Support Forum
fiesta
New Contributor III

Traffic going through FortiGate is unstable and often times out, but not when the FortiGate is bypassed

Hi,

 

Good day to you.

 

Users experience an unstable connection while going through the FortiGate, but when the FortiGate is bypassed the traffic is fine.

And I see this information many times in Wireshark in the TCP stream between client and server (in both directions) when traffic goes through the FortiGate.

 

[This frame is a (suspected) out-of-order segment]

[Previous segment(s) not captured (common at capture start)]

[This frame is a (suspected) retransmission]

 

Is this potentially asymmetric routing or something else?

The client said they have tried bypassing UTM and all service ports but are still having the timeout/unstable issue.

Thank you.
FW.

Anonymous
Not applicable

Hello fiesta,

 

Can you please explain the upstream and downstream topology of this network?

 

Also, try to disable the offloading on the policy using the following commands:

config firewall policy
    edit <policy ID>
        set auto-asic-offload disable
    next
end

 

Also, if there is any dual WAN connection or SD-WAN configured, please let me know.

 

fiesta
New Contributor III

Hi Mohit,

Thank you for your reply.

Currently I don't have the complete topology for this issue, but it should be like this:
User (172.17.33.14) <-> FortiGate <-> Core <-> Server (172.28.201.80).
When the FortiGate is bypassed the issue is solved, but when going through the FortiGate the issue persists.

There is no SD-WAN configuration.

 

I'll try disabling the offloading, thanks for the suggestion.

 

Regards.

FW.

theroghert
New Contributor

Hi @fiesta, what is the solution for that? I have the same problem and I don't know what the cause is.

fiesta
New Contributor III

Hi, the root cause is the core switch not adding the same VLAN between their cluster. No idea what this cluster is about, but apparently when the FortiGate master restarts, some of the VLAN traffic still does not fail over to the slave. Then the client added the VLAN they forgot to add, and the traffic was normal again. Weird, but that's how it is.

theroghert

Thank you. In my case it was because I had the same IP address for 2 tunnels in ADVPN; for this reason the error was showing: [This frame is a (suspected) retransmission]

azmadhussain
New Contributor

Good day!!!!

I have the same issue.

 

client <-> FortiGate <-> R1 <-> R2 <-> R3 <-> SERVER

azmadhussain

iperf result:

# diagnose traffictest run -c 10.0.1.27 (server)
Connecting to host 10.0.1.27, port 5201
[ 12] local 10.10.61.37 port 18982 connected to 10.0.1.27 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 12] 0.00-1.01 sec 392 KBytes 3.16 Mbits/sec 14 33.9 KBytes
[ 12] 1.01-2.01 sec 168 KBytes 1.39 Mbits/sec 9 18.4 KBytes
[ 12] 2.01-3.03 sec 119 KBytes 955 Kbits/sec 7 12.7 KBytes
[ 12] 3.03-4.02 sec 147 KBytes 1.21 Mbits/sec 10 11.3 KBytes
[ 12] 4.02-5.02 sec 212 KBytes 1.75 Mbits/sec 1 14.1 KBytes
[ 12] 5.02-6.03 sec 76.4 KBytes 619 Kbits/sec 1 14.1 KBytes
[ 12] 6.03-7.02 sec 160 KBytes 1.32 Mbits/sec 8 12.7 KBytes
[ 12] 7.02-8.02 sec 180 KBytes 1.47 Mbits/sec 1 15.6 KBytes
[ 12] 8.02-9.03 sec 366 KBytes 2.97 Mbits/sec 9 31.1 KBytes
[ 12] 9.03-10.02 sec 349 KBytes 2.89 Mbits/sec 20 33.9 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 12] 0.00-10.02 sec 2.12 MBytes 1.77 Mbits/sec 80 sender
[ 12] 0.00-10.02 sec 2.09 MBytes 1.75 Mbits/sec receiver

 

# diagnose traffictest run -R -c 10.0.1.27
Connecting to host 10.0.1.27, port 5201
Reverse mode, remote host 10.0.1.27 is sending
[ 12] local 10.10.61.37 port 21815 connected to 10.0.1.27 port 5201
[ ID] Interval Transfer Bandwidth
[ 12] 0.00-1.01 sec 512 KBytes 4.15 Mbits/sec
[ 12] 1.01-2.01 sec 512 KBytes 4.19 Mbits/sec
[ 12] 2.01-3.00 sec 2.81 MBytes 23.8 Mbits/sec
[ 12] 3.00-4.02 sec 839 KBytes 6.74 Mbits/sec
[ 12] 4.02-5.02 sec 210 KBytes 1.72 Mbits/sec
[ 12] 5.02-6.00 sec 2.05 MBytes 17.5 Mbits/sec
[ 12] 6.00-7.00 sec 3.29 MBytes 27.6 Mbits/sec
[ 12] 7.00-8.00 sec 4.19 MBytes 35.0 Mbits/sec
[ 12] 8.00-9.01 sec 789 KBytes 6.41 Mbits/sec
[ 12] 9.01-10.00 sec 2.24 MBytes 19.0 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 12] 0.00-10.00 sec 17.6 MBytes 14.8 Mbits/sec sender
[ 12] 0.00-10.00 sec 17.6 MBytes 14.8 Mbits/sec receiver

 

 

The connection between the server and the FortiGate is OSPF.
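As an added example (not code from the thread or from Fortinet), a small parser for the per-interval output shown above: it reads the iperf3-style lines printed by diagnose traffictest, sums the Retr column and computes the coefficient of variation of the per-second throughput, so that a run like the one above can be flagged as unstable rather than judged by eye. The 0.4 cv threshold is an assumed cut-off, not a Fortinet value.

```python
import re
from statistics import mean, pstdev

# Per-interval lines copied from the forward iperf run in the thread above;
# the final "sender" summary line is included to show that it is skipped.
SAMPLE = """\
[ 12] 0.00-1.01 sec 392 KBytes 3.16 Mbits/sec 14 33.9 KBytes
[ 12] 1.01-2.01 sec 168 KBytes 1.39 Mbits/sec 9 18.4 KBytes
[ 12] 2.01-3.03 sec 119 KBytes 955 Kbits/sec 7 12.7 KBytes
[ 12] 3.03-4.02 sec 147 KBytes 1.21 Mbits/sec 10 11.3 KBytes
[ 12] 4.02-5.02 sec 212 KBytes 1.75 Mbits/sec 1 14.1 KBytes
[ 12] 5.02-6.03 sec 76.4 KBytes 619 Kbits/sec 1 14.1 KBytes
[ 12] 6.03-7.02 sec 160 KBytes 1.32 Mbits/sec 8 12.7 KBytes
[ 12] 7.02-8.02 sec 180 KBytes 1.47 Mbits/sec 1 15.6 KBytes
[ 12] 8.02-9.03 sec 366 KBytes 2.97 Mbits/sec 9 31.1 KBytes
[ 12] 9.03-10.02 sec 349 KBytes 2.89 Mbits/sec 20 33.9 KBytes
[ 12] 0.00-10.02 sec 2.12 MBytes 1.77 Mbits/sec 80 sender
"""

# One interval line. The trailing "Retr Cwnd" pair is optional because
# reverse-mode (-R) output omits it; summary lines end in sender/receiver
# and therefore never match.
LINE = re.compile(
    r"^\[\s*\d+\]\s+([\d.]+)-([\d.]+)\s+sec\s+[\d.]+\s+[KMG]?Bytes\s+"
    r"([\d.]+)\s+([KMG]?)bits/sec(?:\s+(\d+)\s+[\d.]+\s+[KMG]?Bytes)?\s*$"
)
TO_MBIT = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}

def parse_intervals(text):
    """Return (start, end, mbit_per_s, retransmits) per interval; retransmits is None when absent."""
    rows = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        start, end, bw, unit, retr = m.groups()
        rows.append((float(start), float(end), float(bw) * TO_MBIT[unit],
                     None if retr is None else int(retr)))
    return rows

def assess(rows, cv_limit=0.4):
    """Score a run: cv is the coefficient of variation of per-interval
    throughput; a high cv (assumed limit 0.4) or any retransmissions marks the path unstable."""
    rates = [r[2] for r in rows]
    avg = mean(rates)
    cv = pstdev(rates) / avg if avg else 0.0
    retr = sum(r[3] for r in rows if r[3] is not None)
    return {"intervals": len(rows), "mean_mbps": round(avg, 3),
            "cv": round(cv, 3), "retransmits": retr,
            "unstable": cv > cv_limit or retr > 0}

if __name__ == "__main__":
    print(assess(parse_intervals(SAMPLE)))
```

Run it with the output of both the forward and the -R run; a path that is clean in one direction and retransmitting in the other is the usual sign that the problem sits on one side of the firewall only.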

fiesta
New Contributor III

Looks like a traffic shaper or bandwidth limiter issue on R1/R2/R3.

 

As per my knowledge, OSPF will look for a different path if the cost and speed are higher; TCP will not change route, UDP seems able to do so (correct me if I'm wrong). It will probably use a different route if there are multiple sessions. Try static to make sure, or do a bypass cable: client <> R1 <> R2 <> R3 <> server

azmadhussain

After bypassing Fortinet:

Scenario 1 - application and speed fine

All traffic goes to R3 (Internet and Application)

client <> R4 <> R1 <> R2 <> R3 <> server

 

 

 

Scenario 2 - replaced R4 with the FortiGate and connected the internet to the FortiGate; then the application became slow

Internet traffic and application diverted by the FortiGate

client <-> FortiGate <-> R1 <-> R2 <-> R3 <-> SERVER

 
