Description | This article describes steps to identify if unknown multicast traffic is causing high CPU on FortiSwitch. |
Scope | FortiSwitch. |
Solution |
High traffic on the FortiSwitch can lead to high CPU and memory usage, especially with multicast or broadcast traffic.
Refer to these articles for more information:
Technical Tip: Investigate high CPU usage on FortiSwitch
Troubleshooting Tip: FortiSwitch high memory usage troubleshooting guide
Troubleshooting Tip: IGMP Snooping not working on FortiSwitch
How to identify if multicast traffic is causing high CPU:
FortiSwitch# fnsysctl top (ctrl+c to stop)
FortiSwitch# diag sys top-sockmem
FortiSwitch# fnsysctl top -n 3 -d 3 -b (ctrl+c to stop)
PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
FortiSwitch# diagnose sniffer packet any "" 6 0 a
2024-09-16 11:49:07.369289 __port__1 in 802.1Q vlan#1 P0 -- 10.10.51.93.5353 -> 224.0.0.251.5353: udp 915
2024-09-16 11:49:07.579764 internal in 10.11.12.149.56710 -> 239.255.255.249.1900: udp 175
As seen in the above output, traffic to the 239.x.x.x and 224.x.x.x multicast addresses is hitting the FortiSwitch on vlan1 port1.
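The following Python script is an added example, not part of the original article: it tallies inbound multicast destinations per interface and VLAN from saved sniffer output in the layout shown above, so the noisiest group and ingress port stand out. The first two sample lines are from the article; the remaining lines and the names `multicast_summary` and `SAMPLE` are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Layout of 'diagnose sniffer packet any "" 6 0 a' lines as shown in the article;
# the 802.1Q section is optional because untagged lines omit it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+ -- )?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)"
)

# Lines 1-2 are from the article; lines 3-5 are constructed in the same layout
# (a repeat, a unicast packet, and a truncated line).
SAMPLE = """\
2024-09-16 11:49:07.369289 __port__1 in 802.1Q vlan#1 P0 -- 10.10.51.93.5353 -> 224.0.0.251.5353: udp 915
2024-09-16 11:49:07.579764 internal in 10.11.12.149.56710 -> 239.255.255.249.1900: udp 175
2024-09-16 11:49:07.601200 __port__1 in 802.1Q vlan#1 P0 -- 10.10.51.93.5353 -> 224.0.0.251.5353: udp 915
2024-09-16 11:49:07.640011 __port__2 in 802.1Q vlan#1 P0 -- 10.10.51.20.53 -> 10.10.51.93.51514: udp 80
2024-09-16 11:49:07.700000 __port__1 in 802.1Q vlan#1 P0 --
"""

def multicast_summary(capture):
    """Count inbound multicast packets per (interface, vlan, group, dst port).

    Returns (Counter, number of non-empty lines that could not be parsed)."""
    counts, skipped = Counter(), 0
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        try:
            dst = ipaddress.ip_address(m["dst"]) if m else None
        except ValueError:  # dotted quad with an octet above 255
            dst = None
        if dst is None:
            skipped += 1
            continue
        if m["dir"] == "in" and dst.is_multicast:  # anything in 224.0.0.0/4
            key = (m["intf"], m["vlan"] or "untagged", str(dst), int(m["dport"]))
            counts[key] += 1
    return counts, skipped

if __name__ == "__main__":
    counts, skipped = multicast_summary(SAMPLE)
    for (intf, vlan, group, dport), n in counts.most_common():
        print(f"{n:>5} pkts  {intf:<10} vlan={vlan:<8} -> {group}:{dport}")
    print(f"unparsed lines: {skipped}")
```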
Note that there is a limitation on 1xxF FortiSwitch models: multicast traffic with a destination of 239.x.x.x will flood within the VLAN. This issue affects the FortiSwitch-124F, FortiSwitch-124F-POE, FortiSwitch-124F-FPOE, FortiSwitch-148F, FortiSwitch-148F-POE, and FortiSwitch-148F-FPOE models. Refer to this document: IGMP snooping.
FortiSwitch# diagnose debug application mcast-snooping -1
FortiSwitch# diag debug console timestamp enable
FortiSwitch# diag debug enable
Received message type IGMP_HOST_MEMBERSHIP_QUERY port1 vlan1
The above output shows an IGMP/multicast query hitting port1 on vlan1.
Disable the debug after 10 minutes.
FortiSwitch# diag debug disable
FortiSwitch# diag debug reset
Actions to take:
FortiSwitch# config switch acl ingress |