FortiGate
maulishshah
Staff
Article Id 341438
Description

This article describes what to collect when internet traffic is intermittently dropping on NP7 Platforms.

Scope

FortiGate.
Solution

If a user experiences intermittent internet traffic drops, work through the following steps to isolate the cause.


Confirm whether traffic shaping is configured. If it is, set up the sniffer and have one of the users behind the firewall generate the affected traffic continuously.


Sniffer command:


diagnose sniffer packet any 'host x.x.x.x and icmp' 4 0 l    <----- x.x.x.x is the destination IP the user is reaching.


Collect the session list with the following commands:


diagnose sys session filter src x.x.x.x   <----- x.x.x.x is the user's source IP.

diagnose sys session filter dst y.y.y.y   <----- y.y.y.y is the destination IP.

diagnose sys session filter proto 1

diagnose sys session list


Check the following fields in the session output; they show whether the session matched a traffic shaper and how much the shaper has already dropped:


session info: proto=1 proto_state=00 duration=14 expire=53 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=Test Policy prio=2 guarantee 2500000Bps max 2500000Bps traffic 100Bps drops 0B
reply-shaper=2O-D5 Policy prio=2 guarantee 2500000Bps max 2500000Bps traffic 100Bps drops 0B
per_ip_shaper=

class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
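When the filtered session list is long, picking out the sessions that matched a shaper by eye is error-prone. The script below is an added example, not part of this article or of FortiOS: it parses saved 'diagnose sys session list' output, extracts the origin-shaper and reply-shaper fields shown above, and reports the sessions whose shaper has already dropped bytes. The sample input is constructed for the example (the first session is the one shown above, the second is invented to show a dropping shaper); it assumes the CLI output was captured to a text file or pasted into a string.

```python
import re

# Constructed sample in the shape of 'diagnose sys session list' output.
# Session 1 is the one shown in the article; session 2 is invented here to
# show what a shaper that is already dropping bytes looks like.
SAMPLE_SESSION_LIST = """\
session info: proto=1 proto_state=00 duration=14 expire=53 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=Test Policy prio=2 guarantee 2500000Bps max 2500000Bps traffic 100Bps drops 0B
reply-shaper=2O-D5 Policy prio=2 guarantee 2500000Bps max 2500000Bps traffic 100Bps drops 0B
per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
session info: proto=1 proto_state=00 duration=30 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=Test Policy prio=2 guarantee 2500000Bps max 2500000Bps traffic 3100000Bps drops 45120B
per_ip_shaper=
class_id=0 shaping_policy_id=1 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
"""

SESSION_RE = re.compile(r"^session info: (?P<kv>.*)$")
# Shaper names may contain spaces ("Test Policy"), so match lazily up to " prio=".
SHAPER_RE = re.compile(
    r"^(?P<dir>origin|reply)-shaper=(?P<name>.+?) prio=(?P<prio>\d+) "
    r"guarantee (?P<guar>\d+)Bps max (?P<max>\d+)Bps traffic (?P<traffic>\d+)Bps "
    r"drops (?P<drops>\d+)B$"
)
POLICY_RE = re.compile(r"shaping_policy_id=(?P<id>\d+)")


def parse_session_list(text):
    """Split session-list output into one dict per session.

    Each dict carries the 'session info' key=value fields, any origin/reply
    shaper attached to the session, and the matching shaping_policy_id.
    """
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
            current = {"info": fields, "shapers": {}, "shaping_policy_id": None}
            sessions.append(current)
            continue
        if current is None:
            continue  # header or unrelated text before the first session
        m = SHAPER_RE.match(line)
        if m:
            current["shapers"][m["dir"]] = {
                "name": m["name"],
                "prio": int(m["prio"]),
                "guarantee_bps": int(m["guar"]),
                "max_bps": int(m["max"]),
                "traffic_bps": int(m["traffic"]),
                "drops_bytes": int(m["drops"]),
            }
            continue
        m = POLICY_RE.search(line)
        if m:
            current["shaping_policy_id"] = int(m["id"])
    return sessions


def shaped_sessions(sessions):
    """Sessions that matched a traffic shaper in either direction."""
    return [s for s in sessions if s["shapers"]]


def sessions_with_shaper_drops(sessions):
    """Sessions whose shaper has already dropped bytes; these are the ones
    worth correlating with the sniffer capture."""
    return [s for s in sessions
            if any(sh["drops_bytes"] > 0 for sh in s["shapers"].values())]


def summarize(sessions):
    """One human-readable line per shaper attached to the given sessions."""
    lines = []
    for s in sessions:
        proto = s["info"].get("proto")
        for direction, sh in s["shapers"].items():
            lines.append(
                f"proto={proto} policy_id={s['shaping_policy_id']} "
                f"{direction}-shaper={sh['name']!r} traffic={sh['traffic_bps']}Bps "
                f"max={sh['max_bps']}Bps drops={sh['drops_bytes']}B"
            )
    return lines


if __name__ == "__main__":
    parsed = parse_session_list(SAMPLE_SESSION_LIST)
    print(f"{len(shaped_sessions(parsed))} of {len(parsed)} sessions matched a shaper")
    for line in summarize(sessions_with_shaper_drops(parsed)):
        print("dropping:", line)
```

A session that shows a shaper with non-zero drops while the sniffer shows the user's ICMP requests going unanswered is the correlation the next step builds on; a shaped session with drops 0B points away from the shaper itself and toward the NPU queues checked below.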


If the session does match a shaper, run the following commands to determine whether the drops are NP-related.


fnsysctl date
diagnose npu np7 dce-drop-all all
diagnose npu np7 pdq 0
diagnose npu np7 pba 0
diagnose npu np7 dsw-ingress-stats 0
diagnose npu np7 dsw-egress-stats 0
diagnose npu np7 sse-stats 0
fnsysctl cat /proc/net/np7/np7_0/tbl/dce_dce0
fnsysctl cat /proc/net/np7/np7_0/tbl/dce_dce2
fnsysctl cat /proc/net/np7/np7_0/tbl/dce_dce4
fnsysctl cat /proc/net/np7/np7_0/hif_que
fnsysctl cat /proc/net/np7/np7_0/hif_intc
fnsysctl cat /proc/net/np7/np7_0/hif_intr
fnsysctl cat /proc/net/np7/np7_0/hif_stats
fnsysctl cat /proc/net/np7/np7_0/msg
fnsysctl cat /proc/net/np7/qtm
fnsysctl cat /proc/net/np7/tpe_stats
fnsysctl cat /proc/net/np7/qtm_stat
fnsysctl cat /proc/net/np7/tpe_stats

diagnose npu np7 getreg 0 qtm.qtm_dbg    <----- Run multiple times.

Example of two consecutive runs:

Test# diag npu np7 getreg 0 qtm.qtm_dbg
qtm_dbg (00060680)
queue_deq_pkt_cnt = f1d92826 (00060680) <RO>
queue_deq_byte_cnt = da72df9e (00060688) <RO>
sch0_enq_req_cnt = fa5b66a7 (00060690) <RO>
sch0_enq_succ_cnt = f323009b (00060698) <RO>
sch0_enq_drop_cnt = 08813f09 (000606a0) <RO> <----- Check this counter.
sch0_deq_cnt = f1d92860 (000606a8) <RO>


Test# diag npu np7 getreg 0 qtm.qtm_dbg
qtm_dbg (00060680)
queue_deq_pkt_cnt = f1d92826 (00060680) <RO>
queue_deq_byte_cnt = da72df9e (00060688) <RO>
sch0_enq_req_cnt = fa6acdb2 (00060690) <RO>
sch0_enq_succ_cnt = f332612c (00060698) <RO>
sch0_enq_drop_cnt = 0890a614 (000606a0) <RO> <----- Counter has increased.
sch0_deq_cnt = f1d92860 (000606a8) <RO>
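Reading the hexadecimal counters by eye across several runs is tedious, and a register can wrap between two readings. The script below is an added example, not part of this article or of FortiOS: it parses saved captures of 'diag npu np7 getreg 0 qtm.qtm_dbg', computes the per-counter delta between consecutive captures (modulo 2^32, so one wrap of the register is tolerated) and lists any *_drop_cnt register that grew. The two snapshots are the ones shown above, embedded here as constructed test input; it assumes the CLI output was captured to text, for example by pasting from the console or an SSH session.

```python
import re

# Two captures of the command, copied from the article above and embedded
# here as constructed test input (not read from a live device).
SNAPSHOT_1 = """\
Test# diag npu np7 getreg 0 qtm.qtm_dbg
qtm_dbg (00060680)
queue_deq_pkt_cnt = f1d92826 (00060680) <RO>
queue_deq_byte_cnt = da72df9e (00060688) <RO>
sch0_enq_req_cnt = fa5b66a7 (00060690) <RO>
sch0_enq_succ_cnt = f323009b (00060698) <RO>
sch0_enq_drop_cnt = 08813f09 (000606a0) <RO>
sch0_deq_cnt = f1d92860 (000606a8) <RO>
"""

SNAPSHOT_2 = """\
Test# diag npu np7 getreg 0 qtm.qtm_dbg
qtm_dbg (00060680)
queue_deq_pkt_cnt = f1d92826 (00060680) <RO>
queue_deq_byte_cnt = da72df9e (00060688) <RO>
sch0_enq_req_cnt = fa6acdb2 (00060690) <RO>
sch0_enq_succ_cnt = f332612c (00060698) <RO>
sch0_enq_drop_cnt = 0890a614 (000606a0) <RO>
sch0_deq_cnt = f1d92860 (000606a8) <RO>
"""

# "<name> = <hex value> (<hex address>)"; the prompt and the "qtm_dbg (...)"
# header line have no "=" and are skipped.
REG_LINE_RE = re.compile(
    r"^\s*(?P<name>\w+)\s*=\s*(?P<val>[0-9a-fA-F]{1,8})\s*\((?P<addr>[0-9a-fA-F]+)\)"
)


def parse_qtm_dbg(text):
    """Return {register_name: int value} from one capture of the command."""
    counters = {}
    for line in text.splitlines():
        m = REG_LINE_RE.match(line)
        if m:
            counters[m["name"]] = int(m["val"], 16)
    return counters


def counter_delta(old, new, width_bits=32):
    """Growth of a free-running counter between two readings, tolerating
    a single wrap of the register (the values shown are 32-bit)."""
    return (new - old) % (1 << width_bits)


def compare_snapshots(snapshots):
    """One {register: delta} dict per consecutive pair of parsed snapshots."""
    deltas = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        deltas.append({name: counter_delta(prev[name], cur[name])
                       for name in cur if name in prev})
    return deltas


def increasing_drop_counters(snapshots, suffix="_drop_cnt"):
    """Names of drop registers that grew in any interval. A drop counter that
    keeps climbing while the shaper is enabled is what the article asks you to
    look for before opening a TAC case."""
    hits = set()
    for d in compare_snapshots(snapshots):
        hits.update(name for name, delta in d.items()
                    if name.endswith(suffix) and delta > 0)
    return sorted(hits)


if __name__ == "__main__":
    snaps = [parse_qtm_dbg(SNAPSHOT_1), parse_qtm_dbg(SNAPSHOT_2)]
    for name, delta in compare_snapshots(snaps)[0].items():
        print(f"{name:22s} +{delta}")
    print("drop counters increasing:", increasing_drop_counters(snaps))
```

On the two captures above, sch0_enq_drop_cnt grows by 1009419 while queue_deq_pkt_cnt does not move at all, which is the pattern described in the note that follows. Feed the function more than two snapshots, taken at known intervals, to see whether the drops track the periods when users report the traffic loss.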


Note:

Run the above command several times and watch whether the sch0_enq_drop_cnt value keeps increasing between runs. Then disable the traffic shaping policy and check whether the traffic passes correctly. If traffic passes correctly once shaping is disabled, open a TAC case and provide the NP7 logs collected above for further analysis.

Super Admin privilege is required to run the 'fnsysctl' command. Otherwise, FortiGate will return an error, as explained in Troubleshooting Tip: fnsysctl command returns Unknown action 0.

In some cases, a valid workaround is to change the QoS type under the NPU configuration:

config system npu
    set default-qos-type policing
end

WARNING: When default-qos-type is set to shaping max-receive-unit should also be set to 6000, and all interface MTUs should be set to 6000 or less. Interface MTU will be lowered automatically.
The configuration will take effect after system reboot.
Do you want to continue? (y/n)y