FortiGate
cphi
Staff & Editor
Article Id 396301
Description

This article describes an issue where an NP7 FortiGate running v7.2.11 may stop sending traffic out of certain interfaces after a change in the destination MAC address or a change in the FIB table.

Scope

FortiGate v7.2.11.
Solution

If the output of 'fnsysctl ifconfig [INTERFACE]' shows the RX packet counter continuing to increase while the TX packet counter stops increasing, the FortiGate is affected by this issue. Physical interfaces, VLAN interfaces, and aggregate interfaces can all be affected.

 

FortiGate # fnsysctl ifconfig port1
port1 Link encap:Ethernet HWaddr 00:09:0F:09:00:00
        link-local6: fe80::7a18:ecff:fe0f:a54e prefixlen 64
        UP BROADCAST MULTICAST MTU:1500 Metric:1
        RX packets:40094 errors:0 dropped:0 overruns:0 frame:0
        TX packets:51209 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:10919576 (10.4 MB)  TX bytes:28821399 (27.5 MB)

 

FortiGate # fnsysctl ifconfig port1
port1 Link encap:Ethernet HWaddr 00:09:0F:09:00:00
        link-local6: fe80::7a18:ecff:fe0f:a54e prefixlen 64
        UP BROADCAST MULTICAST MTU:1500 Metric:1
        RX packets:40153 errors:0 dropped:0 overruns:0 frame:0
        TX packets:51209 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:10924673 (10.4 MB)  TX bytes:28821399 (27.5 MB)
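Comparing the two captures by eye works for one interface; with many interfaces it is easier to let a script do the comparison. The Python script below is an added example, not part of the original article and not a Fortinet tool: it parses two successive captures of 'fnsysctl ifconfig' output (the two port1 samples above are embedded as the constructed input) and reports every interface whose RX packet counter advanced while its TX counter stayed flat. How the captures are collected from the unit (for example over SSH from an administration host) is assumed and not shown.

```python
import re

# Two successive captures of 'fnsysctl ifconfig port1', copied from the
# article output above (constructed input for this example).
SAMPLE_BEFORE = """\
port1 Link encap:Ethernet HWaddr 00:09:0F:09:00:00
        link-local6: fe80::7a18:ecff:fe0f:a54e prefixlen 64
        UP BROADCAST MULTICAST MTU:1500 Metric:1
        RX packets:40094 errors:0 dropped:0 overruns:0 frame:0
        TX packets:51209 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:10919576 (10.4 MB)  TX bytes:28821399 (27.5 MB)
"""

SAMPLE_AFTER = """\
port1 Link encap:Ethernet HWaddr 00:09:0F:09:00:00
        link-local6: fe80::7a18:ecff:fe0f:a54e prefixlen 64
        UP BROADCAST MULTICAST MTU:1500 Metric:1
        RX packets:40153 errors:0 dropped:0 overruns:0 frame:0
        TX packets:51209 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:10924673 (10.4 MB)  TX bytes:28821399 (27.5 MB)
"""

# An interface block starts at column 0 with the interface name followed by
# "Link encap:"; the counter lines that belong to it are indented.
IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
RX_RE = re.compile(r"RX packets:(\d+)")
TX_RE = re.compile(r"TX packets:(\d+)")


def parse_ifconfig(text):
    """Parse 'fnsysctl ifconfig' output (one or more interfaces) into
    {interface: {"rx": packets, "tx": packets}}."""
    counters = {}
    # Split before every non-indented line, i.e. at each interface header.
    for block in re.split(r"\n(?=\S)", text.strip()):
        block = block.strip()
        header = IFACE_RE.match(block)
        rx = RX_RE.search(block)
        tx = TX_RE.search(block)
        if header and rx and tx:
            counters[header.group(1)] = {"rx": int(rx.group(1)),
                                         "tx": int(tx.group(1))}
    return counters


def find_stalled_interfaces(before, after, min_rx_delta=1):
    """Return the interfaces whose RX packet counter advanced by at least
    min_rx_delta between the two captures while the TX counter did not move.
    Interfaces whose counters went backwards (counter reset or wrap, or the
    captures supplied in the wrong order) are skipped as not comparable."""
    stalled = []
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            continue
        rx_delta = new["rx"] - old["rx"]
        tx_delta = new["tx"] - old["tx"]
        if rx_delta < 0 or tx_delta < 0:
            continue
        if rx_delta >= min_rx_delta and tx_delta == 0:
            stalled.append(name)
    return sorted(stalled)


if __name__ == "__main__":
    before = parse_ifconfig(SAMPLE_BEFORE)
    after = parse_ifconfig(SAMPLE_AFTER)
    for name in find_stalled_interfaces(before, after):
        print(f"{name}: RX advanced by {after[name]['rx'] - before[name]['rx']} "
              f"packets, TX unchanged at {after[name]['tx']} -> matches the symptom")
```

An interface that legitimately carries no egress traffic during the sampling window produces the same signature, so treat a hit as a reason to check the interface (for example by generating a known flow through it and sampling again) rather than as proof on its own.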

 

This issue is tracked as known issue 1164092, which is resolved in v7.2.12.

v7.2.10, v7.4.x, and v7.6.x are not affected by this issue. It may be possible to roll back to the previous firmware version by booting from the backup partition. For more details, see Technical Tip: Selecting an alternate firmware for the next reboot.

 

Workaround:

Either of the two workarounds outlined below can be used.

  1. Disable hardware offloading on all firewall policies. This prevents the issue from occurring.

 

config firewall policy
    edit [ID]
        set auto-asic-offload disable
    next
end

 

  2. If disabling offloading is not an option, running the NPU sniffer with a filter on the physical or aggregate interface (not on the VLAN interface) that has the transmission issue allows traffic to start flowing again. This workaround does not prevent the issue from recurring; the transmission issue may come back afterwards.

diagnose npu sniffer filter intf [INTERFACE]
diagnose npu sniffer filter dir 2
diagnose npu sniffer start
diagnose sniffer packet npudbg "none" 4 0 l

Press CTRL+C after 5 seconds to stop the packet sniffer, then stop the NPU sniffer:

diagnose npu sniffer stop

 

Related article:

Viewing your FortiGate NP7 processor configuration - FortiGate 7.6.3 hardware acceleration guide