sanderl
New Contributor III

Unreliable traffic between segments

I start a new topic while this problem is still not resolved and since the other topic about this same issue is not accurate anymore. This topic starts with a clear description of the issue including an overview of the situation.

 

This is the old topic (for reference; please do not refer to it anymore, to avoid confusion).

 

The network schematic:

fortiproblem2.jpg

 

The issue:

If connected wireless to ssid "test99" all is fine. No issues and superfast.

 

If connected to "ssid" clients experience weird issues.

2 examples:

1. Roblox games do not (never) load, and give an error message.

2. Downloading apps/updates from Google Play Store is terribly slow ... 1%,2%,3%...

I deliberately do not (yet) include any config/capture (see also previous topic).

 

Extra information:

I never had any of these issues, for over ~7 years. It started after upgrading to 7.0.11. And if you read the old topic, 2 things constantly cross: software switch vs hardware switch; that issue is now gone. All is connected to 1 hardware switch and VLANs with bridged SSIDs.

The Netgear is configured to tag VLANs on the uplink and to the FAP. Furthermore, there are no (known) issues in the network other than this...

 

Please help out in finding if this could be a configuration issue or bug. Thank you!

abarushka
Staff

Hello,

 

I would recommend focusing on Roblox games first, since it is easier to troubleshoot than a performance issue. You may consider sniffing traffic on the client side and tracing traffic towards the Roblox game servers. In Wireshark it will be visible whether there is an issue with establishing TCP, TLS sessions or something else.

sanderl
New Contributor III

I have a cap file now from a phone on VLAN 10, during a start of Roblox (unsuccessful).

 

https://file.io/EZgnjTOc2N85 

gfleming

So there are dozens of attempted connections to Roblox server in the cap spanning only around 20 packets each. And every conversation/connection attempt looks pretty much the same. Some back and forth with the server and then a RST from the server after some unseen segments in the capture. 

 

Where are you capturing from? Unseen segments could be seen if sniffing on the FortiGate unless you turn off NPU offload. 


Can you try capturing again from a computer accessing Roblox?

 

Also, in looking at Roblox help documentation it states you need to have port forwarding enabled for it to work? Is that true? Do you have that configured?

 

https://en.help.roblox.com/hc/en-us/articles/203312880-General-Connection-Problems

Cheers,
Graham
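
Added example, not part of the original post and not Fortinet tooling: a Python script for the check described above, which reads a capture and reports, per connection, how many times the sequence numbers jump over data that is not in the capture and whether the server side sent a RST. The `client_prefix` parameter, the addresses and the sample capture are constructed; it assumes a classic little-endian pcap with Ethernet framing.

```python
import struct

def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, flags, payload_len) per IPv4/TCP frame."""
    off, addr = 24, lambda b: ".".join(map(str, b))   # 24 = pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        fr, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        ip = 18 if fr[12:14] == b"\x81\x00" else 14   # step over an 802.1Q tag
        if len(fr) < ip + 20 or fr[ip - 2:ip] != b"\x08\x00" or fr[ip + 9] != 6:
            continue                                  # not IPv4/TCP
        tcp = ip + (fr[ip] & 0x0F) * 4
        if len(fr) < tcp + 20:
            continue                                  # truncated TCP header
        sport, dport, seq = struct.unpack_from("!HHI", fr, tcp)
        end = ip + struct.unpack_from("!H", fr, ip + 2)[0]   # end of IP datagram
        yield (addr(fr[ip + 12:ip + 16]), sport, addr(fr[ip + 16:ip + 20]), dport,
               seq, fr[tcp + 13], end - tcp - (fr[tcp + 12] >> 4) * 4)

def summarize(pcap, client_prefix):
    """Per connection (keyed from the client side): packets, seq gaps, server RST."""
    flows, nxt = {}, {}                               # nxt: next expected seq per direction
    for src, sport, dst, dport, seq, flags, plen in tcp_segments(pcap):
        from_client = src.startswith(client_prefix)
        key = (src, sport, dst, dport) if from_client else (dst, dport, src, sport)
        f = flows.setdefault(key, {"packets": 0, "gaps": 0, "server_rst": False})
        f["packets"] += 1
        d = (key, from_client)
        if d in nxt and seq > nxt[d]:                 # simplification: no seq wraparound
            f["gaps"] += 1                            # data missing from the capture
        if flags & 0x04 and not from_client:          # RST sent by the server side
            f["server_rst"] = True
        nxt[d] = max(nxt.get(d, 0), seq + plen + (1 if flags & 0x03 else 0))
    return flows

def _frame(src, dst, sport, dport, seq, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap(c="192.168.10.50", s="203.0.113.7"):
    """Constructed capture: handshake, 100 server bytes, RST that skips 200 bytes."""
    pk = [_frame(c, s, 40000, 443, 1000, 0x02), _frame(s, c, 443, 40000, 5000, 0x12),
          _frame(c, s, 40000, 443, 1001, 0x10), _frame(s, c, 443, 40000, 5001, 0x18, b"x" * 100),
          _frame(s, c, 443, 40000, 5301, 0x04)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in pk)
```

Running `summarize()` on a client-side capture and on a firewall-side capture of the same failed attempt shows whether the gaps exist only in one of the two captures.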
sanderl
New Contributor III

Don't focus on Roblox.

 

Google Playstore has issues.

Amazon app does not work well

Google pages remain white

Other websites load badly

Wired devices and wireless devices the same.

 

And again, on VLAN 10. VLAN 99 is ok. And it started at 7.0.11.

 

Just a small list. Roblox is the stable factor always not working. 

I never heard of Roblox needing port forwarding... that would also be a big problem for all those thousands of kids playing it on a simple NAT modem.

I captured with a filter on the FortiGate.

gfleming

Well most people running home networks are not using FortiGates. 99% of home networks will use UPnP to do port forwarding automatically. FortiGate of course being an enterprise firewall does not use UPnP.

 

Regarding the capture, OK so please let's get a capture from an affected endpoint. That way we know we are seeing everything. Or, disable NPU offloading and capture again. It would be interesting to see a capture for failed Amazon app, website loadings, etc. as well.

Cheers,
Graham
sanderl
New Contributor III

Roblox and all other apps and sites worked well with FortiGate for years (+7) prior to 7.0.11, and on 7.0.11 on VLAN 99 as well...

gfleming

That's great, I understand that. I'm trying to help you here. I have no idea if you had a VIP set up for Roblox or not. So that's cleared up now. But you're focusing on stuff that doesn't help us troubleshoot your problem. 

 

Please focus on the troubleshooting steps I'm requesting from you. Namely getting a new capture done....

Cheers,
Graham
sanderl
New Contributor III

Hi Graham, here you go.

2 capture files, taken on FortiGate for:

config firewall policy
    edit <policyid>
        set auto-asic-offload disable
    next
end

For policy 42 (LAN)
For policy 43 test99

 

The files:

https://file.io/Dkoj3QfNqWRE (1 file wrong - you'll see, very small :) )

EDIT:

https://file.io/yLscFuuWc7Yk

 

EDIT2: Not sure what you mean with "VIP" in asking if I had a VIP setup. But I think the answer is no.

 

EDIT3: FWIW a capture of my phone trying to update via google playstore an app which is terribly slow (on vlan10). This is very fast on vlan 99. (both via wifi).

https://file.io/iTue93bIIoi1

 

gfleming

I don't really see anything standing out in the captures. There's actually more data captured in the Roblox faulty cap file than the success one. I see RakNet packets as well, which means at least to me that it's progressing further than what is captured in the success capture.

 

Next steps: can we bypass the switch? Can you plug an endpoint directly into the FortiGate hardware switch (if you need to assign another physical port to it then please do) and then get that endpoint to join VLAN 10 by tagging its traffic appropriately?

Or alternatively plug the AP directly into one of the FortiGate hardware switch ports and see how wifi clients in VLAN 10 behave?

 

Also if you're willing please upload or securely share your full FGT config.

Cheers,
Graham