Shantilal1998
New Contributor III

Packet drop after each 14-15 minutes

Hi Guys,

We have replaced the 800C firewall with a 3501F firewall and are facing packet drops every 14-15 minutes.

We have troubleshot with TAC but have not found any solution so far.

If we connect the 800C back into production, there are no packet drops, as we observed.

Kindly reply with any possible solution or anything we can do for the root cause.

gfleming
Staff

What is the nature of the packet drops? Is it full loss of packets or intermittent? How long do they last? Does all traffic get dropped at the firewall? Or just traffic going to a specific interface? i.e. can you still access certain interfaces on the firewall when the packet drops are happening? Please provide many more details so we can possibly help.

Cheers,
Graham
Shantilal1998
New Contributor III

Hi Graham,

1. Is it full loss of packets or intermittent?

-> It is intermittent.

2. How long do they last?

-> They last for 14-15 minutes.

3. Does all traffic get dropped at the firewall?

-> No, we get almost 10 ICMP echo-reply responses after continuous drops, and we are facing this issue in one direction only: from the LAN -> DMZ network.

4. Can you still access certain interfaces on the firewall when the packet drops are happening?

-> What do you mean by "access certain interfaces"? If it means accessing the firewall itself, we are not facing any issue with firewall management access.

I hope these answer your queries.

We suspect the issue is on the switch side. It is a Cisco Catalyst 9300, but we are not sure how to check.

Kindly let me know if more details are required.


gfleming
Staff

OK so the packet drops happen every 14-15 minutes and they last 14-15 minutes? That's an interesting pattern.....

If you suspect it's a switch issue, have you checked interface stats on both sides? Any drops, errors, etc?

Is the Catalyst 9300 connected to both LAN and DMZ interfaces or just one of those interfaces? Can you run a test where you do continuous pings from a host behind the Catalyst to one of the directly-connected FGT interfaces? So if LAN interface is connected to Catalyst ping LAN interface from host behind Catalyst. Do packet drops occur? This should pretty much help to rule out the Catalyst.

Cheers,
Graham
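
One way to turn the continuous-ping test suggested above into numbers, as an added example that is not from anyone in this thread: it reads timestamped reply lines and reports each loss window and the spacing between windows. It assumes the capture was made on a Linux host with iputils `ping -D`; the function names, the 192.0.2.1 target and the sample log are constructed for illustration.

```python
import re

# Linux iputils `ping -D` reply line: "[epoch.usec] 64 bytes from ...: icmp_seq=N ttl=..."
REPLY = re.compile(r"^\[(\d+\.\d+)\] .*icmp_seq=(\d+) ")

def loss_bursts(lines, min_lost=3):
    """Return (last_reply_before_gap, first_reply_after_gap, lost_count) for each
    run of at least min_lost consecutive missing icmp_seq values."""
    bursts, prev = [], None
    for line in lines:
        m = REPLY.match(line)
        if not m:
            continue  # header, timeout or summary lines
        ts, seq = float(m.group(1)), int(m.group(2))
        if prev is not None:
            delta = (seq - prev[1]) % 65536  # icmp_seq is a 16-bit counter
            if delta == 0 or delta > 32768:
                continue  # duplicate or reordered reply, not a gap
            if delta - 1 >= min_lost:
                bursts.append((prev[0], ts, delta - 1))
        prev = (ts, seq)
    return bursts

def burst_intervals(bursts):
    """Whole seconds between the starts of successive loss bursts."""
    return [round(b[0] - a[0]) for a, b in zip(bursts, bursts[1:])]

def sample_log(t0=1700000000, total=2000):
    """Constructed input: one reply per second, with two made-up loss windows."""
    dropped = set(range(900, 906)) | set(range(1800, 1808))
    return [f"[{t0 + s:.6f}] 64 bytes from 192.0.2.1: icmp_seq={s} ttl=255 time=0.412 ms"
            for s in range(1, total + 1) if s not in dropped]

if __name__ == "__main__":
    found = loss_bursts(sample_log())
    for start, end, lost in found:
        print(f"gap {start:.0f} -> {end:.0f}: {lost} probes lost")
    print("seconds between gap starts:", burst_intervals(found))
```

Running the same analysis on one capture toward the directly connected FGT interface and one toward a DMZ host shows whether the loss windows line up in time on both paths.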