FortiGate
ssanga
Staff
Article Id 358793
Description

This article describes an issue where the 'fgtlogd' daemon utilizes high memory, causing the FortiGate to enter Memory Conserve Mode. The issue is triggered when the connectivity between the FortiGate and FortiAnalyzer is unstable (flapping).

Scope

FortiGate v7.2.8, v7.4.1, v7.4.2, v7.4.3, v7.4.4.

Solution

A gradual increase in memory usage by the 'fgtlogd' daemon has been observed on FortiGate devices running the above-mentioned versions.

Below are examples of memory usage at different timestamps:

 

Sat Mar 30 18:06:44 GMT 2024:

 

# get system performance status
Memory: 1964180k total, 882068k used (44.9%), 939808k free (47.8%), 142304k freeable (7.3%)

# diagnose sys top 1 20 20
Run Time: 0 days, 17 hours and 31 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1918T, 917F
fgtlogd 174 S 0.0 6.7 2  

# diagnose sys top-mem 20
fgtlogd (174): 118238kB

Tue Apr 2 15:06:32 GMT 2024:

 

# get system performance status
Memory: 1964180k total, 1289960k used (65.7%), 460236k free (23.4%), 213984k freeable (10.9%)

# diagnose sys top 1 20 20
Run Time: 3 days, 14 hours and 31 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1918T, 449F
fgtlogd 174 S 0.0 25.3 1

# diagnose sys top-mem 20
fgtlogd (174): 484459kB

The gradual increase in memory usage occurs when connectivity between the FortiGate and FortiAnalyzer keeps flapping.

The following logs from the System Events and 'fgtlogd' debugs show connectivity issues between the FortiGate and FortiAnalyzer.


System Events:


time=06:42:28 id=7373905857316127276 itime="2024-05-28 12:40:47" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702081639 logid=0100022901 type=event subtype=system level=notice action=connect msg="Connected to FortiAnalyzer 173.19.1.171" logdesc="FortiAnalyzer connection up" status=success eventtime=1716849748613732920 tz=+0800 devid=FGR60FTK***** vd=root dtime="2024-05-28 06:42:28" itime_t=1716871247 devname=FGR60F

time=06:42:28 id=7373905827251357952 itime="2024-05-28 12:40:40" euid=3 epid=3 dsteuid=3 dstepid=3 logver=702081639 logid=0100022902 type=event subtype=system level=notice action=disconnect msg="Disconnected from FortiAnalyzer 173.19.1.171" logdesc="FortiAnalyzer connection down" status=success reason="connection close" eventtime=1716849748179077360 tz=+0800 devid=FGR60FTK***** vd=root dtime="2024-05-28 06:42:28" itime_t=1716871240 devname=FGR60F

Debugs:


diagnose debug application fgtlogd -1
diagnose debug console timestamp enable
diagnose debug enable

# 2024-11-05 11:50:36 <275> _build_keep_alive_usage_pkt()-832: Pushed keepalive packet to queue for global-faz.
2024-11-05 11:50:36 <275> _send_queue_item()-565: type=11, cat=0, logcount=0, len=0
2024-11-05 11:50:36 <275> __on_pkt_recv()-1619: dev=global-faz type=11 pkt_len=21
2024-11-05 11:50:36 <275> __on_pkt_recv()-1619: opt=52, opt_len=9
2024-11-05 11:50:37 <275> fgtlog_faz_stop_conn()-970: faz:X.X.X.X connection close. reason:SD-WAN rule is changed.
(or)
<211> _check_oftp_certificate()-455: checking sn:FAZ-VMTM21005609 vs cert sn:FAZ-VMTMXXXXXX
<211> _check_oftp_certificate()-463: The certificate CN (FAZ-VMTMXXXXXX) doesn't match the Serial numbers sent by X.X.X.X
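
Both symptoms above can be confirmed offline from saved CLI output and exported event logs. The Python below is an added example, not Fortinet code: it computes the 'fgtlogd' growth rate from two 'diagnose sys top-mem' samples and counts FortiAnalyzer down/up flaps by log ID. The function names and the 60-second flap window are assumptions; the sample input is trimmed from the output shown in this article.

```python
import re
import shlex
from datetime import datetime

# Sample input copied (and trimmed) from the outputs shown in this article.
TOP_MEM = [("Sat Mar 30 18:06:44 GMT 2024", "fgtlogd (174): 118238kB"),
           ("Tue Apr 2 15:06:32 GMT 2024", "fgtlogd (174): 484459kB")]
EVENTS = [
    'logid=0100022901 action=connect msg="Connected to FortiAnalyzer 173.19.1.171" '
    'eventtime=1716849748613732920',
    'logid=0100022902 action=disconnect msg="Disconnected from FortiAnalyzer 173.19.1.171" '
    'reason="connection close" eventtime=1716849748179077360',
]
FAZ_UP, FAZ_DOWN = "0100022901", "0100022902"  # log IDs as shown in the events above


def growth_kb_per_hour(samples, proc="fgtlogd"):
    """Growth rate between first and last sample, or None if the PID changed
    (a restarted daemon starts from a fresh heap, so the delta is meaningless)."""
    points = []
    for stamp, line in samples:
        m = re.match(rf"{re.escape(proc)} \((\d+)\): (\d+)kB", line.strip())
        if m:
            when = datetime.strptime(stamp, "%a %b %d %H:%M:%S GMT %Y")
            points.append((when, int(m.group(1)), int(m.group(2))))
    if len(points) < 2 or points[0][1] != points[-1][1]:
        return None
    hours = (points[-1][0] - points[0][0]).total_seconds() / 3600
    return (points[-1][2] - points[0][2]) / hours if hours > 0 else None


def count_flaps(lines, window_s=60):
    """Count FortiAnalyzer down->up transitions that complete within window_s."""
    events = []
    for line in lines:
        kv = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
        if kv.get("logid") in (FAZ_UP, FAZ_DOWN):
            events.append((int(kv["eventtime"]), kv["logid"]))
    events.sort()  # eventtime is in nanoseconds
    flaps, down_at = 0, None
    for ts, logid in events:
        if logid == FAZ_DOWN:
            down_at = ts
        elif down_at is not None:
            flaps += ts - down_at <= window_s * 1e9
            down_at = None
    return flaps


if __name__ == "__main__":
    print(f"fgtlogd growth: {growth_kb_per_hour(TOP_MEM):.0f} kB/hour")
    print(f"FortiAnalyzer flaps: {count_flaps(EVENTS)}")
```

A steady positive rate under an unchanged PID, together with a non-zero flap count over the same period, matches the pattern described in this article.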

This issue has been resolved in v7.2.9, v7.4.5, and v7.6.0.

Workaround:
Use an automation stitch or manually kill the daemon using the command 'fnsysctl killall fgtlogd' until the root cause of the disconnection between the FortiGate and FortiAnalyzer is identified and fixed.
