Hi pros,
I have 2x1801F ver7.0.10 HA cluster in my system.
An internal client tries to ping 8.8.8.8 with the -l 10000 parameter; after that the FortiGate stops all functions (routing and switching) and kills all active sessions. When we fail over to the secondary FortiGate it works fine. I have 3 WAN interfaces in an SD-WAN zone and it is load balancing internal sources on best effort. Also, no jumbo frames are allowed or configured in the backbone and edge switches.
Also tried to set "mtu 1492" on all interfaces.
Tried a DoS policy for the internal interface.
Tried session-ttl "set default 300" (reverted to default).
Tried "set tcp-halfclose-timer 30", "set tcp-halfopen-timer 30", "set tcp-timewait-timer 0", "set udp-idle-timer 60" (reverted to default).
But none of the tuning changed anything. Also, there is no meaningful error or crash log in the system events. Any idea of the root cause of this problem?
*Note: When I create a deny firewall policy for "icmp", "icmpv6" and "ping", it fixes the problem, but the solution can't be like this.
Thanks
Based on the information you have provided, it appears that the issue may be related to the size of the ICMP packets being transmitted. Since the Fortigate is stopping all functions and killing active sessions when the internal client pings 8.8.8.8 with a packet size of 10000, it's possible that the packet size is too large for the Fortigate to handle.
You mentioned that you have already tried adjusting the MTU size on all interfaces to 1492, but this did not resolve the issue. One potential solution could be to adjust the MTU size to a smaller value, such as 1400, to see if this resolves the issue.
Another potential solution could be to implement Quality of Service (QoS) policies to prioritize ICMP traffic, so that it does not cause disruption to other network functions.
It's also possible that the issue could be related to other factors, such as network congestion or misconfigured switches. It may be helpful to review the network topology and ensure that there are no other potential issues that could be contributing to the problem. Additionally, you may want to check for any firmware updates or patches that could address this issue.
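To make the traffic in this thread concrete (an added example, not part of the original post or reply): a Windows `ping -l 10000` sends a 10000-byte ICMP echo payload, far larger than any Ethernet MTU, so the FortiGate never sees one packet but a train of IPv4 fragments it must reassemble before policy lookup. The constructed calculator below lays out those fragments for MTU 1500, the 1492 the poster tried and the 1400 the reply suggests, using the RFC 791 rule that fragment data is a multiple of 8 bytes; the function names and the 20-byte option-free IPv4 header are my assumptions.

```python
import math

IP_HEADER_LEN = 20   # IPv4 header without options (assumed)
ICMP_HEADER_LEN = 8  # ICMP echo header: type, code, checksum, id, seq


def fragment_icmp_echo(payload_len, mtu):
    """Return the IPv4 fragments a host or router emits for an ICMP echo
    request carrying `payload_len` data bytes over a link with the given MTU.
    Each fragment is (offset_bytes, data_len, more_fragments)."""
    if mtu < IP_HEADER_LEN + 8:
        raise ValueError("MTU too small to carry a fragment")
    total = ICMP_HEADER_LEN + payload_len        # bytes following the IP header
    per_frag = (mtu - IP_HEADER_LEN) // 8 * 8    # non-final fragments: multiple of 8
    frags = []
    offset = 0
    while offset < total:
        data_len = min(per_frag, total - offset)
        more = offset + data_len < total          # MF flag: set on all but the last
        frags.append((offset, data_len, more))
        offset += data_len
    return frags


def fragment_count(payload_len, mtu):
    """Number of fragments the firewall has to buffer for one echo request."""
    return len(fragment_icmp_echo(payload_len, mtu))


def reassembled_length(frags):
    """Length a reassembler reconstructs, or None if the fragment set is
    incomplete or inconsistent (gap, overlap, or no final fragment)."""
    frags = sorted(frags)
    expected = 0
    for offset, data_len, more in frags:
        if offset != expected:
            return None                           # gap or overlap in the chain
        expected += data_len
    if not frags or frags[-1][2]:
        return None                               # still waiting for the last piece
    return expected


if __name__ == "__main__":
    for mtu in (1500, 1492, 1400):
        frags = fragment_icmp_echo(10000, mtu)
        print(f"MTU {mtu}: {len(frags)} fragments, "
              f"first carries {frags[0][1]} bytes, last {frags[-1][1]} bytes")
```

Lowering the interface MTU only produces more, smaller fragments (8 at 1400 versus 7 at 1500), so it cannot remove the reassembly work; blocking or rate-limiting fragmented ICMP at the ingress interface, or a firmware fix, addresses the cause rather than the symptom.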
Copyright 2024 Fortinet, Inc. All Rights Reserved.