|
This issue only affects NP7 models. Check the model of the FortiGate and confirm if it uses an NP7 processor or not.
Sometimes, after a firmware upgrade, FortiGate traffic starts failing on the interface, and even the IP address configured on the interface is not reachable.
config system interface
edit "VLAN 1118"
set vdom "Internet"
set ip 192.168.1.1 255.255.255.0
set allowaccess ping
set inbandwidth 10000
set monitor-bandwidth enable
set role lan
set snmp-index 53
set interface "port1"
set vlanid 1118
next
end
Running a sniffer in this case shows that ARP requests are reaching the FortiGate: an ARP reply is seen with an NPU sniffer as well, but the traffic still fails. The ARP reply fails to make it to the FortiGate, causing ARP to fail.
diagnose sniffer packet any 'host 192.168.1.1 and arp' 4 0 a
interfaces=[any]
filters=[host 192.168.1.1 and arp]
2024-04-22 08:48:41.454732 VLAN 1118 out arp who-has 192.168.1.100 tell 192.168.1.1
2024-04-22 08:48:41.454737 port3 out arp who-has 192.168.1.100 tell 192.168.1.1
2024-04-22 08:48:41.455056 npudbg in arp reply 192.168.1.100 is-at 00:70:6f:72:27:02 <- The client is responding, but this packet gets dropped at NPU.
This is a known issue that was identified and documented under bug ID 901621. See the FortiOS v7.2.6 release notes and FortiOS v7.6.0 release notes.
Either of these two workarounds can help resolve the issue.
- Disable inbandwidth/outbandwidth on the interface.
config system interface
edit "VLAN 1118"
unset inbandwidth
unset outbandwidth
next
end
-
Change the default-qos-type from shaping to policing. The FortiGate will need to restart after this change.
config system npu
set default-qos-type policing
end
Note:
For details regarding the fix, check the release notes of newer FortiOS releases.
|
