Hi,
Good day to you.
A user is experiencing an unstable connection while going through the FortiGate, but when the FortiGate is bypassed the traffic is fine.
And I see a lot of this info in Wireshark in the TCP stream, between client and server or server to client, when traffic is going through the FortiGate:
[This frame is a (suspected) out-of-order segment]
[Previous segment(s) not captured (common at capture start)]
[This frame is a (suspected) retransmission]
Is this potentially asymmetric routing, or something else?
The client said they have tried bypassing UTM and all service ports but are still having timeout/instability issues.
Thank you.
FW.
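The three Wireshark labels quoted in the question are produced by TCP analysis heuristics that compare each segment's sequence number against what the dissector has already seen in the capture. As an added example that is not part of the original thread or Wireshark's own code, the following simplified re-implementation shows what each label means in sequence-number terms for one direction of one stream; the sample segments are constructed, not taken from the poster's capture.

```python
"""Sequence-number bookkeeping that reproduces the three Wireshark TCP
analysis labels quoted in the question, for one direction of one TCP
stream. Added example: a deliberate simplification, not Wireshark's code;
the sample segments below are constructed, not from the thread's capture."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PREV_NOT_CAPTURED = "[Previous segment(s) not captured]"
OUT_OF_ORDER = "[This frame is a (suspected) out-of-order segment]"
RETRANSMISSION = "[This frame is a (suspected) retransmission]"


@dataclass
class Segment:
    frame: int     # frame number in the capture
    seq: int       # relative TCP sequence number of the first payload byte
    length: int    # payload bytes; 0 for a pure ACK


@dataclass
class DirectionState:
    # Right edge of the data seen so far, i.e. the sequence number expected next.
    next_seq: Optional[int] = None
    # Merged, sorted [start, end) byte ranges that this capture already holds.
    captured: List[Tuple[int, int]] = field(default_factory=list)

    def covered(self, start: int, end: int) -> bool:
        """True if every byte in [start, end) was already seen in this capture."""
        return any(s <= start and end <= e for s, e in self.captured)

    def record(self, start: int, end: int) -> None:
        """Insert [start, end) and merge overlapping or adjacent ranges."""
        merged: List[Tuple[int, int]] = []
        for s, e in sorted(self.captured + [(start, end)]):
            if merged and s <= merged[-1][1]:
                merged[-1] = (merged[-1][0], max(merged[-1][1], e))
            else:
                merged.append((s, e))
        self.captured = merged

    def classify(self, seg: Segment) -> List[str]:
        """Label one segment the way Wireshark's TCP analysis would."""
        if seg.length == 0:
            return []                          # pure ACKs consume no sequence space
        start, end = seg.seq, seg.seq + seg.length
        labels: List[str] = []
        if self.next_seq is None:
            pass                               # first data segment sets the baseline
        elif start == self.next_seq:
            pass                               # exactly what was expected: in order
        elif start > self.next_seq:
            labels.append(PREV_NOT_CAPTURED)   # a hole sits before this segment
        elif self.covered(start, end):
            labels.append(RETRANSMISSION)      # these bytes were captured earlier
        else:
            labels.append(OUT_OF_ORDER)        # fills a hole flagged earlier
        self.record(start, end)
        self.next_seq = end if self.next_seq is None else max(self.next_seq, end)
        return labels


def analyse(segments: List[Segment]) -> Dict[int, List[str]]:
    """Run one direction of a stream through the classifier; frame -> labels."""
    state = DirectionState()
    return {seg.frame: state.classify(seg) for seg in segments}


# Constructed sample: MSS-sized segments, one of which the capture point
# missed and one of which the sender repeats.
SAMPLE = [
    Segment(1, 1, 1448),       # bytes 1..1448, in order
    Segment(2, 1449, 1448),    # bytes 1449..2896, in order
    Segment(3, 4345, 1448),    # jumps past 2897: the segment in between was not captured
    Segment(4, 2897, 1448),    # the missing bytes arrive late -> out-of-order
    Segment(5, 4345, 1448),    # same bytes as frame 3 again -> retransmission
    Segment(6, 5793, 0),       # pure ACK, no label
]

if __name__ == "__main__":
    for frame, labels in analyse(SAMPLE).items():
        print(frame, " ".join(labels) or "(in order)")
```

The practical point for this thread: a steady run of "previous segment(s) not captured" that is later filled in by "out-of-order" segments is what a capture point that sees only one of two paths looks like, which is also the signature of asymmetric routing in a single-point capture; a segment flagged as a retransmission, by contrast, carries bytes the capture already holds, so the sender never saw an ACK for them. Capturing on both the inside and outside interfaces of the FortiGate and comparing which labels appear on each side shows whether the firewall is dropping segments or just forwarding traffic that was already damaged.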
Created on 01-27-2022 01:37 PM
Hello fiesta,
Can you please explain the upstream and downstream topology of this network?
Also, try disabling offloading on the policy using the following commands:
config firewall policy
edit <policy ID>
set auto-asic-offload disable
end
Also, if there is any dual WAN connection or SD-WAN configured, please let me know.
Hi Mohit,
Thank you for your reply.
Currently I don't have the complete topology for this issue, but it should be like this:
User (172.17.33.14) <-> FortiGate <-> Core <-> Server (172.28.201.80).
When bypassing the FortiGate the issue is solved, but when going through the FortiGate the issue persists.
There is no SD-WAN configuration.
I'll try disabling the offloading, thanks for the suggestion.
Regards.
FW.
Hi @fiesta, what is the solution for that? I have the same problem and I don't know what the cause is.
Hi, the root cause was the core switch not adding the same VLAN between their cluster (no idea what this cluster is about), but apparently when the FortiGate master restarted, some of the VLAN traffic still did not fail over to the slave. Then the client added the VLAN they had forgotten to add, and the traffic was normal again. Weird, but that's how it is.
Thank you. In my case it was because I had the same IP address for 2 tunnels in ADVPN; for this reason the error was presenting: [This frame is a (suspected) retransmission]
Good day!
I have the same issue
client <-> FortiGate <-> R1 <-> R2 <-> R3 <-> SERVER
Iperf result
# diagnose traffictest run -c 10.0.1.27 (server)
Connecting to host 10.0.1.27, port 5201
[ 12] local 10.10.61.37 port 18982 connected to 10.0.1.27 port 5201
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 12] 0.00-1.01 sec 392 KBytes 3.16 Mbits/sec 14 33.9 KBytes
[ 12] 1.01-2.01 sec 168 KBytes 1.39 Mbits/sec 9 18.4 KBytes
[ 12] 2.01-3.03 sec 119 KBytes 955 Kbits/sec 7 12.7 KBytes
[ 12] 3.03-4.02 sec 147 KBytes 1.21 Mbits/sec 10 11.3 KBytes
[ 12] 4.02-5.02 sec 212 KBytes 1.75 Mbits/sec 1 14.1 KBytes
[ 12] 5.02-6.03 sec 76.4 KBytes 619 Kbits/sec 1 14.1 KBytes
[ 12] 6.03-7.02 sec 160 KBytes 1.32 Mbits/sec 8 12.7 KBytes
[ 12] 7.02-8.02 sec 180 KBytes 1.47 Mbits/sec 1 15.6 KBytes
[ 12] 8.02-9.03 sec 366 KBytes 2.97 Mbits/sec 9 31.1 KBytes
[ 12] 9.03-10.02 sec 349 KBytes 2.89 Mbits/sec 20 33.9 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 12] 0.00-10.02 sec 2.12 MBytes 1.77 Mbits/sec 80 sender
[ 12] 0.00-10.02 sec 2.09 MBytes 1.75 Mbits/sec receiver
# diagnose traffictest run -R -c 10.0.1.27
Connecting to host 10.0.1.27, port 5201
Reverse mode, remote host 10.0.1.27 is sending
[ 12] local 10.10.61.37 port 21815 connected to 10.0.1.27 port 5201
[ ID] Interval Transfer Bandwidth
[ 12] 0.00-1.01 sec 512 KBytes 4.15 Mbits/sec
[ 12] 1.01-2.01 sec 512 KBytes 4.19 Mbits/sec
[ 12] 2.01-3.00 sec 2.81 MBytes 23.8 Mbits/sec
[ 12] 3.00-4.02 sec 839 KBytes 6.74 Mbits/sec
[ 12] 4.02-5.02 sec 210 KBytes 1.72 Mbits/sec
[ 12] 5.02-6.00 sec 2.05 MBytes 17.5 Mbits/sec
[ 12] 6.00-7.00 sec 3.29 MBytes 27.6 Mbits/sec
[ 12] 7.00-8.00 sec 4.19 MBytes 35.0 Mbits/sec
[ 12] 8.00-9.01 sec 789 KBytes 6.41 Mbits/sec
[ 12] 9.01-10.00 sec 2.24 MBytes 19.0 Mbits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth
[ 12] 0.00-10.00 sec 17.6 MBytes 14.8 Mbits/sec sender
[ 12] 0.00-10.00 sec 17.6 MBytes 14.8 Mbits/sec receiver
The connection between the server and the FortiGate is via OSPF.
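The iperf3 output above is worth quantifying rather than eyeballing: the forward run reports a Retr count per interval, and the total against the bytes transferred gives a retransmission rate. The following parser is an added example, not part of the post or of FortiOS; it reads the interval lines in the format printed by `diagnose traffictest run`, skips the sender/receiver summary lines, and estimates the retransmitted fraction of segments. The MSS of 1448 bytes used for that estimate is an assumption, and the 1024/1000 unit scaling follows iperf3's convention for bytes and bit rates. The sample strings are copied from the two runs in the post.

```python
"""Parse iperf3 interval lines (the format printed by FortiOS
'diagnose traffictest run') and quantify retransmissions.
Added example, not from the post or FortiOS. ASSUMED_MSS is an
assumption used only to turn bytes into an estimated segment count."""
import re
from typing import Dict, List

# Matches lines such as
#   [ 12] 0.00-1.01 sec 392 KBytes 3.16 Mbits/sec 14 33.9 KBytes   (sender side: Retr and Cwnd)
#   [ 12] 0.00-1.01 sec 512 KBytes 4.15 Mbits/sec                  (reverse mode: no Retr column)
# and deliberately does not match the "... 80 sender" / "... receiver" summary lines.
INTERVAL_RE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?)Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<runit>[KMG]?)bits/sec"
    r"(?:\s+(?P<retr>\d+)\s+(?P<cwnd>[\d.]+)\s+(?P<cunit>[KMG]?)Bytes)?\s*$"
)
BYTE_SCALE = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # iperf3: 1024 for bytes
BIT_SCALE = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}   # iperf3: 1000 for bit rates
ASSUMED_MSS = 1448  # assumption: typical Ethernet MSS with TCP timestamps


def parse_intervals(output: str) -> List[dict]:
    """One record per interval line; header and summary lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = INTERVAL_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "seconds": float(m["end"]) - float(m["start"]),
            "bytes": float(m["xfer"]) * BYTE_SCALE[m["xunit"]],
            "bps": float(m["rate"]) * BIT_SCALE[m["runit"]],
            "retr": int(m["retr"]) if m["retr"] is not None else None,
        })
    return rows


def summarize(output: str, mss: int = ASSUMED_MSS) -> Dict[str, float]:
    """Totals plus an estimated retransmitted-segment percentage for one run."""
    rows = parse_intervals(output)
    total_bytes = sum(r["bytes"] for r in rows)
    retr = sum(r["retr"] for r in rows if r["retr"] is not None)
    segments = total_bytes / mss
    rates = [r["bps"] for r in rows] or [0.0]
    return {
        "intervals": len(rows),
        "mbytes": total_bytes / 1024 ** 2,
        "retransmissions": retr,
        "retr_percent": 100.0 * retr / segments if segments else 0.0,
        "min_mbps": min(rates) / 1e6,
        "max_mbps": max(rates) / 1e6,
    }


# Copied from the forward run in the post (client sending to 10.0.1.27).
FORWARD_RUN = """
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 12] 0.00-1.01 sec 392 KBytes 3.16 Mbits/sec 14 33.9 KBytes
[ 12] 1.01-2.01 sec 168 KBytes 1.39 Mbits/sec 9 18.4 KBytes
[ 12] 2.01-3.03 sec 119 KBytes 955 Kbits/sec 7 12.7 KBytes
[ 12] 3.03-4.02 sec 147 KBytes 1.21 Mbits/sec 10 11.3 KBytes
[ 12] 4.02-5.02 sec 212 KBytes 1.75 Mbits/sec 1 14.1 KBytes
[ 12] 5.02-6.03 sec 76.4 KBytes 619 Kbits/sec 1 14.1 KBytes
[ 12] 6.03-7.02 sec 160 KBytes 1.32 Mbits/sec 8 12.7 KBytes
[ 12] 7.02-8.02 sec 180 KBytes 1.47 Mbits/sec 1 15.6 KBytes
[ 12] 8.02-9.03 sec 366 KBytes 2.97 Mbits/sec 9 31.1 KBytes
[ 12] 9.03-10.02 sec 349 KBytes 2.89 Mbits/sec 20 33.9 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 12] 0.00-10.02 sec 2.12 MBytes 1.77 Mbits/sec 80 sender
[ 12] 0.00-10.02 sec 2.09 MBytes 1.75 Mbits/sec receiver
"""

# Copied from the reverse-mode run in the post (10.0.1.27 sending to the client).
REVERSE_RUN = """
[ 12] 0.00-1.01 sec 512 KBytes 4.15 Mbits/sec
[ 12] 1.01-2.01 sec 512 KBytes 4.19 Mbits/sec
[ 12] 2.01-3.00 sec 2.81 MBytes 23.8 Mbits/sec
[ 12] 3.00-4.02 sec 839 KBytes 6.74 Mbits/sec
[ 12] 4.02-5.02 sec 210 KBytes 1.72 Mbits/sec
[ 12] 5.02-6.00 sec 2.05 MBytes 17.5 Mbits/sec
[ 12] 6.00-7.00 sec 3.29 MBytes 27.6 Mbits/sec
[ 12] 7.00-8.00 sec 4.19 MBytes 35.0 Mbits/sec
[ 12] 8.00-9.01 sec 789 KBytes 6.41 Mbits/sec
[ 12] 9.01-10.00 sec 2.24 MBytes 19.0 Mbits/sec
[ 12] 0.00-10.00 sec 17.6 MBytes 14.8 Mbits/sec sender
"""

if __name__ == "__main__":
    for name, run in (("forward", FORWARD_RUN), ("reverse", REVERSE_RUN)):
        print(name, summarize(run))
```

For the forward run the per-interval Retr values sum to the 80 retransmissions the summary line reports, which against roughly 1,500 MSS-sized segments is about 5% of segments resent; anything sustained above about 1% is loss, not jitter. Note that the reverse-mode lines carry no Retr column because in reverse mode the client is the receiver and iperf3 counts retransmissions on the sending side, so this output says nothing about loss in the server-to-client direction; that figure is only visible on the server's console.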
Looks like a traffic shaper or bandwidth limiter issue on R1/R2/R3.
As far as I know, OSPF will look for a different path if the cost and speed are higher. TCP will not change route, but UDP seems able to do so (correct me if I'm wrong). It will probably use a different route if there are multiple sessions. Try a static route to make sure, or bypass with a cable: client <> R1 <> R2 <> R3 <> server.
After bypassing Fortinet:
Scenario 1 - application and speed are fine
All traffic goes to R3 (Internet and application)
client <> R4 <> R1 <> R2 <> R3 <> server
Scenario 2 - replace R4 with the FortiGate and connect the Internet to the FortiGate; then the application becomes slow
Internet traffic and application traffic are diverted by the FortiGate
client <-> FortiGate <-> R1 <-> R2 <-> R3 <-> SERVER