We have a FortiGate 1500D Series with HA configuration (active-standby). Currently port31 is used by our company as the uplink to the ISP for a 1 Gbps link. The problem is that sometimes the port becomes unreachable and goes down for several seconds. From the event log it shows like this:
Hi @bhamdani ,
As I have understood, you are observing port31 is flapping.
Could you check the duplex/speed settings on both sides of the interface connection? (port31 and peer device interface).
Also, try to change the patch cable between them and observe afterward.
Seeing CRC errors on the FortiGate doesn't imply that the firewall is causing the issue; it indicates that the firewall is failing to match the FCS value with the packets received.
FCS (Frame Check Sequence) field contains a 4-byte CRC value used for error checking. When a source host assembles a packet, it performs a CRC calculation on all fields in the packet except the Preamble, SFD (Start Frame Delimiter), and FCS using a predetermined algorithm. The source host stores the value in the FCS field and transmits it as part of the packet. When the packet is received by the destination host, it performs a CRC test again by using the same algorithm. If the CRC value calculated at the destination host does not match the value in the FCS field, the destination host discards the packet, considering this as a CRC Error.
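The FCS check described in the reply above, as an added example that is not part of the original post: a sender appends the CRC-32 to a frame, the receiver recomputes it, and a single flipped bit (as a bad cable or optic would cause) makes the check fail. The MAC addresses, payload and function names are constructed for illustration.

```python
import struct
import zlib

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Destination + source + EtherType + payload, padded to the 60-byte
    minimum. Preamble and SFD are never part of the CRC input; FCS is added later."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body.ljust(60, b"\x00")

def append_fcs(frame: bytes) -> bytes:
    """Sender: CRC-32 (IEEE 802.3, same polynomial as zlib) over the frame,
    appended as 4 bytes, least-significant byte first."""
    return frame + struct.pack("<I", zlib.crc32(frame))

def fcs_ok(wire: bytes) -> bool:
    """Receiver: recompute the CRC over everything except the trailing
    4 bytes and compare it with the FCS that arrived."""
    if len(wire) < 4:
        return False  # too short to carry an FCS at all
    frame, fcs = wire[:-4], wire[-4:]
    return struct.pack("<I", zlib.crc32(frame)) == fcs

def flip_bit(wire: bytes, bit: int) -> bytes:
    """Simulate line noise: invert one bit of the frame as seen on the wire."""
    out = bytearray(wire)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def count_crc_errors(frames) -> int:
    """What an interface CRC error counter does: count frames failing the check."""
    return sum(1 for w in frames if not fcs_ok(w))

# Constructed sample frame (locally administered MACs, IPv4 EtherType).
SAMPLE_WIRE = append_fcs(build_frame(
    bytes.fromhex("020000000001"),
    bytes.fromhex("020000000002"),
    0x0800,
    b"constructed test payload",
))

if __name__ == "__main__":
    damaged = flip_bit(SAMPLE_WIRE, 100)   # corruption inside the header
    print("clean frame passes:", fcs_ok(SAMPLE_WIRE))
    print("damaged frame passes:", fcs_ok(damaged))
    print("CRC errors counted:", count_crc_errors([SAMPLE_WIRE, damaged]))
```

The receiver only learns that the bits changed somewhere between the sender's MAC and its own, which is why the reply points at speed/duplex settings and the patch cable rather than at the firewall.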
Created on 05-08-2023 06:54 PM Edited on 05-08-2023 07:13 PM
Hi @chauhans
Thank you for replying to this post. Below is the result when we check port31:
==================Fortigate Side==========================
Admin :up
netdev status :up
link_autonego :1
link_setting :1
link_speed :1000
link_duplex :0
link_fec :0
Speed :1000
Duplex :Full
link_status :Up
rx_link_status :0
int_phy_link :0
local_fault :0
local_warning :0
remote_fault :0
=====================================================
From the ISP side, using a MikroTik router:
Hi Bhamdani,
Could you check what destination you are trying to reach in the performance SLA where you called the interface port31? Once you double-click on the log, you should be able to see the performance SLA which is actually bringing the interface down.
Could you please check:
+ what is the destination you have defined in the performance SLA
+ what is the protocol you are using in the performance SLA
+ If it is HTTP, could you try with ICMP and also try to change the destination for any other public IP
Thank you!
Hi @tthrilok,
Regarding the performance SLA, we set it as follows:
destination address: dns ip google -> 8.8.8.8
protocol : icmp
Hi bhamdani,
Have you configured the DoS policy in your FortiGate?
What is the SLA Target of your SD-WAN?
Does it comply with your DoS Policy?
Kind Regards,
Bijay Prakash Ghising