I'm currently on FortiOS 7.2.8.
Traffic is being dropped by the FortiGate when asic-offload is enabled. To work this out, we have currently set asic-offload to disable, but this is not a long-term solution.
Is this a bug on 7.2.8?
https://docs.fortinet.com/document/fortigate/7.2.8/fortios-release-notes/236526/known-issues
In which FortiOS version will this issue be resolved? 7.4.x or 7.2.x?
Appreciate your feedback.
TIA :)
You can at least recreate the situation relatively easily if you temporarily disable "override" (if you have it enabled) and run a command "diag sys ha reset-uptime".
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/666653/primary-unit-selection-with-overr...
You probably want to do it in a maintenance window.
Redundant interface is different from HA but maybe they have the same mechanism in NP6Xlite. But TAC can tell you if it's the same cause when you open a ticket and ask them to get it evaluated.
Toshi
Hi,
It would be a big help if you could share more details about your situation:
- What is your device version?
- What is the traffic flow of the issue? Simple topo
- Please share the policy detail
- Do you use sdwan?
- Please share the "dia sys session list" related to the issue traffic (flows)
- Please share the sniffer output or mirror somewhere in your network
- Please share the output of NPU, for example, with NP7 "dia npu np7 dce-drop-all ".
...
Regards
Bill
Hi martyyy,
Can you provide your hardware model? We can identify the NPU Chip that you have based on the model. Do you have a packet shaper enabled? You may try to disable it for isolation.
Hi,
Please check if packets are UDP and getting fragmented.
If yes, then follow this KB article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-Identify-UDP-NTurbo-fragmentation-d...
If not, then please share the hardware model and packet capture.
Regards
Rajan Kohli
Hi,
Just curious on what your ultimate fix for this was? Did you end up upgrading to 7.4?
I'm running into a similar issue on 7.2.8 where TCP traffic stops passing through the Fortigates. When I 'set auto-asic-offload disable' the issue clears. I can replicate my scenario when I see a large increase in sessions over a short period of time.