Created on 09-16-2024 12:23 AM Edited on 11-04-2024 06:25 AM By Jean-Philippe_P
This article describes how to troubleshoot a slowness issue caused by packet drops on FortiGate firewalls built on NP6 models without an ISF (Integrated Switch Fabric).
Only NP6 models without an ISF are affected.
The symptom is slowness for traffic flowing from a 10G interface to a 1G interface. A sniffer trace on the FortiGate shows TCP retransmissions, and the segments that are later retransmitted are seen leaving the FortiGate in the trace, so the loss happens after the point where the sniffer captures. 'diagnose npu np6 dce' reports no NPU drops, yet an independent capture (for example a SPAN session on the downstream switch) confirms that the FortiGate is the device dropping the packets.
Check the speed of the incoming and outgoing interfaces and their mapping to the NPU by running the commands below:
diagnose hardware deviceinfo nic <portno>
diagnose npu np6 port-list
Then refer to the Fast Path Architecture guide for the model and check whether an ISF sits in front of those ports. If it does not, run the commands below (0 is the NP6 ID shown in the port list; use the ID the egress port maps to):
diagnose npu np6 gmac-stats 0 <----- For 1G link.
diagnose npu np6 xgmac-stats 0 <----- For 10G link.
If the TX_XPX_QFULL counter is incrementing between consecutive runs, the egress queue toward the 1G link is filling during traffic bursts and the excess packets are being dropped. This explains why the sniffer still shows the packets and why 'diagnose npu np6 dce' shows nothing.
This is a hardware limitation.
The only permanent solutions are to move to an NP7 model or an NP6 model with an ISF, or to use a 10G to 10G link so that both sides of the path run at the same speed.
Workaround.
To mitigate the issue, apply the following change:
config system npu
set host-shortcut-mode host-shortcut
end
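Because the decision in this procedure rests on whether TX_XPX_QFULL grows between two samples, it helps to compare the counters mechanically instead of by eye. The script below is an added example for this article and is not FortiGate code or output: it parses two saved copies of 'diagnose npu np6 gmac-stats 0' and reports whether the queue-full counter moved. The two snapshots are constructed sample text; the only assumption about the real output is that each counter appears as 'NAME : value', possibly several per line.

```python
import re
from typing import Dict

# Constructed sample snapshots of 'diagnose npu np6 gmac-stats 0' taken a few
# seconds apart during the slow period. Real output has many more counters;
# only the 'NAME : value' layout is assumed here.
SNAPSHOT_1 = """\
TX_ETHER_FRAMES_OK   :  1203311      RX_ETHER_FRAMES_OK   :  5400112
TX_XPX_QFULL         :  418          RX_CRC_ERRORS        :  0
TX_PAUSE_FRAMES      :  0            RX_UNDERSIZE_FRAMES  :  0
"""
SNAPSHOT_2 = """\
TX_ETHER_FRAMES_OK   :  1209877      RX_ETHER_FRAMES_OK   :  5431902
TX_XPX_QFULL         :  917          RX_CRC_ERRORS        :  0
TX_PAUSE_FRAMES      :  0            RX_UNDERSIZE_FRAMES  :  0
"""

QUEUE_FULL = "TX_XPX_QFULL"

# One counter is an upper-case identifier, a colon and an integer; the regex
# does not care how many such pairs share a line.
COUNTER_RE = re.compile(r"([A-Z][A-Z0-9_]*)\s*:\s*(\d+)")


def parse_counters(text: str) -> Dict[str, int]:
    """Extract every 'NAME : value' pair from one snapshot."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def counter_delta(before: str, after: str, name: str = QUEUE_FULL) -> int:
    """Growth of one counter between two snapshots.

    A KeyError on a missing counter is deliberate: a mistyped name must not be
    reported as 'not incrementing'.
    """
    return parse_counters(after)[name] - parse_counters(before)[name]


def classify(before: str, after: str) -> str:
    """Decide what the queue-full counter says about the drops.

    'incrementing': egress queue overflowing on bursts (the hardware
                    limitation this article describes); apply the workaround.
    'stable':       the drops are not in this GMAC queue; keep looking.
    'reset':        counter went backwards (cleared between samples); resample.
    """
    delta = counter_delta(before, after)
    if delta > 0:
        return "incrementing"
    if delta == 0:
        return "stable"
    return "reset"


if __name__ == "__main__":
    verdict = classify(SNAPSHOT_1, SNAPSHOT_2)
    print(f"{QUEUE_FULL} delta: {counter_delta(SNAPSHOT_1, SNAPSHOT_2)} -> {verdict}")
    if verdict == "incrementing":
        print("Egress queue to the 1G link is overflowing; consider "
              "'config system npu / set host-shortcut-mode host-shortcut'.")
```

Take the two samples while the slowness is actually occurring; a counter that is non-zero but not moving only says the queue overflowed at some point in the past, not that it explains the current drops.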
Related document:
Optionally disable NP6 offloading of traffic passing between 10Gbps and 1Gbps interfaces