FortiGate
Biraman
Staff
Article Id 306488
Description

This article describes a known issue where network throughput decreases substantially when traffic passes through the FortiGate 200F, 400F, or 600F models. The issue occurs most frequently when traffic passes from a higher-speed interface to a slower-speed interface (e.g. 10Gb to 1Gb), but it has also been known to occur in 1Gb to 1Gb scenarios.
Scope

FortiGate-200F/201F, 400F/401F, 600F/601F.

Solution

The permanent fix is to upgrade FortiOS to 7.2.8 or 7.4.2 (7.0.15 is also expected to include the fix, but had not been released at the time this article was written).

However, for 400F/401F/600F/601F units, the following workaround can be used if upgrading is not an option.

(For 200F/201F, these commands are only available on 7.2.8/7.4.2 or later, so those devices cannot apply this workaround.)

diag sys mvl cli
configure
interface range ethernet 0/4-31
tail-drop packet-limit 4095 buffer-limit 65535 alpha 0.0
tail-drop-queue queue all dp all packet-limit 512 buffer-limit 4096 alpha 0.0
end

This issue is reported as Known issue 910829 (LAN to WAN poor throughput) and 965482 (SSL VPN throughput issue).

This workaround is not persistent between reboots, nor is it synchronized between HA FortiGates (i.e. the command must be applied on a per-device basis and executed again after reboot).

The workaround is safe to run during production, as it simply increases the upper limit on the amount of shared buffer that each switch port may use. There is also no disruption to existing traffic when the commands are run.
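Because the workaround is per-device and lost on reboot, it helps to have a small helper that decides, for each firewall in a fleet or HA cluster, whether it is already on a fixed build, still needs the workaround, or can only be upgraded. The following is an added example, not Fortinet code; the models and fixed versions come from this article, and any FortiOS branch the article does not mention is reported as unknown rather than guessed.

```python
"""Classify FortiGates against the 200F/400F/600F throughput issue.

Added example (not Fortinet code). Models, fixed builds and the command
sequence are taken from the article; other branches are left as 'unknown'.
"""
import re

# Lowest patch level per FortiOS branch that carries the permanent fix
# (7.0.15 was not yet released when the article was written).
FIXED_MIN = {(7, 0): 15, (7, 2): 8, (7, 4): 2}
AFFECTED = {"200F", "201F", "400F", "401F", "600F", "601F"}
# Only these models can run the switch-buffer commands on pre-fix builds.
WORKAROUND_OK = {"400F", "401F", "600F", "601F"}

WORKAROUND = """diag sys mvl cli
configure
interface range ethernet 0/4-31
tail-drop packet-limit 4095 buffer-limit 65535 alpha 0.0
tail-drop-queue queue all dp all packet-limit 512 buffer-limit 4096 alpha 0.0
end"""


def parse_version(version):
    """'v7.2.7' or '7.2.7' -> (7, 2, 7); anything else is rejected."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(model, version):
    """Return 'not_affected', 'fixed', 'workaround', 'upgrade_only' or 'unknown'."""
    model = model.upper().replace("FORTIGATE-", "").replace("FG-", "")
    if model not in AFFECTED:
        return "not_affected"
    major, minor, patch = parse_version(version)
    fixed_min = FIXED_MIN.get((major, minor))
    if fixed_min is None:
        return "unknown"  # branch not covered by the article
    if patch >= fixed_min:
        return "fixed"
    return "workaround" if model in WORKAROUND_OK else "upgrade_only"


def plan(devices):
    """devices: iterable of (hostname, model, version). Every HA member gets
    its own entry, since the workaround is neither synchronised nor persistent.
    Returns {hostname: (state, commands-or-None)}."""
    result = {}
    for host, model, version in devices:
        state = assess(model, version)
        result[host] = (state, WORKAROUND if state == "workaround" else None)
    return result
```

Feed `plan()` the inventory of each HA member separately, and re-run it after every reboot, since the article notes the settings are not retained.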