cphi
Staff & Editor
Article Id 396301
Description

This article describes an issue where an NP7 FortiGate on v7.2.11 may stop sending traffic out on certain interfaces due to a change in the destination MAC address or a FIB table change.

Scope

FortiGate v7.2.11.
Solution

If the output of 'fnsysctl ifconfig [INTERFACE]' shows that the RX packet counter continues to increase while the TX packet counter stops increasing, the FortiGate is affected by this issue. This issue can affect physical interfaces, VLAN interfaces, and aggregate interfaces.

FortiGate # fnsysctl ifconfig port1
port1 Link encap:Ethernet HWaddr 00:09:0F:09:00:00
        link-local6: fe80::7a18:ecff:fe0f:a54e prefixlen 64
        UP BROADCAST MULTICAST MTU:1500 Metric:1
        RX packets:40094 errors:0 dropped:0 overruns:0 frame:0
        TX packets:51209 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:10919576 (10.4 MB)  TX bytes:28821399 (27.5 MB)

FortiGate # fnsysctl ifconfig port1
port1 Link encap:Ethernet HWaddr 00:09:0F:09:00:00
        link-local6: fe80::7a18:ecff:fe0f:a54e prefixlen 64
        UP BROADCAST MULTICAST MTU:1500 Metric:1
        RX packets:40153 errors:0 dropped:0 overruns:0 frame:0
        TX packets:51209 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:10924673 (10.4 MB)  TX bytes:28821399 (27.5 MB)
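As an added check that is not part of this article or of any Fortinet tool, the following script compares two successive 'fnsysctl ifconfig' captures and reports interfaces whose RX packet counter advanced while the TX counter stayed flat. It goes slightly beyond the single-port output above: it also handles the full multi-interface listing. The sample captures are constructed from the counter values shown above.

```python
import re

# Constructed sample input: two successive 'fnsysctl ifconfig port1' captures
# using the counter values from the article (RX advances, TX stays at 51209).
CAPTURE_BEFORE = """\
port1 Link encap:Ethernet HWaddr 00:09:0F:09:00:00
        link-local6: fe80::7a18:ecff:fe0f:a54e prefixlen 64
        UP BROADCAST MULTICAST MTU:1500 Metric:1
        RX packets:40094 errors:0 dropped:0 overruns:0 frame:0
        TX packets:51209 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:10919576 (10.4 MB)  TX bytes:28821399 (27.5 MB)
"""
CAPTURE_AFTER = CAPTURE_BEFORE.replace("RX packets:40094", "RX packets:40153")

STANZA_START = re.compile(r"^(\S+)\s+Link encap:")   # 'port1 Link encap:...'
PKT_COUNTER = re.compile(r"\b(RX|TX) packets:(\d+)")  # not 'RX bytes:'


def parse_ifconfig(text):
    """Map each interface stanza to its packet counters,
    e.g. {'port1': {'rx': 40094, 'tx': 51209}}. Works on a single-port
    capture or on the full multi-interface 'fnsysctl ifconfig' listing."""
    stats, current = {}, None
    for line in text.splitlines():
        m = STANZA_START.match(line)
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        m = PKT_COUNTER.search(line) if current else None
        if m:
            stats[current][m.group(1).lower()] = int(m.group(2))
    return stats


def stuck_tx_interfaces(before, after):
    """Interfaces whose RX counter grew between captures while TX did not
    move: the symptom the article describes. An interface with no RX growth
    is not reported, since a quiet port with nothing to send is no evidence."""
    old, new = parse_ifconfig(before), parse_ifconfig(after)
    stuck = []
    for name, cur in new.items():
        prev = old.get(name, {})
        if not all(k in cur and k in prev for k in ("rx", "tx")):
            continue  # interface missing from one capture or lacks counters
        if cur["rx"] > prev["rx"] and cur["tx"] == prev["tx"]:
            stuck.append(name)
    return stuck
```

Take the two captures a few seconds apart so that RX has a chance to advance; a single capture cannot show the symptom.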

 

NP7 and LAG (aggregate) interface scenario:

fnsysctl cat /proc/net/np7/lag

From this output, find the OID of the LAG interface with the TX issue. For example, 202.

diagnose npu np7 readtbl 0 cdb_tpact_tbl 0 202

If the trunk_vld/trunk_num value is an abnormal 00000000, the issue matches.

NP7 and physical interface scenario:

diagnose hardware deviceinfo nic port14 | grep oid

From this output, find the OID of the physical interface with the TX issue. For example, 141.

diagnose npu np7 readtbl 0 cdb_tpact_tbl 0 141

If the tpe_id/mac_id value is an abnormal 00000000 and the NP7 L2P_drop_counter is increasing, the issue matches.

 

This issue is documented as part of known issue 1164092, which is resolved in v7.2.12.

v7.2.10, v7.4.x and v7.6.x are not affected by this issue. It may be possible to fix this by rolling back to the previous firmware version by booting off the backup partition. For more details, see Technical Tip: Selecting an alternate firmware for the next reboot.

 

Workaround:

Either of the two workarounds outlined below can be used.

  1. Disable offloading on all firewall policies. This will prevent the issue from occurring.

config firewall policy
    edit [ID]
        set auto-asic-offload disable
    next
end

 

  2. If disabling offloading is not an option, filtering the NPU sniffer on the physical or aggregate interface (not on the VLAN interface) with the transmission issues will allow traffic to start working again. With this workaround, the transmission issues may still occur afterwards.

diagnose npu sniffer filter intf [INTERFACE]
diagnose npu sniffer filter dir 2
diagnose npu sniffer start
diagnose sniffer packet npudbg "none" 4 0 l

Press 'CTRL+C' after 5 seconds to stop the sniffer.

diagnose npu sniffer stop

 

Related article:

Viewing your FortiGate NP7 processor configuration - FortiGate 7.6.3 hardware acceleration guide