FortiGate
Article Id 195501
Description

Some or all network interfaces appear to drop certain packets from specific applications or devices, such as VMware ESX clusters and Nortel Alteon application switches.

The "MAC0 IP Error" counter for the affected network interface may also increment. It can be viewed with the following diagnostic CLI command (the interface name here is an example):

# diag hardware deviceinfo nic AMC-SW1/1
Driver Name: NP2
Version: 0.92
...
MAC0 IP Error: 231

This issue only affects Fortinet products with NP2 hardware-accelerated network interfaces.

Components
  • FortiGate-3016B, FortiGate-620B, FortiGate-310B
  • FortiGate-ASM-FB4, FortiGate-ADM-FB8 and FortiGate-ADM-XB2 AMC modules
Steps or Commands

This issue occurs when network applications or devices emit frames that do not conform to IEEE 802.3 clause 3.2.7. Under that clause, padding is added only to bring a short frame up to the minimum Ethernet frame length of 64 bytes (including the 4-byte FCS), so a frame that contains padding should be exactly 64 bytes long. A frame that is longer than the minimum and still contains padding does not conform to the specification, and NP2 interfaces drop it; the drop is what the MAC0 IP Error counter reflects. In a packet capture, such a frame shows up as one longer than the minimum whose Ethernet payload is larger than the IP total length field, i.e. it carries trailing bytes beyond the end of the IP packet.

Typically, this issue is observed with TCP SYN and SYN-ACK segments: with a 14-byte Ethernet header, a 20-byte IP header and a 20-byte TCP header they are only 54 bytes long and therefore require padding, and a sender that pads them beyond the minimum frame length produces the non-conforming frame. UDP datagrams are generally not affected, because they usually carry enough payload to reach the minimum frame length on their own and so need no padding.
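The following Python script is an added example, not part of the original article or Fortinet's code, that applies the padding rule described above to raw Ethernet frames so the non-conforming case can be recognised in a capture. It builds constructed sample frames (placeholder MAC and IP addresses, unset checksums) rather than using real traffic, and assumes frames are presented without the 4-byte FCS, as captures normally are, so the minimum length it checks against is 60 bytes.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
# IEEE 802.3 minimum frame is 64 bytes including the 4-byte FCS; captures and
# host stacks normally present the frame without it, so the minimum seen is 60.
MIN_FRAME_LEN_NO_FCS = 60


def build_ipv4_frame(l4_bytes: bytes, proto: int, pad_to: int = 0) -> bytes:
    """Build an Ethernet II + IPv4 frame (no FCS) around an L4 header/payload.

    Addresses and checksums are constructed placeholders (assumption). pad_to
    appends zero bytes up to that frame length, mimicking a sender's padding.
    """
    total_len = 20 + len(l4_bytes)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,   # version/IHL, DSCP, total length
                         0, 0,                 # identification, flags/fragment offset
                         64, proto, 0,         # TTL, protocol, header checksum (unset)
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth_hdr = (bytes.fromhex("00112233aabb") + bytes.fromhex("00112233ccdd")
               + struct.pack("!H", ETHERTYPE_IPV4))
    frame = eth_hdr + ip_hdr + l4_bytes
    if len(frame) < pad_to:
        frame += b"\x00" * (pad_to - len(frame))
    return frame


def check_frame_padding(frame: bytes) -> dict:
    """Apply the rule the article attributes to NP2 interfaces.

    padding = bytes after the end of the IP packet. Padding is legitimate only
    when the frame is exactly the minimum length; a longer frame that still
    carries padding violates IEEE 802.3 clause 3.2.7 and is dropped.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short to carry an IPv4 header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        # Non-IP frames are outside the scope of the IP Error counter.
        return {"ipv4": False, "padding": 0, "conforming": True, "reason": "not IPv4"}
    ip_total_len = struct.unpack("!H", frame[16:18])[0]
    padding = len(frame) - (ETH_HDR_LEN + ip_total_len)
    if padding < 0:
        conforming, reason = False, "truncated: frame shorter than IP total length"
    elif padding == 0:
        conforming, reason = True, "no padding"
    elif len(frame) == MIN_FRAME_LEN_NO_FCS:
        conforming, reason = True, "padded to the minimum frame length"
    else:
        conforming, reason = False, "padded beyond the minimum frame length"
    return {"ipv4": True, "padding": padding, "conforming": conforming, "reason": reason}


# Constructed sample L4 headers (not captured traffic).
TCP_SYN_HDR = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)  # 20-byte TCP SYN, no options
UDP_SMALL = struct.pack("!HHHH", 53000, 53, 8 + 18, 0) + b"\x01" * 18              # 8-byte UDP header + 18 bytes

SAMPLES = {
    # 14 + 20 + 20 = 54 bytes, padded to 60: the normal SYN case, conforming.
    "syn_padded_to_min": build_ipv4_frame(TCP_SYN_HDR, 6, pad_to=60),
    # Same SYN padded to 70: longer than the minimum and still padded, dropped by NP2.
    "syn_overpadded": build_ipv4_frame(TCP_SYN_HDR, 6, pad_to=70),
    # 14 + 20 + 26 = 60 bytes exactly, no padding needed.
    "udp_no_padding": build_ipv4_frame(UDP_SMALL, 17),
    # Large TCP segment, longer than the minimum with no padding: conforming.
    "tcp_data_no_padding": build_ipv4_frame(TCP_SYN_HDR + b"A" * 100, 6),
}


def classify_samples() -> dict:
    """Run the check over every constructed sample and return the verdicts by name."""
    return {name: check_frame_padding(frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:22s} padding={result['padding']:3d} "
              f"conforming={result['conforming']} ({result['reason']})")
```

To apply this to real traffic, feed `check_frame_padding` each frame from a capture taken on the affected interface; a frame reported as "padded beyond the minimum frame length" is the kind the article says NP2 drops. Note that a capture that includes the FCS would need `MIN_FRAME_LEN_NO_FCS` raised to 64 and the trailing 4 bytes excluded from the padding count.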

Network applications/hardware known to produce non-conforming frames include:

  • VMware ESX clusters running 3.0.1 or 3.0.2 (resolved in ESX 3.5)

    A patch is available on VMware's web site for older code versions:

    http://www.vmware.com/support/esx25/doc/esx-253-200606-patch.html

  • Nortel Alteon Application switches
    Model 2424 running 23.0.4

    It is currently not known if there is a fix for the Alteon's behavior with regard to the frame padding.

  • Nortel Optical Metro 5200 running 8.0
  • Cisco IP phones
  • Foundry 4G-SSL