sachitdas_FTNT
Article Id: 347569
Description: This article describes steps to identify if unknown multicast traffic is causing high CPU on FortiSwitch.
Scope: FortiSwitch.
Solution:

High traffic on the FortiSwitch can lead to high CPU and memory usage, especially with multicast or broadcast traffic.


Refer to these articles for more information:

Technical Tip: Investigate high CPU usage on FortiSwitch

Troubleshooting Tip: FortiSwitch high memory usage troubleshooting guide

Troubleshooting Tip: IGMP Snooping not working on FortiSwitch


How to identify if multicast traffic is causing high CPU:

  • Check the top processes.

FortiSwitch# fnsysctl top    (ctrl+c to stop)

207 1 0 RN 52984 11% 0 86% /bin/igmpsnoopingd    <- the igmp-snooping process is consuming a high share of CPU, which indicates a high rate of multicast packets.

FortiSwitch# diag sys top-sockmem

igmpsnoopingd (207): 1487kB

FortiSwitch# fnsysctl top -n 3 -d 3 -b     (ctrl+c to stop)

PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND
207 1 0 RN 52984 11% 0 100% /bin/igmpsnoopingd

  • Once it is confirmed that multicast traffic is causing high CPU on the FortiSwitch, collect a sniffer on the internal interface to check the multicast IP addresses and which port the multicast traffic is hitting.

FortiSwitch# diagnose sniffer packet any "" 6 0 a

2024-09-16 11:49:07.369289 __port__1 in 802.1Q vlan#1 P0 -- 10.10.51.93.5353 -> 224.0.0.251.5353: udp 915
2024-09-16 11:49:07.579764 internal in 10.11.12.149.56710 -> 239.255.255.249.1900: udp 175

As seen in the above output, 239.x.x.x and 224.x.x.x multicast addresses are hitting the FortiSwitch on vlan1 port1.

Note that there is a limitation with the 1xxF FortiSwitch models: multicast traffic with a destination of 239.x.x.x will flood within the VLAN. This issue affects the FortiSwitch-124F, FortiSwitch-124F-POE, FortiSwitch-124F-FPOE, FortiSwitch-148F, FortiSwitch-148F-POE, and FortiSwitch-148F-FPOE models.

Refer to this document: IGMP snooping.
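Added example (not from the article or from Fortinet): a small Python parser for sniffer output in the format shown above that tallies multicast destinations per ingress interface and VLAN and flags 239.0.0.0/8 groups, the range the 1xxF note says floods within the VLAN. The sample lines are constructed in the same format, and the function names are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format printed by: diagnose sniffer packet any "" 6 0 a
# (two lines modelled on the article's output, plus two extra, one of them unicast).
SAMPLE = """\
2024-09-16 11:49:07.369289 __port__1 in 802.1Q vlan#1 P0 -- 10.10.51.93.5353 -> 224.0.0.251.5353: udp 915
2024-09-16 11:49:07.579764 internal in 10.11.12.149.56710 -> 239.255.255.249.1900: udp 175
2024-09-16 11:49:07.601101 __port__1 in 802.1Q vlan#1 P0 -- 10.10.51.93.5353 -> 224.0.0.251.5353: udp 915
2024-09-16 11:49:07.702210 __port__3 in 802.1Q vlan#1 P0 -- 10.10.51.20.443 -> 10.10.51.93.51000: psh 60
"""

# timestamp, interface, direction, optional 802.1Q tag, then "src.port -> dst.port: proto len"
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?:802\.1Q vlan#(?P<vlan>\d+) \S+ -- )?"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)$"
)

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
# Administratively scoped groups; the article notes these flood within the VLAN on 1xxF models.
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")


def parse_sniffer(text):
    """Yield one dict per parseable sniffer line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize_multicast(text):
    """Return (counts, flagged): counts is keyed by (iface, vlan, group) for multicast
    packets only; flagged is the set of 239.0.0.0/8 groups seen, candidates for the ACL."""
    counts, flagged = Counter(), set()
    for pkt in parse_sniffer(text):
        dst = ipaddress.ip_address(pkt["dst"])
        if dst not in MULTICAST:
            continue  # unicast does not load igmpsnoopingd
        counts[(pkt["iface"], pkt["vlan"] or "untagged", str(dst))] += 1
        if dst in ADMIN_SCOPED:
            flagged.add(str(dst))
    return counts, flagged
```

Run it against a saved sniffer capture and the top entries of counts show which port and VLAN carry the bulk of the multicast, which is the port to place the ACL on.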

  • Collect the mcast-snooping application debug to verify.

FortiSwitch# diagnose debug application mcast-snooping -1
FortiSwitch# diag debug console timestamp enable
FortiSwitch# diag debug enable

Received message type IGMP_HOST_MEMBERSHIP_QUERY port1 vlan1
igmp_query_get_sendingport: port-map:1ffffffffffff4
mcast_flood_query: Flood Query on vlan_id =1, port-map:1ffffffffffff4

The above output shows the IGMP/multicast query hitting port1 on vlan1.

Disable the debug after 10 minutes:

FortiSwitch# diag debug disable
FortiSwitch# diag debug reset

Actions to take:

  • Enable igmp-snooping on vlan1.
  • Once it is identified which multicast address is causing the issue, use an ACL to drop the multicast packets on the FortiSwitch uplink port (in this example, port1) as a workaround, and avoid using 239.x.x.x multicast addresses in the network if FortiSwitch 1xxF models are deployed.

FortiSwitch# config switch acl ingress
    edit 2
        config action
            set count enable
            set drop enable
        end
        config classifier
            set dst-ip-prefix 224.0.0.0 255.0.0.0
        end
        set ingress-interface "port1"
    next
    edit 3
        config action
            set count enable
            set drop enable
        end
        config classifier
            set dst-ip-prefix 239.0.0.0 255.0.0.0
        end
        set ingress-interface "port1"
    next
end