Hi all,
I have a case with FortiNet but perhaps the community has some good idea's.
Recently we have migrated our routing(Dell switch) and firewall(Sophos UTM) to a FortiGate 600E cluster. Since we have migrated to the FortiGate we see on our Terminal Server vdisks a lot of retries (https://support.citrix.com/article/CTX222944).
We see this only on the networks that are routed and firewalled trough the FortiGate.
We have opend a case by the vendor (Citrix) and the told us, if the retries don't take place in the same network where the Citrix PVS machines are running, there is a network issue.
I have tested to place a network back to the switch and then we don't see any retries on the terminal servers. The problems looks te be when the traffic goes trough the FortiGate.
Anybody got the same issue or has a idea where to look?
On the FortiGate, start with the very basic troubleshooting steps:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Did you check the logs for any blocked traffic? Is the traffic passing the FortiGate unchanged?
With support we did the basic troubelshouting, and everything looks okay.
It feels like some traffic is lost in de connection, Citrix PVS is running with UDP so its difficult to see that.
Did you find a solution for this problem?
Hi Kaejoe,
We found the problem. After some more troubelshouting support saw that the NP6 chip of the unit is dropping the traffic. The cache of the chip is getting full and then drops the traffic. There is no solution in the current unit we have, we have decided the change the netwerk from ou Citrix PVS machines to our terminal serverse.
Hi Erwin
Do you know the troubleshooting commands to see if we have the same issue? Model is also a 601E. You mean you change de pvs target device to the same subnet as the pvs servers?
Hi,
Sure. You need to look at the physical interfaces, for us it was the following commands
- diagnose hardware deviceinfo nic x1
- diagnose hardware deviceinfo nic x2
- diagnose npu np6 dce-all 0
- get sys performance status
In the logging we saw:
PDQ_OSW_EHP0 and/or PDQ_OSW_EHP2
That was the indication that there is dropped traffic.
Regards
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.