Having an issue where SSL-VPN traffic is limited to about 20Mbps. After multiple rounds with TAC they don't call it an issue, but more of a limitation. The issue seems relegated to any platform with the NP6 and is not limited to any version of code. Is anyone else seeing a similar issue? TAC seems to want to say that it is only for 10G to 1G interface bound traffic, but it is also visible on 1G to 1G interfaces.
Highlights:
Regarding your first question, when traffic goes from a 10 Gig interface to a 1 Gig interface, it causes congestion at the egress on the QSGMII interface of the NP (which means the 1G interfaces on this platform), and this is represented by the TX_XPX_QFULL counter increasing. This also impacts traffic from other interfaces that is egressing through port1. Therefore, even though the SSL VPN is terminated on the Internet VDOM, it would still be impacted.
After testing this in the lab and discussing with a QA engineer, to stop the NP6 drops there are three suggested methods, as follows:
a) Configure shortcut mode under the NPU setting so that TCP and IPsec traffic is not offloaded when going from 10 Gig to 1 Gig.
b) Configure LAG interfaces on the WAN interface.
c) Have the traffic flow from 10 Gig to 10 Gig instead of 10 Gig to 1 Gig.
We have already tested the first two methods and they did not resolve the issue. Therefore, to stop the NP6 drops now, we have to use 10 Gig on the WAN side.
It’s not a known issue but more of a limitation, and to overcome the limitation you can optionally disable NP6 offloading of traffic passing between 10Gbps and 1Gbps interfaces. Due to NP6 internal packet buffer limitations, some offloaded packets received at a 10Gbps interface and destined for a 1Gbps interface can be dropped, reducing performance for TCP and IP tunnel traffic.
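An added example (not from this thread, TAC, or Fortinet) of the check a practitioner would want before accepting the limitation: correlate growth of the TX_XPX_QFULL counter named above with measured SSL-VPN throughput across a series of counter snapshots. The "NAME : value" snapshot layout, the sample counter values and the throughput figures are constructed assumptions; real FortiGate diagnose output is laid out differently and would need its own parser.

```python
import re

COUNTER = "TX_XPX_QFULL"  # NP6 egress-queue-full counter named in the TAC reply

# Constructed snapshots of NP6 counters, taken at a fixed interval while an SSL-VPN
# download was running. The "NAME : value" layout is an assumption for this example;
# real "diagnose" output on a FortiGate is laid out differently.
SNAPSHOTS = [
    "TX_XPX_QFULL : 1000\nRX_XPX_DROP : 5\n",
    "TX_XPX_QFULL : 1000\nRX_XPX_DROP : 5\n",
    "TX_XPX_QFULL : 5000\nRX_XPX_DROP : 5\n",
    "TX_XPX_QFULL : 9000\nRX_XPX_DROP : 6\n",
    "TX_XPX_QFULL : 9000\nRX_XPX_DROP : 6\n",
]
# Measured throughput (Mbps) during each interval between consecutive snapshots (constructed).
THROUGHPUT_MBPS = [850.0, 20.0, 21.0, 20.0]
INTERVAL_S = 10


def parse_counters(text: str) -> dict[str, int]:
    """Extract NAME : value pairs into a dict; lines that do not match are ignored."""
    counters: dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z0-9_]+)\s*:\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def qfull_rates(snapshots: list[str], interval_s: float) -> list[float]:
    """Growth of TX_XPX_QFULL per second for each interval between snapshots."""
    values = [parse_counters(s).get(COUNTER, 0) for s in snapshots]
    return [(b - a) / interval_s for a, b in zip(values, values[1:])]


def classify_intervals(snapshots, mbps, interval_s, expected_mbps, drop_rate_threshold=1.0):
    """Label each interval: slow throughput with a rising QFULL counter points at the NP6
    10G->1G egress limitation; slow throughput with a flat counter means look elsewhere."""
    verdicts = []
    for rate, drops in zip(mbps, qfull_rates(snapshots, interval_s)):
        if rate < expected_mbps and drops > drop_rate_threshold:
            verdicts.append("np6-egress-congestion")
        elif rate < expected_mbps:
            verdicts.append("slow-without-np6-drops")
        else:
            verdicts.append("ok")
    return verdicts


if __name__ == "__main__":
    for i, v in enumerate(classify_intervals(SNAPSHOTS, THROUGHPUT_MBPS, INTERVAL_S, 100.0)):
        print(f"interval {i}: {THROUGHPUT_MBPS[i]:.0f} Mbps -> {v}")
```

If the counter stays flat while throughput is still capped at about 20 Mbps, the NP6 10G-to-1G limitation is not the explanation for that interval and the SSL-VPN path itself (CPU-bound termination, policy inspection) should be checked instead.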
Hi,
Maybe this is a bug: (Bug ID: 910829 Degraded traffic bandwidth for download passing from 10G to 1G interfaces.)
If your firewall’s firmware is below 7.0.15, updating it can be helpful.
Reference link below:
https://docs.fortinet.com/document/fortigate/7.0.15/fortios-release-notes/289806/resolved-issues