cumpleby
New Contributor

Copying large files through the internet causing internal network issues

Hi, we have 2 Fortigate 100D in a cluster with the following firmware: v5.2.11,build754 (GA). Since this firmware, when we go to copy large files to, say, Dropbox or an external HTTP storage site, our internal network starts suffering: very high pings and dropouts of our internal ERP system. Has anyone else experienced this? What could be causing it?

Thanks

Chris

ede_pfau
Esteemed Contributor III

The question is how you connect to the external site - via IPsec? If yes, you should check that IPsec traffic is offloaded to the NP ASIC. If it is not, the CPU will likely be overloaded soon.

This is how it looks OK on my FGT (FGT 60E, v5.4.5):

gate # diag vpn ipsec status
All ipsec crypto devices in use:
NP6LITE_0
        null:   0       0
        des:    0       0
        3des:   0       0
        aes:    1670464 1905664
        aes-gcm:        0       0
        aria:   0       0
        seed:   0       0
        null:   0       0
        md5:    0       0
        sha1:   0       0
        sha256: 1670464 1905664
        sha384: 0       0
        sha512: 0       0
NPU HARDWARE
        null:   0       0
        des:    0       0
        3des:   0       0
        aes:    419966  0
        aes-gcm:        0       0
        aria:   0       0
        seed:   0       0
        null:   0       0
        md5:    0       0
        sha1:   0       0
        sha256: 419908  0
        sha384: 0       0
        sha512: 0       0
SOC3:
        null:   0       0
        des:    0       0
        3des:   0       0
        aes:    147     131
        aes-gcm:        0       0
        aria:   0       0
        seed:   0       0
        null:   0       0
        md5:    0       0
        sha1:   0       0
        sha256: 147     131
        sha384: 0       0
        sha512: 0       0
SOFTWARE:
        null:   0       0
        des:    0       0
        3des:   0       0
        aes:    0       0
        aes-gcm:        0       0
        aria:   0       0
        seed:   0       0
        null:   0       0
        md5:    0       0
        sha1:   0       0
        sha256: 0       0
        sha384: 0       0
        sha512: 0       0

You see that only the very first packets over VPN are handled by the CPU and then offloaded.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
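
An added example (not part of the original post and not Fortinet code): a small Python parser for output in the format shown above that reports what share of cipher operations is counted under SOFTWARE, meaning handled by the CPU instead of being offloaded. The sample text is constructed from values in the post; the function names, the 5% threshold and the choice to sum both counter columns are assumptions.

```python
import re

# Constructed sample in the format shown in the post above (trimmed, values copied from it).
SAMPLE = """\
All ipsec crypto devices in use:
NP6LITE_0
        aes:    1670464 1905664
        sha256: 1670464 1905664
NPU HARDWARE
        aes:    419966  0
        sha256: 419908  0
SOC3:
        aes:    147     131
        sha256: 147     131
SOFTWARE:
        aes:    0       0
        sha256: 0       0
"""

COUNTER = re.compile(r"^\s+([\w-]+):\s+(\d+)\s+(\d+)\s*$")

def parse_ipsec_status(text):
    """Return {device: {algorithm: (first_counter, second_counter)}}."""
    devices, current = {}, None
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m and current is not None:
            algo, a, b = m.group(1), int(m.group(2)), int(m.group(3))
            # "null" is listed twice per device (cipher and digest); sum both rows.
            prev = devices[current].get(algo, (0, 0))
            devices[current][algo] = (prev[0] + a, prev[1] + b)
        elif line.strip() and not line[0].isspace() and "#" not in line and "crypto devices" not in line:
            current = line.strip().rstrip(":")  # unindented line = device section header
            devices[current] = {}
    return devices

def software_share(devices, ciphers=("des", "3des", "aes", "aes-gcm", "aria", "seed")):
    """Fraction of cipher operations counted under SOFTWARE; digests are skipped to avoid double counting."""
    def total(dev):
        return sum(sum(devices[dev].get(a, (0, 0))) for a in ciphers)
    grand = sum(total(d) for d in devices)
    return total("SOFTWARE") / grand if grand and "SOFTWARE" in devices else 0.0

if __name__ == "__main__":
    parsed = parse_ipsec_status(SAMPLE)
    share = software_share(parsed)
    print(f"software share of cipher ops: {share:.2%}")
    if share > 0.05:  # threshold is an arbitrary illustration value
        print("WARNING: significant IPsec crypto is being done on the CPU")
```
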
cumpleby

Thank you for the reply. However, we are not using IPsec. We are connecting directly out to the internet. It is a very strange one: whenever a large file copy happens from internal to external, our internal LAN starts to suffer with very large pings, and it also drops connections to our ERP system hosted through MPLS (not all connections are dropped, only some).

ede_pfau
Esteemed Contributor III

Still, even non-encrypted traffic usually is offloaded onto the NPlite (100D features a SoC only, not a standalone NP6).

What happens during the upload - CPU load, throughput to WAN, memory usage?

From what you describe I'd guess that CPU is overloaded so pings are dropped. The reason for this could be a misconfigured UTM profile. Please post what you are using (AV, IPS, AC, ...).


Ede

"Kernel panic: Aiee, killing interrupt handler!"