto-asic-offload on the firewall policy to get the exact TX/RX counters in the CLI and GUI. Sessions matching that policy are then no longer offloaded to the NP6/NP6XLite processor.

 

# config firewall policy
    edit <id>
        set auto-asic-offload disable
end
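
To find interfaces that match the condition described above in a configuration backup, the following added example (not part of the original article and not Fortinet code) parses the 'config system interface' table and lists every EMAC VLAN interface whose parent is a VLAN interface. The sample configuration is constructed, and treating a parent as a VLAN interface when it has 'set vlanid' is an assumption based on the sample config in this article.

```python
import re

# Constructed sample modelled on the article's config; "EMAC_on_port" is an added control case.
SAMPLE_CONFIG = """
config system interface
    edit "EMAC_VLAN_Intetface"
        set type emac-vlan
        set interface "VLAN_100"
    next
    edit "VLAN_100"
        set interface "port1"
        set vlanid 100
    next
    edit "EMAC_on_port"
        set type emac-vlan
        set interface "port2"
    next
end
"""

def parse_interfaces(config_text):
    """Return {interface name: {setting: value}} from 'config system interface'."""
    interfaces, current, in_block, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip().lstrip("# ")  # also drops a pasted CLI prompt marker
        if not in_block:
            in_block = line == "config system interface"
        elif line.startswith("config "):
            depth += 1  # nested table (e.g. ipv6): its contents are skipped
        elif line == "end":
            if depth == 0:
                break  # end of the interface table
            depth -= 1
        elif depth == 0 and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = interfaces.setdefault(m.group(1), {})
        elif depth == 0 and line.startswith("set ") and current is not None:
            _, key, *value = line.split(None, 2)
            current[key] = value[0].strip('"') if value else ""
    return interfaces

def affected_emac_vlans(interfaces):
    """List (emac_vlan, parent) pairs where the parent is itself a VLAN interface.
    Assumption: a parent counts as a VLAN interface when it has 'set vlanid'."""
    return [(name, cfg["interface"]) for name, cfg in interfaces.items()
            if cfg.get("type") == "emac-vlan"
            and "vlanid" in interfaces.get(cfg.get("interface"), {})]

if __name__ == "__main__":
    for emac, parent in affected_emac_vlans(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{emac}: TX/RX counters unreliable (EMAC VLAN on VLAN {parent})")
```

An EMAC VLAN interface configured directly on a physical port, such as the constructed "EMAC_on_port", is not reported because it does not match the configuration this article describes.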