Flapping uplink connection

bhamdani · ‎05-07-2023

we have fortigate 1500D Series with HA configuration (active standby), currently port31 used by our company as uplink to ISP for 1Gbps connection link. The problem is sometimes that port become unreachable and down for several seconds from the event log it show like this :

and then we checked hardware port from cli, there is error like this :

============ Counters ===========
Rx_Internal_Mac_Errors:24
Rx_CRC_Errors :22

on the otherside, from ISP they said that there is not link failure on their side. is anyone ever had the same problem? what could be the problem and how to solved this problem.

Thank you

laper bikin mager

chauhans · ‎05-07-2023

Hi @bhamdani ,

As I have understood, you are observing port31 is flapping.

Could you check the duplex/speed settings on both sides of the interface connection? (port31 and peer device interface).
Also, try to change the patch cable between them and observed afterward.

CRC errors seeing FortiGate don't imply that the firewall is causing the issue, it indicates that the firewall is failing to match the FCS value with the packets received.
FCS (Frame Check Sequence) field contains a 4-byte CRC value used for error checking. When a source host assembles a packet, it performs a CRC calculation on all fields in the packet except the Preamble, SFD (Start Frame Delimiter), and FCS using a predetermined algorithm. The source host stores the value in the FCS field and transmits it as part of the packet. When the packet is received by the destination host, it performs a CRC test again by using the same algorithm. If the CRC value calculated at the destination host does not match the value in the FCS field, the destination host discards the packet, considering this as a CRC Error.

bhamdani · ‎05-08-2023

Hi @chauhans

Thank you for replying this post, below the result when we check port31 :

==================Fortigate Side==========================

Admin :up
netdev status :up
link_autonego :1
link_setting :1
link_speed :1000
link_duplex :0
link_fec :0
Speed :1000
Duplex :Full
link_status :Up
rx_link_status :0
int_phy_link :0
local_fault :0
local_warning :0
remote_fault :0

=====================================================

from ISP side using mikrotik router :

status

link speed option :

laper bikin mager

tthrilok · ‎05-08-2023

hi Bhamdani,

Could you check what is the destination you are trying to reach in the performance SLA where you called the interface port31. Once you double click on the log you should be able to see the performance SLA which is actually bringing the interface down.

Could you please check:

+ what is the destination you have defined in the performance SLA

+ what is the protocol you are using in the performance SLA

+ If it is HTTP, could you try with ICMP and also try to change the destination for any other public IP

Thank you!

bhamdani · ‎05-08-2023

Hi @tthrilok,

Regarding performance SLA we set it as follow :

destination address: dns ip google -> 8.8.8.8

protocol : icmp

laper bikin mager

Bjay_Prakash_Ghising · ‎05-08-2023

Hi bhamdani,

Have you configured the DoS policy in your FortiGate??

What is the SLA Target of your SD-WAN?

Does it comply with your DoS Policy?

Kind Regards,

Bijay Prakash Ghising

Ghising

bhamdani · ‎05-08-2023

Hi @Bjay_Prakash_Ghising,

Currently we have not configure DoS policy.

Thank you

laper bikin mager