FortiGate
nweckel
Staff
Article Id 383123
Description This article describes an issue where traffic experiences packet loss after a traffic shaper is set on FortiGate 9xG and 12xG.
Scope FortiGate-9xG and 12xG
Solution

When the traffic shaping policy is enabled, packet loss is observed in the communication. The packet loss is not due to the traffic shaper as the traffic does not reach the limit set.

Refer to Troubleshooting Tip: Traffic shaping for further information related to traffic shaping configured on the FortiGate.

 

To troubleshoot this issue, disable offloading in the firewall policy configured with the traffic-shaper:

config firewall policy
    edit X <----- Replace X with the firewall policy ID.
        set auto-asic-offload disable
end

If packet loss is no longer observed in the communication after this change, the problem could be due to known issue ID 1075607.

To get confirmation from TAC, create a new ticket referencing ID 1075607 and attach the outputs of the following CLI commands, collected with auto-asic-offload set to enable in the firewall policy:

execute time
execute date

get system status
get system performance status
get system session-info full-stat
diagnose hardware deviceinfo nic
diagnose npu np7 pmon
diagnose npu np7 dce-drop-all
diagnose npu np7 sse-stats
diagnose npu np7 sse-cmd-stats
diagnose npu np7 cgmac-stats
diagnose npu np7 msg summary
diagnose npu np7 hif-stats
diagnose npu np7lite hif-stats
diagnose npu np7lite dce-drop-all 0 v
diagnose npu np7lite pba 0
diagnose npu np7lite sse-stats 0
diagnose npu np7lite dsw-qtbl-stats 0 verbose
diagnose npu np7lite dce-eng-drop all
diagnose npu np7lite dce-dsw-drop all
diagnose npu np7lite dce-eng-stats ll
fnsysctl cat /proc/net/np7lite/qtm
fnsysctl cat /proc/net/np7lite/np7lite_0/hif-stats
fnsysctl cat /proc/net/np7lite/np7lite_0/hif-que
fnsysctl cat /proc/net/np7lite/tpe
fnsysctl cat /proc/net/np7lite/np7lite_0/tse

This issue is fixed in Resolved issues, v7.4.8 (expected to be released half of April 2025) and v7.6.3 (expected to be released of April 2025). These release dates are subject to change.

 

Note:

Super Admin privilege is required to run the 'fnsysctl' command. Otherwise, FortiGate will return an error, as described in this article: Technical Tip: fnsysctl command returns Unknown action 0