Im currently on FortiOS 7.2.8.
Traffics are being dropped by FortiGate when asic-offload is enabled. To work this out, we are currently set the asic-offload to disable but this is not a long term solution.
Is this a bug on 7.2.8?
https://docs.fortinet.com/document/fortigate/7.2.8/fortios-release-notes/236526/known-issues
Does this issue will be resolved in what FortiOS? 7.4.x or 7.2.x ?
Appreciate your feedback.
TIA :)
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
You can at least recreate the situation relatively easily if you temporarily disable "override" (if you have it enabled) and run a command "diag sys ha reset-uptime".
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-overr...
You probably want to do it in a maintenance window.
Redundant interface is different from HA but maybe they have the same mechanism in NP6Xlite. But TAC can tell you if it's the same cause when you open a ticket and ask them to get it evaluated.
Toshi
Are you looking at 860460? That involves "a redundant interface". Or 869978? Which involves CAPWAP.
In the end, you have to open a case at TAC to get your situation evaluated to match one of known issues if it's caused by a bug. Then, there maybe a workaround TAC can tell you to try. If no matching, you need to get a bug report created, which you can't do through this community/forum.
Toshi
@martyyy ,
I would start with identifying the nature of impact. Is it affecting all traffic? Some type of traffic? Specific policy? Based on that we could narrow down what the issue is and work through a solution.
It is happening on a redundant interface. This interface does not involve CAPWAP tunnel traffic.
The redundant interface is a Layer3 interface (no Layer2)
The firewall is in HA mode and it only happens when we failover to the redundant firewall.
So it's more an HA issue with NPU. What is your model/NPU type? NP7? It's not in the releasenotes under known issues/HA.
Toshi
Currenly the model is FG101F. Im seeing this bug ID which might be related.
860460 - On a redundant interface, traffic may drop with some NPU-offload enabled policies when the interface is not initialized properly.
It resolved in FortiOS 7.4.2.
https://docs.fortinet.com/document/fortigate/7.4.2/fortios-release-notes/289806
The issue is not reproduceable since it only happens when we failover to the redundant firewall.
Does upgrading to 7.4.2 will resolve the issue?
Thank you :)
You can at least recreate the situation relatively easily if you temporarily disable "override" (if you have it enabled) and run a command "diag sys ha reset-uptime".
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-overr...
You probably want to do it in a maintenance window.
Redundant interface is different from HA but maybe they have the same mechanism in NP6Xlite. But TAC can tell you if it's the same cause when you open a ticket and ask them to get it evaluated.
Toshi
Created on 08-12-2024 06:49 PM Edited on 08-12-2024 06:49 PM
Hi @martyyy ,
It looks very likely that you are running into the bug that you mentioned here. It does affect the 101F and for redundant interface on the backup unit.
Hi @martyyy,
Do you have HA pair? I would suggest to open a case with TAC for bug verification to better troubleshooting.
The firewall is in HA mode and it only happens when we failover to the redundant firewall.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.