FortiGate
Article Id 192459

Description
In certain circumstances a FortiGate deployment may experience higher packet loss than normal. This article describes the common causes of that behavior and gives recommendations on how to resolve them or how to test the hardware for possible faults.


Solution

 
There are several factors that can cause packet loss on a FortiGate:
 
1. Incorrect speed or duplex settings on an interface.
 
Check the negotiated speed of each interface in the GUI by hovering the mouse over the interface on System -> Status -> Unit Operation, or by running the following CLI command:
 
diagnose hardware deviceinfo nic <interface name>
 
Look for an interface reporting 10half. This usually means that the FortiGate could not auto-negotiate speed and duplex with the device on the other end of the link. The resulting mismatch (one side half duplex, the other full) produces collisions and CRC errors, which show up as dropped packets.
 
To set the speed and duplex manually (here to 100 Mbps full duplex), use the commands:
 
config system interface
edit <interface name>
set speed 100full
end
 
WARNING: Equipment from some vendors brings the link down when auto-negotiation is disabled on the FortiGate side, so the speed and duplex must then be set identically on both ends. Do not make this change over the same link that is being modified, or the management connection to the FortiGate may be lost.
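The check above can be scripted when many interfaces (or many units) must be reviewed. The following is an added example, not code from the article or from Fortinet: it parses the 'Key :Value' lines that the NIC diagnostic prints, reports the negotiated mode, and flags 10half. The sample output is constructed and only approximates the real layout, which varies by model and NIC driver; the script also goes slightly beyond the article by flagging non-zero error and collision counters, which point at the same mismatch or at a bad cable or port.

```python
import re

# Constructed sample of 'diagnose hardware deviceinfo nic <name>' output.
# The real output differs by FortiGate model and NIC driver; this is an
# approximation of the common "Key :Value" layout, not copied from a device.
SAMPLE_NIC_OUTPUT = """\
Name            :port1
Driver Name     :igb
Link            :up
Speed           :10
Duplex          :Half
Rx_Packets      :184233
Tx_Packets      :90211
Rx_Errors       :0
Tx_Errors       :0
Rx_CRC_Errors   :0
Collisions      :3118
"""

# One "Key :Value" line; the key may contain spaces (e.g. "Driver Name").
FIELD_RE = re.compile(r"^\s*([A-Za-z_][\w .()/-]*?)\s*:\s*(.*?)\s*$")


def parse_nic_output(text):
    """Turn the diagnostic output into a dict of key -> value string."""
    info = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def negotiated_mode(info):
    """Return the negotiated mode as '10half', '1000full', ... or None.

    Accepts both a combined value ('Speed :100full') and separate Speed and
    Duplex lines; which form a unit prints is model-dependent (assumption).
    """
    speed = info.get("Speed", "")
    duplex = info.get("Duplex", "")
    m = re.match(r"(\d+)\s*(full|half)?", speed, re.IGNORECASE)
    if not m:
        return None
    dup = (m.group(2) or duplex).lower()
    if dup not in ("full", "half"):
        return None
    return f"{m.group(1)}{dup}"


def check_nic(info):
    """Return a list of findings for one interface; empty means nothing suspicious."""
    findings = []
    if info.get("Link", "").lower() != "up":
        findings.append("link is not up")
    mode = negotiated_mode(info)
    if mode is None:
        findings.append("could not determine speed/duplex")
    elif mode == "10half":
        findings.append("negotiated 10half: auto-negotiation likely failed, "
                        "set speed/duplex explicitly on both ends")
    elif mode.endswith("half"):
        findings.append(f"negotiated {mode}: half duplex, check the peer's settings")
    # Error and collision counters (an extension of the article's 10half check):
    # a non-zero value on a link that should be full duplex indicates a mismatch
    # or a faulty cable/port. Counter names follow the constructed sample above.
    for key in ("Rx_Errors", "Tx_Errors", "Rx_CRC_Errors", "Collisions"):
        val = info.get(key)
        if val and val.isdigit() and int(val) > 0:
            findings.append(f"{key}={val}")
    return findings


if __name__ == "__main__":
    nic = parse_nic_output(SAMPLE_NIC_OUTPUT)
    for finding in check_nic(nic):
        print(f"{nic.get('Name', '?')}: {finding}")
```

Feed the script the saved output of the diagnostic for each interface; any interface that produces a 10half finding is a candidate for the manual speed setting shown above, applied on both ends of the link.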
 
2. High bandwidth usage
 
To generate bandwidth reports, logging must be enabled on the firewall policies. Go to Firewall -> Policy, edit each policy and enable 'Log Allowed Traffic'.

On a FortiAnalyzer, go to Report -> Config -> Layout -> Create New and add charts as needed. Most users will want Traffic Volume by Direction, Top Services by Volume and Top Sources by Volume.

In Report -> Schedule -> Create New, use the layout that was just created, select the devices (that is, the FortiGates) on which to run the report and select OK. Schedule the report, or run it on demand with the 'Run now' icon on the Report -> Schedule page.

Users without a FortiAnalyzer can use a third-party application such as 'FirePlotter' (www.fireplotter.com). FirePlotter is a third-party product and is not covered in any way by a Fortinet support contract.
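Without a FortiAnalyzer, the same three views can be produced from the FortiGate's own traffic logs, once logging is enabled on the policies as described above. The following is an added example, not code from the article, from Fortinet or from FirePlotter: it parses the FortiOS key=value traffic log format and aggregates bytes per interface direction, per service and per source IP. The log lines are constructed for the example (the field names srcip, srcintf, dstintf, service, sentbyte and rcvdbyte are the standard FortiOS traffic log keys, the values are made up), and 'direction' is interpreted here as the source-to-destination interface pair.

```python
import re
from collections import Counter

# Constructed FortiGate traffic log lines (type=traffic, subtype=forward).
# Field names follow the FortiOS key=value log format; addresses and byte
# counts are invented for this example.
SAMPLE_TRAFFIC_LOG = """\
date=2024-03-01 time=09:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 srcintf="port2" dstip=203.0.113.10 dstintf="port1" service="HTTPS" action="accept" sentbyte=1200 rcvdbyte=34000
date=2024-03-01 time=09:00:02 type="traffic" subtype="forward" srcip=10.0.0.7 srcintf="port2" dstip=203.0.113.22 dstintf="port1" service="SMB" action="accept" sentbyte=500000 rcvdbyte=12000
date=2024-03-01 time=09:00:03 type="traffic" subtype="forward" srcip=10.0.0.5 srcintf="port2" dstip=198.51.100.9 dstintf="port1" service="HTTPS" action="accept" sentbyte=800 rcvdbyte=90000
date=2024-03-01 time=09:00:04 type="traffic" subtype="forward" srcip=192.0.2.40 srcintf="port1" dstip=10.0.0.9 dstintf="port2" service="DNS" action="accept" sentbyte=100 rcvdbyte=300
date=2024-03-01 time=09:00:05 type="traffic" subtype="forward" srcip=10.0.0.7 srcintf="port2" dstip=203.0.113.22 dstintf="port1" service="SMB" action="deny" sentbyte=0 rcvdbyte=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_log_line(line):
    """Split one FortiOS log line into a dict, stripping the quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def summarize(log_text):
    """Build the three views the article recommends from raw traffic log lines.

    Volume is sentbyte + rcvdbyte for each session record, so a session's
    bytes count once regardless of which direction the data flowed.
    """
    by_direction = Counter()  # "srcintf->dstintf" -> bytes
    by_service = Counter()    # service name -> bytes
    by_source = Counter()     # source IP -> bytes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_log_line(line)
        if f.get("type") != "traffic":
            continue  # skip event/UTM logs if they are mixed into the file
        total = int(f.get("sentbyte", 0)) + int(f.get("rcvdbyte", 0))
        by_direction[f"{f.get('srcintf', '?')}->{f.get('dstintf', '?')}"] += total
        by_service[f.get("service", "unknown")] += total
        by_source[f.get("srcip", "unknown")] += total
    return {
        "by_direction": dict(by_direction),
        "top_services": by_service.most_common(),
        "top_sources": by_source.most_common(),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_TRAFFIC_LOG)
    print("Traffic volume by direction:", summary["by_direction"])
    print("Top services by volume:", summary["top_services"][:5])
    print("Top sources by volume:", summary["top_sources"][:5])
```

Point the script at an exported log file (for example a syslog capture of the FortiGate's traffic logs) instead of the embedded sample; the top entries in each counter are the sources and services to investigate when the link is saturated.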
 
3. Hardware issues
 
Finally, the problem can be caused by faulty hardware. Administrators can run the HQIP hardware test to check the unit, including its interfaces, for faults.
 
The hardware test is executed as follows:
 
  1. Go to the Support Portal at support.fortinet.com, log in and select Download > HQIP Images. The related article 'RMA Note: HQIP - Hardware Quick Inspection Package' provides details on running HQIP tests; an outline is given below.
  2. Download the HQIP diagnostic firmware image for the FortiGate model and save it in the root directory of a TFTP server.
  3. Connect the PC Ethernet port to the internal interface of the FortiGate unit using a cross-over cable.
  4. Connect a PC serial port to the console port of the unit and start a terminal client such as HyperTerminal.
 
Set the terminal client for serial communications as follows:
Baud rate: 9600
Data: 8
Parity: none
Stop: 1
Flow Control: none
 
Set the terminal client to capture the console output to a text file. After the test completes (whether it passes or fails), attach this file to the Fortinet Support ticket already opened for the issue.
 
  5. Power on the FortiGate unit. Interrupt the boot process when the 'press any key to display configuration' message appears on the console.
  6. Select G to get the firmware image from the boot menu:

[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

  7. At the prompt 'Enter TFTP server address [192.168.1.168]:', enter the PC's current IP address, or configure the PC with the static address 192.168.1.168 and accept the default.
  8. At the prompt 'Enter local address [192.168.1.188]:', enter an address for the FortiGate that differs from the TFTP server address but lies in the same subnet (both addresses must be in the same subnet).
  9. Enter the HQIP file name.
  10. When prompted to save as Default, save as Backup, or Run image without saving, select 'R' to run the image without saving it, so the regular firmware is left untouched.
  11. Attach the captured console output to the ticket.

Related articles

RMA Note: HQIP - Hardware Quick Inspection Package.