Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
naltor
New Contributor

UDP traffic works TCP doesn´t....

Hi there,

I have a problem with TCP traffic. I have only one rule: permit any any. When I try to send UDP traffic through the firewall everything is fine. 4mbps of UDP traffic ends with a result of 4mbps inbound/outbound.

The problem appears with TCP traffic. If I try to send 4mbps of TCP traffic I get in the source interface 110 kbps-inbound and 2.3mbps traffic-out, which doesn't make sense to me...

I'm monitoring the traffic on the firewall port where the traffic comes from...

I have other firewalls with the same config and the same firmware v5.0.6 and everything works fine...

I have no errors in the traffic flow, the session is established and the firewall policy allows the traffic...

Any idea?

Thanks

6 REPLIES
gschmitt
Valued Contributor

Do you have any policy routes as Router > Static > Policy routes?

Since you said "any" I assume you have had the device for a longer time and kept updating it (since it's called ALL now)

Check your any object at Policy&Objects > Objects > Services

Is it set to Protocol Type: IP

Protocol Number: 0

?

 

naltor

Hi gschmitt!!

Yes, everything is ok with the config. I checked this out and everything is fine...

diagnose debug flow filter daddr x.x.x.x

diag debug flow show console enable

diag debug flow show function-name enable

diag debug flow trace start 100

diag debug enable

 

I'm thinking about hardware problems... There are no errors on the interfaces... So weird... First time this has happened to me...

 

ede_pfau
SuperUser

hi,

 

from the traffic history plot it looks like the FGT is applying UTM in proxy mode - there is a short delay between incoming and outgoing traffic. I assume traffic is not lost - you would have mentioned. You can test this e.g. with an FTP transfer.

 

Could you please post the policy in the CLI ("config firewall policy", "show full")?

 

Another topic is the version of FortiOS you are using. Get away from v5.0.6 as soon as possible. For one, it's vulnerable to the SSL bug. The current version/patch is v5.0.12. Read the Release Notes and follow the upgrade path (upgrade to v5.0.10 first IIRC). It might well be that the situation clears up after the upgrade.

Ede Kernel panic: Aiee, killing interrupt handler!
naltor

Hi ede_pfau,

 

I don't have access to the firewall right now but there isn't any UTM profile configured in this policy. I checked this...

 

I agree about the firmware version, but it isn't related to this issue because we have other firewalls with the same config/firmware working properly... :)

 

Thanks!!

emnoc
Esteemed Contributor III

IMHO you're wasting your time trying to compare the performance of UDP vs TCP; you have so many variables that you have to think about and none have anything to do with the firewall imho

 

e.g ( just a few )

 

 

 >MSS

 >SYN /SYN-ACK delay

 > segment ACK

 > tcp window buffer

 > SACK  or non-SACK

 > tcp large window-scale

 > windows/unix/linux/etc...

etc....

 

No way would I try to compare the performance of UDP vs TCP (layer 4); you have so many variables that would make a big difference in many cases. Btw, none of the variables listed above apply to UDP, hence this is why UDP is always faster than TCP. Repeat a transfer with UDP and it will always be faster than any positive-acknowledgement delivery.

 

Hey Ede, I'm trying to find a good bier in Amsterdam , Prost.

 

ken

 

PCNSE 

NSE 

StrongSwan  

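As an added illustration of emnoc's point (my own example, not code from this thread or from Fortinet), the Python below shows two of the ceilings that apply to TCP and not to UDP: the bandwidth-delay product set by the receive window (with and without RFC 7323 window scaling) and the Mathis/Semke/Mahdavi/Ott loss-rate approximation. The 4 Mbps offered load is the figure from the original post; the 150 ms RTT, 1460-byte MSS, loss rates and window values are constructed assumptions, not measurements from naltor's network.

```python
"""Added example for this thread (not from the forum or from Fortinet):
the TCP variables listed above (window size, window scaling, MSS, loss
recovery) cap TCP throughput in a way that does not exist for UDP, so a
4 Mbps UDP stream and a 4 Mbps TCP stream are not comparable tests.
All numeric inputs are constructed scenario values."""

import math

# 16-bit TCP window field limit when window scaling (RFC 7323) is not negotiated
MAX_UNSCALED_WINDOW = 65535


def effective_window(advertised_field: int, scale_shift: int, scaling_enabled: bool) -> int:
    """Receive window in bytes the sender may keep in flight.

    advertised_field is the 16-bit value carried in the TCP header; when both
    ends negotiated window scaling it is left-shifted by scale_shift.
    """
    if not 0 <= advertised_field <= MAX_UNSCALED_WINDOW:
        raise ValueError("advertised window field must fit in 16 bits")
    if not scaling_enabled:
        return advertised_field
    return advertised_field << scale_shift


def tcp_window_limit_bps(window_bytes: int, rtt_s: float) -> float:
    """Ceiling from the bandwidth-delay product: at most one window per RTT."""
    if window_bytes <= 0 or rtt_s <= 0:
        raise ValueError("window and RTT must be positive")
    return window_bytes * 8 / rtt_s


def mathis_limit_bps(mss_bytes: int, rtt_s: float, loss_rate: float) -> float:
    """Mathis et al. (1997) estimate under random loss: rate ~= (MSS/RTT) * C/sqrt(p).
    C ~= 1.22 assumes SACK-style recovery; without SACK recovery is slower, so
    this figure is optimistic for non-SACK stacks."""
    if loss_rate <= 0:
        return math.inf
    return (mss_bytes * 8 / rtt_s) * (1.22 / math.sqrt(loss_rate))


def tcp_throughput_estimate(window_bytes, mss_bytes, rtt_s, loss_rate):
    """Return (bits/s, limiting factor) for the tighter of the two ceilings."""
    window_limit = tcp_window_limit_bps(window_bytes, rtt_s)
    loss_limit = mathis_limit_bps(mss_bytes, rtt_s, loss_rate)
    if loss_limit < window_limit:
        return loss_limit, "loss"
    return window_limit, "window"


def compare_to_udp(offered_bps, window_bytes, mss_bytes, rtt_s, loss_rate):
    """UDP sends at the offered rate regardless; TCP is clamped to its estimate.
    Returns (udp_bps, tcp_bps, limiting_factor)."""
    tcp_bps, why = tcp_throughput_estimate(window_bytes, mss_bytes, rtt_s, loss_rate)
    return offered_bps, min(offered_bps, tcp_bps), why


if __name__ == "__main__":
    # Constructed scenario: the thread's 4 Mbps offered load over a 150 ms path
    # with 0.01 % random loss, tested with window scaling off and on.
    OFFERED = 4_000_000
    RTT, MSS, LOSS = 0.150, 1460, 0.0001
    for scaling in (False, True):
        win = effective_window(65535, 7, scaling)
        udp, tcp, why = compare_to_udp(OFFERED, win, MSS, RTT, LOSS)
        print(f"scaling={scaling!s:5} window={win:>8} B  "
              f"udp={udp / 1e6:.2f} Mbps  tcp={tcp / 1e6:.2f} Mbps  limited by {why}")
```

Run as-is it prints that with the 16-bit window and no scaling TCP stalls at about 3.5 Mbps while UDP delivers the full 4 Mbps, and that enabling window scaling lifts the window ceiling so the loss rate becomes the limiting factor instead. The point for a troubleshooting thread like this one is that a UDP-versus-TCP mismatch at the firewall port says nothing about the firewall until the endpoint stack settings and path RTT/loss have been ruled out, which is exactly the list emnoc gives.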
naltor
New Contributor

Hi guys,

 

It wasn't the Fortigate's fault... The network traffic generator wasn't working properly!! 

 

Thanks!!
