• Network Setup: VDOM1/2 connected directly over LAG, with EMAC interfaces used.
• Issue: After upgrading, EMAC interfaces cannot ping each other, resulting in ICMP destination unreachable errors:

FortiGate (vdom1) # exec ping 33.33.33.2
PING 33.33.33.2 (33.33.33.2): 56 data bytes
Warning: Got ICMP 3 (Destination Unreachable)
^C
--- 33.33.33.2 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

• HTX Drop: Traffic drops are seen in the htx drop counters when the issue occurs:

[NP7_0]
Module SSE_TPE EGR_FLOW IGR_FLOW TPE MAC_FILTER ETH_ACT TGT_ACT SRC_ACT Total
--------------- ---------- ---------- ---------- ---------- ---------- ---------- ----------
htx 0 0 0 0 0 0 5 0 5
--------------- ---------- ---------- ---------- ---------- ---------- ---------- ----------
Total_drop : 5

• Egress-Shaping Issue: Traffic is blocked when egress-shaping is applied on the EMAC-VLAN interface. Removing and reapplying the shaping profile temporarily resolves the issue, but it reoccurs after a reboot.

• IVS Conflict: Both QTM (Quantum Management) and EMAC-VLAN interfaces use IVS (Interface Virtual Switch). Applying egress-shaping on the EMAC-VLAN interface creates a conflict between QTM's IVS and EMAC-VLAN's IVS, leading to blocked traffic.

• NP7 Limitation: NP7 currently supports only physical, VLAN, LAG, and IPsec tunnel interfaces. The EMAC-VLAN interface with egress-shaping applied is unsupported, causing the issue.

Resolving the issue:

Unset the egress-shaping profile and then set it back.