Hi everyone
Is it because the first packet passes through the CPU and is confirmed, then the third packet begins to be sent to the NPU? When the traffic is low, it can be transmitted normally. Once more flow passes through, the NPU cannot receive the third packet when it is fully loaded, resulting in packet loss.
But at that time, my traffic was only 100 MB. Is the load on the NPU so low? Mine was an NP4.
Thanks for your answer.
What FortiGate model do you use?
In the case of NP7 and NP6 platforms (including lite versions) under heavy load situations, the packet reordering problem can be handled by the following command:
config firewall policy
    edit <id>
        set delay-tcp-npu-session enable
end
Please read this: https://docs.fortinet.com/document/fortigate/7.4.3/hardware-acceleration/923009/preventing-packet-or...
In your case, you mentioned that the traffic was only 100 MB. What was the total number of sessions in the firewall? If it is internet-oriented traffic, the reordering can happen due to network congestion and 0 TCP window size.
To verify if NPU is the problem, you can disable auto-asic offload on the policy:
config firewall policy
    edit <id>
        set auto-asic-offload disable
    next
end
If it is IPsec traffic, you can disable npu on phase1 and test it:
config vpn ipsec phase1-interface
    edit <phase1 name>
        set npu-offload disable
    next
end
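To compare a capture taken with offload enabled against one taken with `auto-asic-offload disable`, the classifier below separates segments that merely arrived swapped from ones the sender had to resend. It is an added example, not part of the original thread or any Fortinet tool; the tuple layout, the 3 ms `REORDER_WINDOW` and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

REORDER_WINDOW = 0.003  # seconds; assumed cut-off between reordering and loss recovery

def classify_segments(segments, window=REORDER_WINDOW):
    """Classify one direction of TCP data segments, given in capture order.
    segments: iterable of (time_s, flow_id, seq, payload_len) exported from a
    capture taken behind the firewall. Sequence wraparound is not handled."""
    state = {}
    stats = defaultdict(lambda: dict(in_order=0, ahead=0, out_of_order=0,
                                     retransmit=0, duplicate=0, open_gaps=0))
    for t, flow, seq, length in segments:
        if length == 0:
            continue  # pure ACKs carry no data to order
        st = state.setdefault(flow, {"next": seq, "holes": {}})
        end = seq + length
        if seq >= st["next"]:
            if seq > st["next"]:
                st["holes"][st["next"]] = (seq, t)  # bytes [next, seq) skipped at time t
            stats[flow]["ahead" if seq > st["next"] else "in_order"] += 1
            st["next"] = end
            continue
        # Starts below the highest byte seen: late arrival or repeat.
        hit = next(((s, e, ts) for s, (e, ts) in st["holes"].items() if s <= seq < e), None)
        if hit is None:
            stats[flow]["duplicate"] += 1  # data already seen: spurious retransmission
            continue
        start, hole_end, opened = hit
        del st["holes"][start]
        if seq > start:
            st["holes"][start] = (seq, opened)
        if end < hole_end:
            st["holes"][end] = (hole_end, opened)
        # Filled quickly: packets merely swapped. Filled late: sender had to resend.
        stats[flow]["out_of_order" if t - opened <= window else "retransmit"] += 1
    for flow, st in state.items():
        stats[flow]["open_gaps"] = len(st["holes"])  # never filled within the capture
    return dict(stats)

# Constructed sample: one flow, 1000-byte segments, times in seconds.
SAMPLE = [
    (0.0000, "flow-1", 1, 1000), (0.0010, "flow-1", 1001, 1000), (0.0020, "flow-1", 3001, 1000),
    (0.0025, "flow-1", 2001, 1000), (0.0030, "flow-1", 4001, 1000), (0.0040, "flow-1", 6001, 1000),
    (0.2500, "flow-1", 5001, 1000), (0.2510, "flow-1", 5001, 1000), (0.2520, "flow-1", 8001, 1000),
]

if __name__ == "__main__":
    print(classify_segments(SAMPLE))
```

If the `retransmit` and `open_gaps` counts drop to zero once offload is disabled while the traffic is otherwise the same, the NPU path is the likely cause; if they stay, look elsewhere.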
Hi amrit
The model is 1000C and the OS is v5.4.10, and my environment is an internal network environment, not connected to the internet.
And the full sessions were also small.
"To verify if NPU is the problem, you can disable auto-asic offload on the policy"
Did you mean that if I disable auto-asic, all traffic will be processed by the CPU, not the NPU, so that I can see whether there is any packet loss caused by NPU issues?
I will disable auto-asic and see what is going on.
Thank you very much
NP4 may be old, but it still has 20 Gbps throughput. 100 Mbps of generic traffic will definitely not be enough to choke it.