FortiGate
Pedro_FTNT
Staff
Article Id 389750
Description This article explains the difference between 'TX dropped' and 'Host Tx dropped'.
Scope FortiGate.
Solution
  1. Using the diagnose command:
fnsysctl ifconfig <physical port>
 
Example:
 
fnsysctl ifconfig internal6
 
internal6   Link encap:Ethernet  HWaddr 00:09:0F:09:00:07
            UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
            RX packets:450707 errors:0 dropped:0 overruns:0 frame:0
            TX packets:443318 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:187031063 (178.4 MB)  TX bytes:185751500 (177.1 MB)
 
The diagnose command will show the following:
 
RX packets:450707 errors:0 dropped:0 overruns:0 frame:0
TX packets:443318 errors:0 dropped:0 overruns:0 carrier:0
 
The dropped counters mean the following:
 
  • RX dropped: Packets received by hardware but dropped before reaching the software (kernel).
  • TX dropped: Packets given to the NIC driver for transmission but the driver rejected them (e.g., queue full, or transmission error at the kernel level).
 
In this case:
 
RX dropped:0
TX dropped:0
 
The Linux kernel sees no drops at its level.
 
  2. Using the diagnose command:
diagnose hardware deviceinfo nic internal5 -> (hardware/NP view)
 
Description         :FortiASIC NP6XLITE Adapter
Driver Name         :FortiASIC NP6XLITE Driver
Board               :80F
lif id              :6
lif oid             :70
netdev oid          :70
Current_HWaddr       00:09:0f:09:00:06
Permanent_HWaddr     84:39:8f:8f:db:b2
========== Link Status ==========
Admin               :up
netdev status       :up
autonego_setting    :1
link_setting        :1
speed_setting       :1000
duplex_setting      :0
Speed               :1000
Duplex              :Full
link_status         :Up
============ Counters ===========
Rx Pkts             :862330
Rx Bytes            :386938003
Tx Pkts             :1585124
Tx Bytes            :940579100
Host Rx Pkts        :862330
Host Rx Bytes       :374865383
Host Tx Pkts        :1618269
Host Tx Bytes       :959685488
Host Tx dropped     :33145
FragTxCreate        :0
FragTxOk            :0
FragTxDrop          :0
np_rx_pkts          :862330
np_rx_bytes         :390387323
np_rx_mc_pkts       :0
np_rx_bc_pkts       :478784
np_tx_pkts          :1585124
np_tx_bytes         :946948018
np_tx_mc_pkts       :0
np_tx_bc_pkts       :471745
 
This diagnose command queries the hardware (FortiASIC NP6XLITE) counters at a lower level inside the FortiGate, not the Linux kernel.
 
Host Tx dropped means:
 
Packets generated by the FortiGate CPU (host) intended to be transmitted through the NP6 hardware, but the NP6 dropped them.
 
Possible reasons include:
 
  • NP6 internal congestion (resource exhaustion).
  • NP6 queue full.
  • Invalid packets (e.g., incorrect checksum, internal processing error).
  • Traffic shaping or flow control triggered.
 
In this example:
 
Host Tx dropped: 33145
 
The hardware (NP6XLITE) dropped 33,145 packets that the FortiGate host (main CPU) tried to send.
 
  3. Summary of difference:
fnsysctl ifconfig dropped:
 
  • Layer: Linux Kernel network stack.
  • Context: OS-level driver drop.
  • Significance: Kernel unable to process.
 
Host Tx dropped (deviceinfo):
 
  • Layer: FortiGate Hardware (ASIC/NP6)
  • Context: Hardware-level (NP6 engine) drop
  • Significance: Hardware dropped outgoing packets
 
  4. Notes:
Even if the kernel (ifconfig) reports no drops, the hardware (NP) may still be dropping packets.
This could impact real traffic (e.g., sessions lost, retransmissions, performance degradation).
This is especially important under heavy load, high session rate, bandwidth saturation, or suboptimal NP6 offload tuning.
 
  5. Recommendations:

  • Check if CPU usage is high (get system performance top, diagnose sys top).
  • Check session counts (diagnose sys session stat).
  • Check if NP6 is overloaded (diagnose npu np6lite stat or diagnose npu np6lite port-stat).
  • Analyze traffic patterns (e.g., bursty traffic, lots of small packets).
  • Review offload settings (ensure traffic is properly accelerated by NP6 when possible).
  • In extreme cases, consider firmware updates (some FortiOS versions improve NP6 behavior) or traffic engineering.
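
The comparison described above can be scripted against saved CLI output. The following is an added example, not part of the original article or Fortinet tooling: it parses both views and reports drops that only the NP counter shows. The function names are hypothetical, and the sample input is constructed from the article's two excerpts, which there come from different ports (internal6 and internal5); in practice capture both outputs for the same port.

```python
import re

# Constructed sample from the article's two excerpts (different ports there).
IFCONFIG_OUT = """\
internal6   Link encap:Ethernet  HWaddr 00:09:0F:09:00:07
            RX packets:450707 errors:0 dropped:0 overruns:0 frame:0
            TX packets:443318 errors:0 dropped:0 overruns:0 carrier:0
            RX bytes:187031063 (178.4 MB)  TX bytes:185751500 (177.1 MB)
"""
DEVICEINFO_OUT = """\
Current_HWaddr       00:09:0f:09:00:06
Tx Pkts             :1585124
Host Tx Pkts        :1618269
Host Tx dropped     :33145
"""

def parse_ifconfig(text):
    """Kernel view: {'RX': {...}, 'TX': {...}} from the 'packets:' lines."""
    stats = {}
    for direction, rest in re.findall(r"^\s*(RX|TX) packets:(.*)$", text, re.M):
        pairs = (field.split(":", 1) for field in ("packets:" + rest).split())
        stats[direction] = {name: int(value) for name, value in pairs}
    return stats

def parse_deviceinfo(text):
    """Hardware view: every 'name :integer' counter line, keyed by name."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+?)\s*:(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def compare(ifconfig_text, deviceinfo_text):
    kernel_drop = parse_ifconfig(ifconfig_text)["TX"]["dropped"]
    hw = parse_deviceinfo(deviceinfo_text)
    host_tx, host_drop = hw.get("Host Tx Pkts", 0), hw.get("Host Tx dropped", 0)
    return {
        "kernel_tx_dropped": kernel_drop,
        "host_tx_dropped": host_drop,
        "host_tx_drop_pct": round(100 * host_drop / host_tx, 2) if host_tx else 0.0,
        # Holds for the article's sample; not asserted as a general rule.
        "gap_equals_drops": host_tx - hw.get("Tx Pkts", 0) == host_drop,
        "hidden_from_kernel": kernel_drop == 0 and host_drop > 0,
    }

if __name__ == "__main__":
    for key, value in compare(IFCONFIG_OUT, DEVICEINFO_OUT).items():
        print(f"{key}: {value}")
```

Running it on successive captures and comparing the Host Tx dropped values shows whether the counter is still increasing or reflects a past event.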
 