Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aguerriero
Contributor II

Created on ‎02-26-2024 01:36 PM

FortiOS 7.4.3 incorrect interface utilization for SNMP on ipsec interfaces

fortiAfter upgrading to 7.4.3 my 1100E is doing something wrong when answering requests for ifoutoctets on ipsec interfaces.

Occassionaly Delta for out octets is way too high which shows an ipsec tunnel on a 40Gig interface at 90+ percent utilization while the physical 40Gig interface is reporting correctly.

 

 

Labels:
508
0 Kudos
11 REPLIES 11
Kangming
Staff
Staff

Created on ‎02-26-2024 02:35 PM Edited on ‎02-26-2024 02:36 PM

Hi 

What model of device are you using?
Can you provide a screenshot? Is there any SNMP OID information?

Thanks

Kangming

476
0 Kudos
aguerriero
Contributor II
In response to Kangming

Created on ‎02-26-2024 03:30 PM

The device is an 1100E. Physical interface is 4x 10gbe interfaces as an aggregate. The tunnel uses that interface as a source.

This is the MIB being monitored right after clearing the counters on the interfaces. Eventually there will be major spikes in the tx octets along with my snmp management system issuing an alert for utilization above 90 percent.

Doing another poll directly for the ifoutoctet mib will show considerably more octets transmitted out of the tunnel than across the physical interface.

This has run fine for the last 3-4 years and it has only started happening right after upgrade to 7.4.3.

Index 73 is the physical interface. Index 56 is the ipsec interface.

Captureinitial.PNG

458
0 Kudos
Kangming
Staff
Staff
In response to aguerriero

Created on ‎02-26-2024 04:04 PM

Thanks for your feedback.

 

If you can share your configuration file, I will be able to reproduce it in the lab. If it can be reproduced and confirmed to be an issue, I will submit the bug to Dev for investigation, my email is: kmliu@fortinet.com, thanks!

Thanks

Kangming

454
aguerriero
Contributor II
In response to Kangming

Created on ‎03-01-2024 05:01 PM

7.2.7 works fine.

we are planning to migrate all features that 7.4.X provides, to a different hardware vendor that also provides those features.

416
0 Kudos
BillH_FTNT
Staff
Staff
In response to aguerriero

Created on ‎04-10-2024 05:34 PM

 

Hi Aguerriero

 

I have tested your issue in my 2 FGT1101E. However, in my lab, I got the normal result, which was reported from 2 interfaces quite equally. You can check my picture in the attachment. 

For your case, can you do this :

Step 1. Clear counters in 2 interfaces and checking by commands:

Diagnose netlink interface list port33 ! (Physical)

diagnose netlink interface list SNMP_Test 

   !(IPsec VPN)

diagnose netlink interface clear port33

diagnose netlink interface clear SNMP_Test

diagnose netlink interface list port33

diagnose netlink interface list SNMP_Test

step 2. Get snmpwalk or visually them in PRTG/Cacti 

 

Regards

Bill

SNMP in Physical vs Ipsec vpn.PNG

169
BillH_FTNT
Staff
Staff
In response to BillH_FTNT

Created on ‎04-10-2024 05:37 PM

Hi Aguerriero,

It would be a big help if you could share your configuration with us. We can reproduce the issue in our lab the same way you have. My email is bhoang@fortinet.com. You can send it to me or Kangming. Thanks

Regards

Bill

167
aguerriero
Contributor II
In response to BillH_FTNT

Created on ‎04-10-2024 06:24 PM Edited on ‎04-10-2024 06:26 PM

Did you see my post before this? It wasn't on one of the 40G interfaces. It was 4x 10g interfaces in an LACP aggregate. The aggregate was the source of the ipsec tunnel.

The utilization reported just fine on the aggregate. The ipsec interface utilization is what reported high.

We moved the 1100E HA pair back to 7.2 on 3-21-2024 and there have been zero issues with SNMP utilization events since.

156
0 Kudos
BillH_FTNT
Staff
Staff
In response to aguerriero

Created on ‎04-10-2024 08:55 PM

Hi Aguerriero,

I read your post carefully before testing it. Sometimes, just a minor configuration could trigger an issue. Therefore, it is a big help if you can share your configuration. If you cannot share it, we still try to re-test it to find the issue. Thanks

Bill

126
BillH_FTNT
Staff
Staff
In response to aguerriero

Created on ‎04-11-2024 02:30 PM

Hi Aguerriero, We retested your case in Agg interfaces. The result from the IPsec tunnel vs. the Agg interface reported the same result for SNMP. 

Do you have any special configuration in Aggregate Interface? What is your SPF type? 

Thanks

 

SNMP Agg vs IPsec1.png

 

 

107
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.