Fortinet Forum
Wever
New Contributor II

Fortigate -> Traffic shaper -> Fortigate issue

Hi,


Setup

I use a Fortigate 60E (WAN Router) to split our internet connection to a 2nd location.
On the 2nd location we also have a Fortigate 60E.
I used a traffic shaper on the WAN Router to limit their speed to 100Mbit.

Both run FortiOS 6.2.10


The Issue:
On the 2nd location for one reason or another, 1 user can use up 100% of that 100MBit during a download.
Any other device at that point will not be able to use the internet until the download is done.
Has anyone seen this before? It feels like the 2nd Fortigate doesn't know the line speed, even though I set the Estimated Bandwidth to 100000 kbps.


I don't understand why it's not balancing the connection.

1 Solution
Toshi_Esumi
Esteemed Contributor II

Many unknowns for your setup.

- You didn't mention if location2's internet needs to go through location1. I assume it does because of the diagram.

- Then, why is the max-bandwidth set to 100Mbps (BTW, bps (bits per second) is not counted by x1024; that's for memory size in "Bytes")? It's supposed to be limited down to something like 50Mbps or much less, so as not to max out the 100Mbps pipe allocated between the two locations.

- As in the part of the cookbook Vando posted, the per-IP shaper needs to be applied in a "shaping-policy", which affects both directions, unlike shared shapers.

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/885253/per-ip-traffic-shaper

- In the shaping-policy, it's supposed to be applied to the traffic coming in/going out the pipe/interface which has the hard limit of 100Mbps (a VPN?), not the internal DMZ interface (I mean you still need to specify the IP of the device as the source/destination, but you don't have to specify the inside interface. You could though).


I recommend you read the cookbook again.


Toshi

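As an added illustration (not configuration from the thread or from Fortinet's cookbook), this is what Toshi's three points look like in FortiOS 6.2 CLI on the WAN Router: a per-IP shaper capped below the 100Mbps pipe, referenced from a shaping-policy whose dstintf is the interface carrying the pipe rather than the internal DMZ interface. The interface name "wan1", the address name "Location2-Router" and the IP 10.10.10.2 are assumed placeholders.

```fortios
# Address object for the fixed IP Location 2 uses on the DMZ VLAN.
# 10.10.10.2 is an assumed placeholder, not a value from the thread.
config firewall address
    edit "Location2-Router"
        set subnet 10.10.10.2 255.255.255.255
    next
end

# Thread's weak setting: max-bandwidth 100000 kbps, i.e. exactly the
# pipe size, so a single download can still saturate the whole pipe.
# Per Toshi's advice, cap well below the pipe (value in kbps, 50Mbps here).
config firewall shaper per-ip-shaper
    edit "Location2-50M"
        set max-bandwidth 50000
    next
end

# A per-IP shaper only takes effect when referenced from a shaping-policy,
# and it then applies to both directions of the matching sessions.
# dstintf is the WAN-side interface with the hard limit (assumed "wan1"),
# not the internal DMZ interface; the source IP identifies Location 2.
config firewall shaping-policy
    edit 1
        set srcaddr "Location2-Router"
        set dstaddr "all"
        set service "ALL"
        set dstintf "wan1"
        set per-ip-shaper "Location2-50M"
    next
end
```

After applying this, Vando's `diagnose sys session list` check below can be used to confirm that Location 2's sessions actually carry the shaper.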

Vando_Pereira

Hello,


Have you checked the traffic shaping policy to see if it's configured properly?

Is it applied on the LAN or WAN interface?

Maybe the user is somehow able to pass through the policy and consume all the available bandwidth.

This link will help you to see if something is wrong:

If it's all as you intended, we can do a debug flow to see what is happening behind the curtains.


Best regards.


As you think, so shall you become.
Wever
New Contributor II

Hi,


We have a 1000MBps internet speed on the WAN router.
We should be fine there.

We created a VLAN on the DMZ port with a /24 subnet.
Location 2 got 1 fixed IP and we applied a By-IP Traffic Shaper on that IP address.

The idea is that if we get a 3rd building we can give that a fixed IP in the same subnet with a By-IP Shaper as well.

Looking through the Cookbook it looks fine.
I still think it's because the Fortigate at the 2nd location doesn't know there is a 100MBit limit.

Vando_Pereira

Ok, I'm starting to understand the situation.

So you have the Per-IP traffic shaping applied on the F60E that splits your internet access? And is there just 1 user that is able to bypass the shaping policy?

Have you tried to use some of the debug commands to see if the sessions coming from location 2 have the shaper applied? Just to be sure.


  • diagnose sys session list -> to see if the shaper is applied to the location 2 sessions.
  • diagnose debug flow -> to see what happens when traffic from location 2 goes through the firewall.

Best regards.

Wever
New Contributor II

So you have the Per-IP traffic shaping applied on the F60E that splits your internet access ?
Correct

And is there just 1 user that is able to bypass the shaping policy?

No, the shaper is applied on Location 2, the user can use 100MBps max, just leaving none of the 100MBps for the internet radio for example. The internet radio at Location 2 just stops and resumes after the download.

Have you tried to use some of the debug commands to see if the sessions coming from location 2 have the shaper applied?
Yes, the shaper is applied; I will check the debug flow again.

Wever
New Contributor II

[Attached image: Wever_1-1646746249595.png (diagram of the setup)]

Hope this helps, both routers are 60E's.

Vando_Pereira

Sure does, thank you for that; it helps to have a clearer picture.


Are you using DSCP in the traffic shaper?

Wever
New Contributor II

We have no DSCP applied on the Traffic Shaper.

Vando_Pereira

Ok, just wanted to check. Can you see anything in the debugs?

Toshi_Esumi
Esteemed Contributor II

And, @Wever, please share with us the shaper and the shaping-policies using the shaper, in CLI.


Toshi