Luffy120
New Contributor

FortiGate stops answering pings/HTTPS requests every 5 minutes


Hi,

We have two FortiGate 200Fs in HA (Active-Standby). For example, there seem to be some issues on the network where employees cannot print (there is a long delay of 30-60 s) via a print server in another location (connected via MPLS). So, after a little digging, there seems to be a problem with the FortiGate.

We are trying to ping each SVI on the FortiGate, and every 5 minutes (300 seconds each time, no more, no less) there seems to be a problem: the FortiGate stops responding to the ping on each of its VLAN interfaces (the physical mgmt interface seems fine, no packet loss). The problem lasts for about 20-50 s and then goes back to normal. While the problem is occurring, we also cannot connect via SSH or HTTPS to its mgmt IP address for HA.

[image: Luffy120_1-1670914767631.png]

The ping was conducted somewhere from MPLS network.

If we ping from an endpoint in this location to some server in the MPLS network, the packet loss is not that big, BUT it occurs on average every 5 minutes. This is a big problem, as this is a large warehouse and staff have lost many hours waiting and fixing errors after connection loss.

Right now the high-level design looks like this:

[image: Luffy120_0-1670914199273.png]

All L3 interfaces for vlans are terminated at the FortiGate, which has a default gateway set to the MPLS network.

So when someone from vlan XY wants to communicate with another location, packets will be sent as follows: Access Switch -> core -> FortiGate -> core -> MPLS

We tried connecting the PC directly to the core switch and assigning it an address in the MPLS network and a default gateway to skip the FortiGate; no problem with packet loss after that.

We also switched the HA to the second unit, checked the links and disabled the LAG/aggregate so that everything would only go over one link, but no luck.

We have about 10 other warehouses running a similar configuration (one location with exactly the same core switch models and access switches) and no such problem.

Another thing is that when we connect to the FortiGate via console cable and do some sniffing (diagnose debug flow), there was no traffic in the debug output when the problem occurred.

Below is how it looks when I connect via the physical mgmt interface and run the sniffer:

[image: Luffy120_2-1670915584983.png]

You can see that there was some traffic, like 10-20 packets/s, and after that zero. But after some time, when it starts working again, there's a packet burst:

[image: Luffy120_3-1670915643857.png]

In my opinion the FortiGate does not drop packets but holds them for a long time, but I don't know why. It impacts applications because 30-40 s is sometimes too late (for ping for sure).

Right now there's no inspection on the FortiGate; all communication is permitted. There is one rule, to permit all traffic (the rule is set to flow-based inspection).

The FortiGate is connected to the core switch (2x Cisco C9300 48p) via aggregate links set to mode static/on (no LACP, as there were problems making it work with that Cisco model).

The post is a little long, but without that I think there would not be enough information.

Any idea what might be wrong?

FortiGate version 7.2.2, but the problem was also there when it was on 6.4.
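
Added example (not from the post or from Fortinet): a Python script that parses `ping -D` output, turns gaps in the icmp_seq numbers into outage windows, and measures the spacing between outage starts, so the "exactly every 300 seconds" observation can be confirmed from a capture rather than by eye. The capture it runs on is constructed inside the script (one probe per second, a 30 s gap every 300 s); the target address 10.1.1.1 is a placeholder.

```python
import re
from statistics import mean

# Matches `ping -D` reply lines: "[epoch.micro] 64 bytes from ...: icmp_seq=N ..."
PING_RE = re.compile(r"^\[(\d+\.\d+)\].*icmp_seq=(\d+)")
INTERVAL = 1.0  # seconds between probes (ping's default)

def outages(ping_text, interval=INTERVAL):
    """Return (start_epoch, duration_s) for each run of unanswered probes,
    inferred from gaps in the icmp_seq numbers of the replies that did arrive."""
    replies = [(float(m.group(1)), int(m.group(2)))
               for m in map(PING_RE.match, ping_text.splitlines()) if m]
    found = []
    for (t_prev, s_prev), (_, s_cur) in zip(replies, replies[1:]):
        lost = s_cur - s_prev - 1
        if lost > 0:
            # the first lost probe was sent one interval after the last reply
            found.append((t_prev + interval, lost * interval))
    return found

def periodicity(outage_list, min_duration=5.0):
    """Spacing between the starts of outages longer than min_duration.
    A tight cluster around one value (here 300 s) points to a timer-driven
    cause rather than random congestion; single lost probes are ignored."""
    starts = [s for s, d in outage_list if d >= min_duration]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    if not gaps:
        return None
    return {"count": len(starts), "mean_gap_s": mean(gaps),
            "min_gap_s": min(gaps), "max_gap_s": max(gaps)}

def constructed_capture(total=700, period=300, offset=180, down=30):
    """Constructed sample, not a real capture: one probe per second with
    replies missing for `down` s every `period` s, plus one stray loss."""
    base = 1670914000.0
    lines = []
    for seq in range(1, total + 1):
        elapsed = seq - 1
        in_outage = elapsed >= offset and (elapsed - offset) % period < down
        if in_outage or seq == 50:
            continue  # no reply line is printed for an unanswered probe
        lines.append(f"[{base + elapsed:.6f}] 64 bytes from 10.1.1.1: "
                     f"icmp_seq={seq} ttl=255 time=0.41 ms")
    return "\n".join(lines)

if __name__ == "__main__":
    found = outages(constructed_capture())
    for start, dur in found:
        print(f"outage at +{start - 1670914000:.0f}s lasting {dur:.0f}s")
    print(periodicity(found))  # mean_gap_s == 300.0 for the constructed sample
```

On a real capture, run `ping -D <svi-address> | tee ping.log` during the problem and feed the file to `outages()`; a mean gap close to 300 s with a small min/max spread confirms a fixed-interval trigger on the firewall side.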

IT_Ahan2
New Contributor III

I didn't go completely through your post ...

I want to know one thing: is that pinging the FortiGate IP? Or is it a problem with pinging the client system IP?

Luffy120
New Contributor

The pings from the post are to the FortiGate IP (SVI); we have the same model in different locations and no packet loss.

IT_Ahan2
New Contributor III

Any IP duplication?

ITman
New Contributor

Did you ever figure out what the problem was? I am having the same issue on a FortiGate 200E: the FortiGate stops responding exactly every 5 minutes for about 20 seconds.

rtichkule
Staff

Hello,

There are a few potential causes if your FortiGate firewall stops responding every five minutes.

The FortiGate's system resources should be examined first. The firewall may stop functioning if its memory or CPU is exhausted. You can check the resources from the GUI or CLI of the FortiGate.

Look through the FortiGate logs for any error or warning messages that might point to the root cause of the issue. The logs are available from both the CLI and the GUI.

The FortiGate might stop responding as a result of a network problem. Make sure the network cables, switches, and routers that link to the FortiGate are in good working order.

BR
