Sachin_Alex_Cherian_
Article Id 342449
Description

This article describes how to troubleshoot the SD-WAN Bandwidth/Network monitoring service. This licensed service measures the available bandwidth of a network path by running a speed test against a cloud server that is hosted and maintained by Fortinet.

The results can be used to set the interface bandwidth, which in turn feeds traffic shaping. This article shares troubleshooting steps for cases where the test cannot be initiated or fails to complete.

Scope

FortiGate devices that have a valid SD-WAN bandwidth monitoring license.
Solution

The guidelines on how to initiate the speed test are available in Technical Tip: How to perform SpeedTest.

At times, the speed test fails to execute. The steps below help narrow down the cause.

 

Step 1: Check whether the device is in HA. All cluster members must have the SD-WAN bandwidth monitor license. If only one member of the cluster is licensed, the test will fail.

 

Step 2: Check connectivity to the internet.

The FortiGate must be able to reach the internet from the interface on which the speed test is to be executed.

It must also be able to resolve host names using its system DNS. Ping the product API server by name to check both name resolution and reachability:


execute ping productapi.fortinet.com

 

Step 3: Validate that the FortiGate system time is correct.

A time difference of more than 10 seconds between the FortiGate and the cloud server can cause authentication with the speed test cloud server to fail. Synchronizing the FortiGate clock with an NTP server resolves the difference.

Step 4: Purge the cached list of speed test servers and download a fresh one.

 

config system speed-test-server
purge
y
end

execute speed-test-server download

Step 5: Validate the downloaded server list.

 

execute speed-test-server list

Check the server groups listed for the various regions and make sure they show as valid.
Pick a region and initiate the test towards it:

execute speed-test <interface_name> <region>

where <region> is one of the regions shown in the list output.

 

Run the test against several different regions, not just one.

 

Step 6: The forticldd daemon handles this service. Collect its debug output to identify the error.

 

diagnose debug reset
diagnose debug console timestamp en
diagnose debug application forticldd -1
diagnose debug enable


Initiate the speed test from the GUI or from the CLI.

Note the IP address of the server that the FortiGate is trying to connect to. In the example below, the daemon resolves productapi.fortinet.com, picks 154.52.13.199:443, and the HTTPS connection times out:

 

FW # [669] fds_https_stop_server: 154.52.13.199:443
[574] fds_https_timeout: Connection timed out, svr=productapi-svr
[240] fds_svr_default_on_error: productapi-svr: ip=154.52.13.199:443, reason=4
[257] fds_svr_default_on_error: productapi-svr: Conn failes 1/1
[280] fds_svr_default_on_error: productapi-svr: req-id=25, num_try=1, read=0, reason=4
[471] fds_free_tsk: cmd=25; req.noreply=0
[527] fds_send_reply: Sending 0 bytes data.
[550] fds_send_reply: send reply failed: req-25, Connection refused
[188] fds_svr_default_task_xmit: try to get IPs for productapi-svr
[258] fds_resolv_addr: resolve 'productapi.fortinet.com'
[189] fds_get_addr: name=productapi.fortinet.com, id=46032, cb=0xbd1db0
[52] dns_parse_resp: DNS resp-id=46032
[105] dns_parse_resp: DNS productapi.fortinet.com -> 154.52.13.199
[1442] fds_svr_add_server: Server 'productapi-svr' addr '154.52.13.199' is added.
[139] fds_svr_default_pickup_server: productapi-svr: 154.52.13.199:443


Step 7: Take a packet capture from the GUI or run the sniffer from the CLI.

 

Use the IP seen in the forticldd debug output (154.52.13.199 in the example above).
Note: this IP is not static and changes frequently, so always take it from a fresh debug run rather than from this article.

diagnose sniffer packet any 'host 154.52.13.199' 6 0 l

 

In the above command, '6' is the verbosity level (packet headers and payload including the Ethernet header, printed with the interface name, so the capture shows which interface the packets leave on), '0' is the number of packets to capture (0 means unlimited), and 'l' (lowercase L) adds a local timestamp.

Initiate the speedtest from the GUI or CLI.
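As an added example (not part of this article and not FortiOS code), the Python below parses a forticldd debug capture like the one in Step 6, reports what the daemon resolved and where it failed, and builds the Step 7 sniffer command from the IP the daemon actually used rather than a hard-coded one. The sample debug text is the article's own output embedded as a string; the function names and the 'dns', 'connect' and 'ok' verdicts are this example's own labels, not daemon output.

```python
import re

# Constructed sample: the forticldd debug lines from a failed speed test as
# quoted in this article, including the "FW # " prompt echo on the first line.
# This is not live output from any device.
SAMPLE_DEBUG = """\
FW # [669] fds_https_stop_server: 154.52.13.199:443
[574] fds_https_timeout: Connection timed out, svr=productapi-svr
[240] fds_svr_default_on_error: productapi-svr: ip=154.52.13.199:443, reason=4
[257] fds_svr_default_on_error: productapi-svr: Conn failes 1/1
[280] fds_svr_default_on_error: productapi-svr: req-id=25, num_try=1, read=0, reason=4
[471] fds_free_tsk: cmd=25; req.noreply=0
[527] fds_send_reply: Sending 0 bytes data.
[550] fds_send_reply: send reply failed: req-25, Connection refused
[188] fds_svr_default_task_xmit: try to get IPs for productapi-svr
[258] fds_resolv_addr: resolve 'productapi.fortinet.com'
[189] fds_get_addr: name=productapi.fortinet.com, id=46032, cb=0xbd1db0
[52] dns_parse_resp: DNS resp-id=46032
[105] dns_parse_resp: DNS productapi.fortinet.com -> 154.52.13.199
[1442] fds_svr_add_server: Server 'productapi-svr' addr '154.52.13.199' is added.
[139] fds_svr_default_pickup_server: productapi-svr: 154.52.13.199:443
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RE_RESOLVE = re.compile(r"fds_resolv_addr: resolve '([^']+)'")
RE_DNS = re.compile(r"dns_parse_resp: DNS (\S+) -> (" + IPV4 + ")")
RE_PICK = re.compile(r"fds_svr_default_pickup_server: (\S+): (" + IPV4 + r"):(\d+)")
RE_TIMEOUT = re.compile(r"fds_https_timeout: ([^,]+), svr=(\S+)")
RE_ERROR = re.compile(r"fds_svr_default_on_error: (\S+): .*\breason=(\d+)")


def triage_forticldd(debug_text):
    """Summarise a forticldd debug capture.

    Returns the names the daemon tried to resolve, the answers it got, the
    server:port it picked, and every timeout/error line it reported.
    """
    summary = {"lookups": [], "resolved": {}, "servers": [],
               "timeouts": [], "errors": []}
    for raw in debug_text.splitlines():
        # Drop a "HOST # " prompt echoed in front of the first debug line.
        line = raw.split("# ", 1)[1] if re.match(r"^\S+ # \[", raw) else raw
        if m := RE_RESOLVE.search(line):
            summary["lookups"].append(m.group(1))
        elif m := RE_DNS.search(line):
            summary["resolved"][m.group(1)] = m.group(2)
        elif m := RE_PICK.search(line):
            summary["servers"].append((m.group(1), m.group(2), int(m.group(3))))
        elif m := RE_TIMEOUT.search(line):
            summary["timeouts"].append((m.group(2), m.group(1)))
        elif m := RE_ERROR.search(line):
            summary["errors"].append((m.group(1), int(m.group(2))))
    return summary


def classify(summary):
    """Map the summary onto the next troubleshooting step of this article.

    "dns"     - a name was looked up but never answered: check system DNS (Step 2)
    "connect" - the name resolved but the HTTPS session timed out or errored:
                check routing/egress with the sniffer (Step 7)
    "ok"      - nothing failed in the capture
    """
    unanswered = [n for n in summary["lookups"] if n not in summary["resolved"]]
    if unanswered:
        return "dns"
    if summary["timeouts"] or summary["errors"]:
        return "connect"
    return "ok"


def sniffer_command(summary):
    """Build the Step 7 sniffer filter for every server IP the daemon used.

    The IP comes from the debug run itself because, as the article notes, it
    is not static. Verbosity 6 prints Ethernet headers with the interface
    name (shows the egress interface); 0 = unlimited packets; l = local time.
    """
    ips = sorted({ip for _, ip, _ in summary["servers"]} | set(summary["resolved"].values()))
    if not ips:
        return None
    bpf = " or ".join(f"host {ip}" for ip in ips)
    return f"diagnose sniffer packet any '{bpf}' 6 0 l"


if __name__ == "__main__":
    s = triage_forticldd(SAMPLE_DEBUG)
    print("verdict:", classify(s))
    print("resolved:", s["resolved"])
    print("timeouts:", s["timeouts"], "errors:", s["errors"])
    print(sniffer_command(s))
```

Paste the output of the Step 6 debug session into SAMPLE_DEBUG (or read it from a file) and run the script; a 'dns' verdict sends you back to Step 2, a 'connect' verdict to the sniffer in Step 7 with the filter already built for the current server IP.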

Scenario: the speed-test-server list cannot be downloaded when the default route is ECMP, on FortiOS version 7.2.
 
FW # execute speed-test-server download
Download timeout.
 
FW # get router info routing-table all
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via CVN tunnel 185.144.222.244, [1/0]
             [1/0] via DVPN tunnel 194.74.74.202, [1/0]
             [1/0] via 10.149.84.184, FER, [1/0]
             [1/0] via AZURE-VPN tunnel 20.92.14.36, [1/0]
 
In the sniffer output, the packets to the server are seen leaving on the wrong interface.

There is no option to specify a source IP or outgoing interface for the speed-test-server download.

An outgoing interface can be specified for the speed test itself via 'execute speed-test <interface> <region>'.

As a workaround, configure a static route to the server IP seen in the forticldd debugs via the intended interface. Because that IP is not static, the route has to be updated whenever the daemon resolves a different address.

This issue has been resolved in v7.4.1.
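As an added example (not from this article and not FortiOS code), the Python below parses 'get router info routing-table all' output like the one above, flags a default route that has several ECMP next hops, and prints the static-route workaround for the server IP taken from the forticldd debugs. The routing table is the article's sample plus one constructed connected route; Hop, parse_routes, ecmp_next_hops and pin_host_route are this example's own names. The emitted CLI uses the standard 'config router static' syntax, omitting 'set gateway' for tunnel interfaces.

```python
import re
from collections import namedtuple

# Constructed sample: the routing table from the ECMP scenario in this article,
# plus one connected route added here to show that non-default prefixes are
# parsed too. Not output from any live device.
SAMPLE_ROUTES = """\
Routing table for VRF=0
C 10.149.84.0/24 is directly connected, FER
S* 0.0.0.0/0 [1/0] via CVN tunnel 185.144.222.244, [1/0]
             [1/0] via DVPN tunnel 194.74.74.202, [1/0]
             [1/0] via 10.149.84.184, FER, [1/0]
             [1/0] via AZURE-VPN tunnel 20.92.14.36, [1/0]
"""

# gateway: next-hop IP (None for connected routes); device: interface name;
# tunnel: True when the hop is an IPsec tunnel interface
Hop = namedtuple("Hop", "gateway device tunnel")

RE_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9]?\*?\s+(\d+(?:\.\d+){3}/\d+)")
RE_TUNNEL = re.compile(r"via (\S+) tunnel (\d+(?:\.\d+){3})")
RE_GATEWAY = re.compile(r"via (\d+(?:\.\d+){3}), ([^,\s]+)")
RE_CONNECTED = re.compile(r"is directly connected, ([^,\s]+)")


def parse_routes(text):
    """Parse 'get router info routing-table all' into {prefix: [Hop, ...]}.

    Indented continuation lines carry no route code and belong to the previous
    prefix; that is how FortiOS prints the extra ECMP next hops.
    """
    routes = {}
    current = None
    for line in text.splitlines():
        if m := RE_PREFIX.match(line):
            current = m.group(1)
            routes.setdefault(current, [])
        elif current is None or not line.startswith(" "):
            continue  # header line or unrelated text
        for m in RE_TUNNEL.finditer(line):
            routes[current].append(Hop(m.group(2), m.group(1), True))
        for m in RE_GATEWAY.finditer(line):
            routes[current].append(Hop(m.group(1), m.group(2), False))
        for m in RE_CONNECTED.finditer(line):
            routes[current].append(Hop(None, m.group(1), False))
    return routes


def ecmp_next_hops(routes, prefix="0.0.0.0/0"):
    """Return the next hops installed for prefix; more than one means ECMP."""
    return routes.get(prefix, [])


def pin_host_route(ip, hops, device):
    """Return FortiOS CLI for a /32 static route to ip via the chosen next hop.

    ip should be the address seen in the forticldd debugs. A tunnel interface
    only needs 'set device'; a LAN/WAN next hop also gets 'set gateway'.
    """
    chosen = [h for h in hops if h.device == device]
    if not chosen:
        raise ValueError(f"{device} is not a next hop of this route")
    hop = chosen[0]
    lines = ["config router static", "    edit 0",
             f"        set dst {ip} 255.255.255.255"]
    if not hop.tunnel and hop.gateway:
        lines.append(f"        set gateway {hop.gateway}")
    lines += [f'        set device "{device}"', "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    hops = ecmp_next_hops(routes)
    if len(hops) > 1:
        print(f"default route has {len(hops)} ECMP next hops:")
        for h in hops:
            print("  ", h)
    # Pin the server IP from the debugs to the interface the download should use.
    print(pin_host_route("154.52.13.199", hops, "FER"))
```

Re-run pin_host_route with the new address whenever a fresh forticldd debug shows productapi.fortinet.com resolving elsewhere, and delete the stale /32 entry; otherwise the pinned route silently stops matching and the download falls back to ECMP.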

 

Related articles: 
Technical Tip: SD-WAN Bandwidth monitoring speed test shows Failed Dependency error 

Technical Tip: SD-WAN Bandwidth monitoring service