Support Forum
itservices2
New Contributor

Fortigate 60D throughput issue after firmware change

Greetings,

 

We moved the firmware to 5.0.10 from 5.0 and then to 5.2.2. Internet wasn't working on 5.2.2, hence downgraded back to 5.0.10. All seems to work fine except that the internet is very slow. Have a 100 Mb connection, however hardly getting close to 1 Mb.

 

Have two WAN lines, wan1 leased line for email traffic and wan2 (ADSL) for internet. The FortiGate is connected to an ASA and from the ASA via a switch to the internal network.

 

Any advice on what needs to be checked is highly appreciated.

 

Have tried connecting a laptop directly to the line and the speed is OK. Also ran a diag deviceinfo command on wan2 for the ADSL and didn't see any packet errors in the output.

 

 

Checked the routing policy. Seems the FortiGate is taking only a single route, and that is to the leased line only. The ADSL is not being used at all. How can I detect the ADSL route on the firewall and set the distance and priority?

2 Solutions
emnoc
Esteemed Contributor III

Good to see someone using diag debug flow.

For starters can we get the following outputs?

    get router policy
    get router info kernel
    get router info routing-table all

But basically you can set the route priority of two like routes via the CLI:

    config router static
        edit 1
            set device wan1
            set gateway 111.111.111.11
            set dst 10.0.0.0 24
            set priority 10
        next
        edit 2
            set device wan2
            set gateway 111.111.111.11
            set dst 10.0.0.0 24
            set priority 15
        next
    end

The latter would not be active in the route table. The get router kernel will quickly show the priorities:

    get router info kernel | grep -v prio=0

 Thanks and has been corrected

 

PCNSE 

NSE 

StrongSwan  

ede_pfau
SuperUser
SuperUser

You've got to set the distance parameter on both routes equal, e.g. to 10.

This way, both default routes will show up in the Routing Monitor and thus be usable.

 

For the ADSL line (wan2) I assume that wan2 is configured for PPPoE. Then the distance (and priority) parameters are set in the interface setup, not with the routes.

You can always check both distance and priority in the Routing Monitor (enable the Priority column to show in the Column setup). Of course, if the route is not active you cannot see and compare it.

 

Next, set the priority of the preferred WAN line lower than on the less preferred line ("priority" in Fortinet speak means "cost"). Thus, all traffic will prefer only one default route.

 

Now with wan2 having a lower priority there will be no traffic using wan1 voluntarily. That's OK. To force traffic out one interface even in contradiction to static routes you need to create a Policy Route for this traffic. In your case, email traffic is using special "well known" ports on TCP (for POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS). Get these and configure Policy Routes specifying this traffic to leave on wan1.

 

That's all.

Ede Kernel panic: Aiee, killing interrupt handler!

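Putting emnoc's priority settings and ede_pfau's equal-distance plus policy-route advice together, the following is an added FortiOS CLI example; it is not the posters' configuration and not from the original thread. It assumes both WAN ports have static IPs and static default routes (ede notes that a PPPoE wan2 carries distance/priority on the interface instead), a LAN of 192.168.1.0/24 behind the "internal" port, FortiOS 5.0/5.2-era syntax, and the constructed gateway addresses 203.0.113.1 (wan1) and 198.51.100.1 (wan2).

```fortios
# Added example, not the posters' config. Assumed values: LAN 192.168.1.0/24 on
# port "internal", wan1 gateway 203.0.113.1, wan2 gateway 198.51.100.1 (constructed).
config router static
    edit 1
        set device wan1
        set gateway 203.0.113.1
        set distance 10        # equal distance: both defaults stay in the routing table
        set priority 10        # higher value = less preferred; wan1 is the mail line
    next
    edit 2
        set device wan2
        set gateway 198.51.100.1
        set distance 10
        set priority 5         # lower value = preferred; general internet leaves via wan2
    next
end

# Policy routes are consulted before the routing table, so mail ports are steered
# to wan1 regardless of which default route wins. One entry per TCP port (or per
# contiguous range); add entries for 143 (IMAP), 465, 587, 993 and 995 the same way.
config router policy
    edit 1
        set input-device internal
        set src 192.168.1.0 255.255.255.0
        set protocol 6
        set start-port 25      # SMTP
        set end-port 25
        set output-device wan1
        set gateway 203.0.113.1
    next
    edit 2
        set input-device internal
        set src 192.168.1.0 255.255.255.0
        set protocol 6
        set start-port 110     # POP3
        set end-port 110
        set output-device wan1
        set gateway 203.0.113.1
    next
end

# Verify: both defaults should now be listed, wan2 with the lower priority.
#   get router info routing-table all
#   get router info kernel | grep -v prio=0
#   get router policy
```

The `#` lines are annotations for the reader; drop them if you paste the block into an interactive CLI session.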
4 Replies
itservices2
New Contributor

Hi, the traffic is going through wan1 and wan2 is not being utilized at all. Did a diag debug flow and packet sniffer to confirm. How can I rectify this? This is what I did:

 

Unplugged wan1; the wan2 static route gets automatically added and shows distance 0, priority 0. When I plug wan1 back in, the distance is 1 and priority is 0. How can I make the distance the same for both, change wan2 to the lower priority and wan1 to the higher, and have the policy-based route used?

 

All internet traffic gets NATted to x.x.44.249 and should go to wan2; that's the policy route. Everything else should go to wan1. However, it is not working.

Christopher_McMullan

No technical complaints with the substance of your post, emnoc - just a literary nag pointing out a typo:

You mean 'next' instead of 'end' to modify sequential route entries.

 

Aside from that, follow what emnoc says! (that's always good advice)

 

Good to see someone using diag debug flow.

For starters can we get the following outputs?

    get router policy
    get router info kernel
    get router info routing-table all

But basically you can set the route priority of two like routes via the CLI:

    config router static
        edit 1
            set device wan1
            set gateway 111.111.111.11
            set dst 10.0.0.0 24
            set priority 10
        end
        edit 2
            set device wan2
            set gateway 111.111.111.11
            set dst 10.0.0.0 24
            set priority 15
        end

The latter would not be active in the route table. The get router kernel will quickly show the priorities:

    get router info kernel | grep -v prio=0

 

Regards, Chris McMullan Fortinet Ottawa
