eowusu
Staff
Article Id 279728
Description

This article describes how to troubleshoot a case where a user's outgoing traffic stops passing, and internet browsing mostly fails, after a traffic shaper with a limited bandwidth allocation is applied to that traffic.

 

Scope

 

FortiGate.

 

Solution

 

  1. Run a debug flow trace on the FortiGate and check the output. Filter on the address of the affected client so that only the interesting traffic is shown:

diagnose debug disable
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr X.X.X.X <----- IP address of the interesting traffic (matches source or destination).
diagnose debug console timestamp enable
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 100 <----- Display up to 100 packets for this flow.
diagnose debug enable

 

The output looks similar to the following (the text after each --> is an explanation of that line, not part of the FortiGate output):

 

2023-09-28 09:15:33 id=65308 trace_id=11 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 10.27.2.231:1->8.8.8.8:2048) tun_id=0.0.0.0 from LAN Aggregate. type=8, code=0, id=1, seq=1527." --> The FortiGate receives an ICMP echo request (type=8) from 10.27.2.231 on the LAN side, destined for 8.8.8.8.
2023-09-28 09:15:33 id=65308 trace_id=11 func=init_ip_session_common line=5964 msg="allocate a new session-0adb8d22, tun_id=0.0.0.0" --> No existing session matches, so a new session is allocated.
2023-09-28 09:15:33 id=65308 trace_id=11 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2130837505: to 8.8.8.8 via ifindex-34" --> A policy route (ID 2130837505) matches and forces traffic to 8.8.8.8 out of interface index 34.
2023-09-28 09:15:33 id=65308 trace_id=11 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-168.8.168.1 via PeachNet-WAN" --> The outbound route is found: gateway 168.8.168.1 via the interface "PeachNet-WAN".
2023-09-28 09:15:33 id=65308 trace_id=11 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=10" --> The firewall policy table is searched for a policy matching this address and interface pair.
2023-09-28 09:15:33 id=65308 trace_id=11 func=get_new_addr line=1231 msg="find SNAT: IP-168.8.168.250(from IPPOOL), port-60418" --> Source NAT (SNAT) is applied using the IP pool address 168.8.168.250.
2023-09-28 09:15:33 id=65308 trace_id=11 func=fw_forward_handler line=990 msg="Allowed by Policy-9: SNAT" --> The packet is allowed by firewall policy ID 9, which has SNAT enabled.
2023-09-28 09:15:33 id=65308 trace_id=11 func=shaper_handler line=884 msg="exceeded shaper limit, drop" --> The packet is dropped by the traffic shaper because the flow has exceeded the bandwidth limit of the shaper applied to it. Note that this happens after the firewall policy has already allowed the packet, so the drop does not show up as a policy deny.

 

To stop the debug flow:

diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

 

  2. Once the output shows the message 'exceeded shaper limit, drop', the traffic is being discarded by the traffic shaper rather than by the firewall policy. Check the traffic shaping policy that matches this traffic and the shaper it references, then either raise the shaper's bandwidth limit (maximum-bandwidth, and guaranteed-bandwidth if it is set) so that it accommodates the actual traffic volume, or disable the traffic shaping policy.
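The two steps above are easy to do by eye for one ping, but a 100-packet trace with several clients quickly becomes hard to read. The following Python script is an added example (not part of the original article and not a Fortinet tool) that parses `diagnose debug flow` output of the format shown above, groups the lines by trace_id, records which firewall policy allowed each flow, and reports the flows that were dropped by shaper_handler together with the policy ID to investigate. The sample trace embedded in the script is constructed for the example: the ICMP flow mirrors the article's sequence, and a second, allowed TCP flow is added so that both outcomes appear; addresses and policy IDs are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample of `diagnose debug flow` output (not captured from a real device).
# trace_id=11 follows the article's ICMP sequence ending in a shaper drop;
# trace_id=12 is an added TCP flow that is allowed and NATed normally.
SAMPLE_TRACE = """\
2023-09-28 09:15:33 id=65308 trace_id=11 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 10.27.2.231:1->8.8.8.8:2048) tun_id=0.0.0.0 from LAN Aggregate. type=8, code=0, id=1, seq=1527."
2023-09-28 09:15:33 id=65308 trace_id=11 func=init_ip_session_common line=5964 msg="allocate a new session-0adb8d22, tun_id=0.0.0.0"
2023-09-28 09:15:33 id=65308 trace_id=11 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-168.8.168.1 via PeachNet-WAN"
2023-09-28 09:15:33 id=65308 trace_id=11 func=get_new_addr line=1231 msg="find SNAT: IP-168.8.168.250(from IPPOOL), port-60418"
2023-09-28 09:15:33 id=65308 trace_id=11 func=fw_forward_handler line=990 msg="Allowed by Policy-9: SNAT"
2023-09-28 09:15:33 id=65308 trace_id=11 func=shaper_handler line=884 msg="exceeded shaper limit, drop"
2023-09-28 09:15:34 id=65308 trace_id=12 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=6, 10.27.2.50:51234->93.184.216.34:443) from LAN Aggregate. flag [S], seq 1, ack 0, win 64240"
2023-09-28 09:15:34 id=65308 trace_id=12 func=init_ip_session_common line=5964 msg="allocate a new session-0adb8d23, tun_id=0.0.0.0"
2023-09-28 09:15:34 id=65308 trace_id=12 func=fw_forward_handler line=990 msg="Allowed by Policy-12: SNAT"
2023-09-28 09:15:34 id=65308 trace_id=12 func=fw_forward_handler line=1120 msg="SNAT 10.27.2.50->168.8.168.250:51234"
"""

# One trace line: timestamp, id, trace_id, function, source line, quoted message.
# Anything after the closing quote (e.g. the article's "-->" notes) is ignored.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
    r'func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>[^"]*)"'
)
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>\S+)->(?P<dst>\S+)\)')
POLICY_RE = re.compile(r'Allowed by Policy-(?P<pid>\d+)')
VERDICT_RE = re.compile(r'\b(drop|dropped|denied)\b', re.IGNORECASE)


def parse_trace(text):
    """Group well-formed trace lines by trace_id, preserving their order."""
    flows = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # skip CLI prompts, blank lines and wrapped fragments
            flows[m["trace"]].append(m.groupdict())
    return dict(flows)


def summarize(flows):
    """Reduce each trace to its addresses, the policy that allowed it, and the final verdict."""
    out = {}
    for tid, events in flows.items():
        s = {"trace_id": tid, "proto": None, "src": None, "dst": None,
             "policy": None, "verdict": "allowed", "drop_func": None, "drop_msg": None}
        for ev in events:
            msg = ev["msg"]
            pkt = PKT_RE.search(msg)
            if pkt:
                s["proto"] = int(pkt["proto"])
                s["src"], s["dst"] = pkt["src"], pkt["dst"]
            pol = POLICY_RE.search(msg)
            if pol:
                s["policy"] = int(pol["pid"])
            # A drop can follow a policy allow (the shaper case), so scan every line.
            if VERDICT_RE.search(msg) and not pol:
                s["verdict"] = "dropped"
                s["drop_func"] = ev["func"]
                s["drop_msg"] = msg
        out[tid] = s
    return out


def find_shaper_drops(text):
    """Return the summaries of flows that the traffic shaper discarded."""
    return [s for s in summarize(parse_trace(text)).values()
            if s["verdict"] == "dropped" and s["drop_func"] == "shaper_handler"]


if __name__ == "__main__":
    for s in summarize(parse_trace(SAMPLE_TRACE)).values():
        where = f" by {s['drop_func']} ({s['drop_msg']})" if s["verdict"] == "dropped" else ""
        print(f"trace {s['trace_id']}: proto={s['proto']} {s['src']} -> {s['dst']} "
              f"policy={s['policy']} {s['verdict']}{where}")
    for s in find_shaper_drops(SAMPLE_TRACE):
        print(f"-> check the shaping policy applied to traffic matched by firewall "
              f"policy {s['policy']} ({s['src']} -> {s['dst']})")
```

Paste the trace captured in step 1 in place of SAMPLE_TRACE (or read it from a file). Each flow reported by find_shaper_drops names the firewall policy that allowed the traffic; use it to locate the shaping policy and shaper that match the same source, destination and service, and confirm the diagnosis against that shaper's drop counters before raising its limit.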

 

Related documents:

Technical Tip: How to configure and check which traffic shaper is used

Traffic shaping policies