FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
stroia
Staff
Staff
Article Id 314673
Description This article describes how to troubleshoot slow SMB traffic transfer over FortiGate SD-WAN.
Scope

FortiGate SD-WAN.

Solution

SMB (The Server Message Block) is a client-server communication protocol using ports 139 and 445 with TCP.

This protocol is used to provide access to files, printers, serial ports and other resources on a network, while ‍Samba is an open-source implementation of the SMB protocol.

Typically, SMB is used to access a file hosted in a shared folder on a remote server.  The article provides a guide about how to troubleshoot when expiring slowness with download or upload files.

 

A bottom-up troubleshooting approach following ISO Model is recommended. 

 

Connections status analysis: on Fortinet SD-WAN, Underlays or Overlays connections must be mapped as SD-WAN Members.To discover a performance degradation on a SD-WAN member monitored with a Performance SLA, there are 3 ways:

  • Via the FortiGate GUI: navigate to Network -> SD-WAN -> Performance SLA (third tab). Below is an example of a temporary 100% packet loss on 1 of 2 members monitored:

1 Performance SLA.png

 

  • Via the FortiGate CLI: run the following command:

diagnose sys sdwan health-check

 

2 Performance SLA via CLI.png

 

  • Via FortiAnalyzer: Log View -> Fortigate -> Event -> SD-WAN:

3 Performance SLA via FAZ.png

 

More detailed information can be found in this document: Administration guide: Monitoring performance-sla.

 

In cases where IPsec tunnels are used as SD-WAN members, an underlay degradation can usually cause IPsec flaps. It is possible to verify IPsec tunnel stability by analyzing VPN Logs under Log & Report -> System Event -> VPN Events:

 

4 IPSec flaps.png

 

Poor underlay performance is only one of the possible causes of IPsec instability.

To find out the root cause, it is necessary to debug the ike demon responsible for IPsec tunnel installation and maintenance.

More details can be found in these articles:

SD-WAN Rules configuration analysis: to understand if the SD-WAN is properly configured, it is necessary to first verify which one is steering the traffic with the slowdown issues.

Here are two ways to find the matching rule:

  • Analyze traffic logs under Log & Report -> Forward Traffic (add the 'SD-WAN Rule Name' column by right-clicking on the column’s title row and selecting it) by applying the necessary filters:

5 Find matching SDWAN rule.png

 

  • Use the following command with the proper filters:

diagnose session list

 

6 session list output.png

 

More details about how to do this are available here: Technical Tip: How to find the SD-WAN rule and SD-WAN member used.

When analyzing SD-WAN logs, remember the following:

One possible cause for the issue is if the rule that steers SMB traffic uses a Load Balance Strategy (called Maximize Bandwidth (SLA) prior to FortiOS v7.4.1 firmware), as in this example:

 

7 SDWAN rules conf load balance.png

 

This could be the cause of the issue.

 

A huge amount of SMB traffic is managed by different sessions by FortiGate, so if the SD-WAN rule matched a used Load Balance strategy, traffic is equally distributed per session with a round-robin algorithm between all rule SD-WAN members in SLA (as explained in Administration Guide: Load balancing strategy) and shown on logs for a transfer file using SMB:

 

8 Load balance strategy logs.png

 

It is possible to force traffic to use only the best member with a new rule moved on top of an existing one and configured with proper IP/subnets and a Best Quality strategy. For example:

 

9 SDWAN rules conf - Best quality strategy.png

 

The SD-WAN Best Quality strategy chooses the best link to forward traffic comparing the 'link-cost-factor' defined via health-check, as shown in the following logs for a file transfer via SMB:

 

11 SDWAN rules Best quality logs.png

 

More details about Best Quality strategy can be found here: Administration Guide: Best Quality strategy.

 

The SD-WAN rule member used is the one with the black tick:

 

12 Used Member.png

 

If the issue is still not resolved after all of the analysis and tests described above, investigate the following:

  • Firewall policy configuration (for example, it may be necessary to allow pinging for an ICMP client server to permit the client server probe mechanism to work).
  • Packet fragmentation and IPsec tunnel drops, as explained here: Technical Tip: IP Packet fragmentation over IPsec tunnel.

To identify the root cause, it may be necessary to analyze traffic captures:

Note the following:

  • Offloaded traffic is not shown from the built-in traffic capture FortiOS tool on a FortiGate hardware model. It is necessary to disable offloading on the firewall policy (as explained in the Disabling np offloading for firewall policies documentation) and on IPsec tunnel phase1 (as explained in the Disabling NP offloading for individual IPsec VPN phase 1 documentation) to see all traffic.
  • When IPsec phase1 offload is disabled, all IPsec tunnels are flushed and a rekey process starts. While in progress, this operation affects traffic.

 

Other related documents: