Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ckny
New Contributor

Internet Drop Outs after Fortinet Install

After the Fortinet firewall install we experienced Internet and network dropouts and got a report showing horrible dropouts, latency and lost packets, through the roof. What could cause this? Do I need higher bandwidth from my ISP? A report showed the ISP may be cutting me off due to increased bandwidth use. I never had the problem with the other firewalls. How can the Fortinet be generating that much more bandwidth? All other hardware, configurations and applications have not changed. Only the firewall.
10 REPLIES
Dave_Hall
Honored Contributor

Without further details about the FGT model/firmware/ISP (WAN) connection and a brief network layout, I'm going to say check the duplex/speed on the WAN connection to the ISP's gateway/modem device, e.g. from the CLI enter diagnose hardware deviceinfo nic <WAN interface>

The output should look similar to this:

    # diagnose hardware deviceinfo nic wan1
    Description         Intel(R) Gigabit Ethernet Network Driver
    Driver_Name         igb
    Driver_Version      5.0.6
    PCI_Vendor          8086
    PCI_Device_ID       1533
    PCI_Subsystem_Vendor          ffff
    PCI_Revision_ID     0003
    PCI_Bus             5
    PCI_Slot            0
    MAC_Type            6
    PCI_Bus_Type        PCI-E
    PCI_Bus_Speed       2.5Gb/s
    PCI_Bus_Width       Width x1
    IRQ                 16
    System_Device_Name  wan1
    Current_HWaddr      90:6c:ac:3e:dx:xx
    Permanent_HWaddr    90:6c:ac:3e:dy:yy
    Link                up
    Speed               1000
    Duplex              full
    FlowControl         current:0/requested:3
    Interrupt mode      MSI-X
    Rx queue(s)         1
    Tx queue(s)         1
    Rx_Packets          42064231
    Tx_Packets          32484440
    Rx_Bytes            50613981859
    Tx_Bytes            4808163593
    Rx_Errors           0
    Tx_Errors           0
    Rx_Dropped          0
    Tx_Dropped          0
    Multicast           445470
    Collisions          0
    Rx_Length_Errors    0
    Rx_Over_Errors      0
    Rx_CRC_Errors       0
    Rx_Frame_Errors     0
    Rx_FIFO_Errors      0
    Rx_Missed_Errors    0
    Tx_Aborted_Errors   0
    Tx_Carrier_Errors   0
    Tx_FIFO_Errors      0
    Tx_Heartbeat_Errors 0
    Tx_Window_Errors    0
    Tx_Single_Collision_Frames    0
    Tx_Multiple_Collision_Frames  0
    Tx_Deferred         0
    Rx_Frame_Too_Longs  0
    Rx_Frame_Too_Shorts 0
    Rx_Align_Errors     0
    Rx_Flow_Control_XON 0
    Rx_Flow_Control_XOFF          0
    Tx_Flow_Control_XON 0
    Tx_Flow_Control_XOFF          0
    Rx_Control_Unknown_Opcodes    0
    PHY_Media_Type      1
    max_frame_size      1522
    CTRL                00100241
    STATUS              00280783
    TXCW                00000000
    RXCW                00000000
    avd/ctrl            0de1/0200

Check the output for (RX/TX and other) errors. If there are errors/drops, wait a while then perform the diag test again to see if the error counters increase.

If you need to set/force the speed/duplex on an interface, use:

    config system interface
        edit "<WAN interface name>"
            set speed <value>
        next
    end

where the speed value is one of:

    auto        Automatically adjust speed.
    10full      10M full-duplex.
    10half      10M half-duplex.
    100full     100M full-duplex.
    100half     100M half-duplex.
    1000full    1000M full-duplex.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Toshi_Esumi

If it was working fine before, I would say most likely a duplex mismatch or two, on either or both the WAN side interface to the ISP's device and the LAN side interface to a switch.

Ckny

Is there a report I can generate to see what my historical duplex and speed settings have been on the Fortinet firewall? Is there a report to show past or current duplex mismatches?
Toshi_Esumi

I don't know about the historical part unless it's managed by FortiManager. But a duplex mismatch needs to be determined by checking 1) what's configured on both sides, 2) what both sides ended up using if negotiated, and then 3) if both sides are not matching in 2), it's a "mismatch".

For FortiGate you can see, or not see, what's configured in the interface config. By default it's "auto/auto". If anything else is hard-coded you would see something like "set 1000full". To check what it ended up using, look at "diag hard deviceinfo nic INTERFACE_NAME" like below:

    xxx-fg1 # diag hard device nic internal1
    Description     :FortiASIC NP6LITE Adapter
    Driver Name     :FortiASIC NP6LITE Driver
    Board           :60E
    lif id          :3
    lif oid         :67
    netdev oid      :67
    Current_HWaddr   00:09:0f:09:fe:02
    Permanent_HWaddr 70:4c:a5:bc:38:bb
    ========== Link Status ==========
    Admin           :up
    netdev status   :up
    autonego_setting:1
    link_setting    :0
    speed_setting   :10
    duplex_setting  :0
    Speed           :1000
    Duplex          :Full
    link_status     :Up
    ============ Counters ===========
    Rx Pkts         :456459759
    Rx Bytes        :398650410228
    Tx Pkts         :337365528
    Tx Bytes        :69211843305
    Host Rx Pkts    :390926245
    Host Rx Bytes   :9857764254
    Host Tx Pkts    :275627811
    Host Tx Bytes   :8101527118
    Host Tx dropped :0

You need to check the same on the other side of the cable. In case you can't check, or suspect that the other party, like an ISP, is NOT telling the truth, you should set "auto/auto" then check what your FGT ended up using. For the speed there is a way to detect it without negotiation, so even if the other end is hard-coded it would match. However, duplex can't be detected without negotiation, so the FGT side should end up with "half". Then you know you have to hard-code it on the FGT side.
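
The two checks described in this thread (Dave_Hall's "run the diag twice and see whether the error counters increase", and Toshi_Esumi's "read the negotiated duplex and treat Half as a mismatch") can be scripted against saved CLI output. The Python below is an added example for this thread, not code from the posters or from Fortinet. It parses the text that diagnose hardware deviceinfo nic <interface> prints in both layouts quoted above (the igb "Key   value" style and the NP6LITE "Key   :value" style) and reports non-full duplex and any error/drop counter that grew between two samples. The three sample outputs embedded in it are constructed and shortened; their counter values are invented for illustration.

```python
"""Check FortiGate NIC diagnostics for duplex trouble and growing error counters.

Added example; not code from the forum posters or from Fortinet. Feed it two
saved copies of `diagnose hardware deviceinfo nic <iface>` taken some minutes
apart. The samples below are constructed and shortened for illustration.
"""
import re

# One line of diag output: a key made of letters/underscores/()/ words separated
# by single spaces (real output pads keys, so key and value are at least two
# spaces apart), then either ":" (NP6LITE style) or whitespace (igb style),
# then the value. Prompt lines ("# diag ...") and "=== Link Status ===" headers
# start with characters the key class rejects and are skipped.
_LINE = re.compile(
    r"^\s*([A-Za-z_][A-Za-z_()/]*(?: [A-Za-z_()/]+)*)(?:\s*:\s*|\s+)(\S.*?)\s*$"
)
# Counters whose growth points at a link-layer problem (substring, case-insensitive).
_ERROR_MARKERS = ("error", "dropped", "collision", "missed")


def parse_nic(text: str) -> dict:
    """Return {key: value} for every key/value line of one diag output."""
    stats = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            stats[m.group(1)] = m.group(2)
    return stats


def link_issues(stats: dict) -> list:
    """Findings from a single sample: link state and negotiated duplex/speed."""
    issues = []
    link = (stats.get("Link") or stats.get("link_status") or "").lower()
    if link and link != "up":
        issues.append(f"link is {link}")
    duplex = stats.get("Duplex", "").lower()
    if duplex and duplex != "full":
        # Auto-negotiation fell back to half: the far end most likely is hard-coded
        # and sends no negotiation, so this side must be hard-coded to match.
        issues.append(f"negotiated duplex is {duplex}, not full: probable duplex mismatch")
    speed = stats.get("Speed", "")
    if speed.isdigit() and int(speed) < 100:
        issues.append(f"negotiated speed is only {speed} Mb/s: check cabling and far-end setting")
    return issues


def counter_growth(before: dict, after: dict) -> dict:
    """Error/drop counters that increased between two samples, as {key: increase}.
    With an empty baseline every non-zero error counter is reported as growth."""
    grown = {}
    for key, val in after.items():
        if not any(mark in key.lower() for mark in _ERROR_MARKERS):
            continue
        try:
            b, a = int(before.get(key, "0")), int(val)
        except ValueError:
            continue  # non-numeric field such as FlowControl
        if a > b:
            grown[key] = a - b
    return grown


def report(before: dict, after: dict) -> list:
    """Both checks combined into plain findings for one interface."""
    findings = link_issues(after)
    for key, delta in counter_growth(before, after).items():
        findings.append(f"{key} grew by {delta} between samples")
    return findings


# Constructed sample: igb-style wan1, first reading.
WAN1_T0 = """\
# diagnose hardware deviceinfo nic wan1
Description         Intel(R) Gigabit Ethernet Network Driver
Driver_Name         igb
System_Device_Name  wan1
Link                up
Speed               100
Duplex              full
FlowControl         current:0/requested:3
Rx_Packets          42064231
Rx_Errors           0
Tx_Errors           0
Rx_Dropped          0
Collisions          0
Rx_CRC_Errors       0
Rx_Align_Errors     0
Tx_Heartbeat_Errors 0
"""

# Constructed sample: the same wan1 twenty minutes later. Rising CRC/alignment
# errors on a full-duplex port are the usual signature of a half-duplex peer.
WAN1_T1 = """\
# diagnose hardware deviceinfo nic wan1
System_Device_Name  wan1
Link                up
Speed               100
Duplex              full
Rx_Packets          42391004
Rx_Errors           1847
Tx_Errors           0
Rx_Dropped          0
Collisions          0
Rx_CRC_Errors       1412
Rx_Align_Errors     435
Tx_Heartbeat_Errors 0
"""

# Constructed sample: NP6LITE-style internal1 that negotiated half duplex.
INTERNAL1 = """\
xxx-fg1 # diag hard device nic internal1
Description     :FortiASIC NP6LITE Adapter
Driver Name     :FortiASIC NP6LITE Driver
========== Link Status ==========
Admin           :up
autonego_setting:1
Speed           :100
Duplex          :Half
link_status     :Up
============ Counters ===========
Rx Pkts         :456459759
Host Tx dropped :93
"""

if __name__ == "__main__":
    for name, before, after in (("wan1", WAN1_T0, WAN1_T1), ("internal1", "", INTERNAL1)):
        for line in report(parse_nic(before), parse_nic(after)) or ["no link-layer problems seen"]:
            print(f"{name}: {line}")
```

Paste the real output into two files and call report() on them; a Half duplex reading with auto-negotiation enabled on the FGT is the case Toshi_Esumi describes, where the far end is hard-coded and the FGT side then has to be hard-coded to match.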

rwpatterson
Valued Contributor III

During a maintenance window, I would suggest running through all the speed options and see what works. This will bypass what the ISP may or may not tell you. Also, if you connect at half duplex, your speed will be appreciably slower.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Toshi_Esumi

correction to my last post:

wrong: set 1000full

correct: set seed 1000full

rwpatterson
Valued Contributor III

toshiesumi wrote:

correction to my last post:

wrong: set 1000full

correct: set seed 1000full

correct: set speed 1000full, unless you are sowing crops....

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Toshi_Esumi

Thank you for your correction to my correction. I appreciate it.

Ckny

Thank you for the great information. I will check if there is a FortiManager tracking history so we can reference it. The chief firewall tech had told me a new, faster ISP would be the solution. I switched ISPs but the problem remained.

Here is the pattern: we reset or reinstall the device and there are no problems; all looks good. Then over 24-72 hours speeds dive and dropouts increase until it is unusable. This happened across devices: when the Fortinet firewall was first installed replacing the functioning existing firewall, when the VoIP router was replaced as part of troubleshooting, and when we got the new, faster ISP service and modem. Same pattern. The new service went from blazing to below 56k-modem performance. Does this point to duplex mismatches or perhaps something else? I know the firewall tech was troubleshooting with traffic shaping, for example.

Where I stand now: after the new ISP didn't solve it, the firewall tech appeared and resolved the problem quickly, even though his colleagues had been working on it for days prior with no success. The problem has not resurfaced in the weeks since. The tech will not tell me what he did to fix it (I can guess: to cover error or incompetence). I want to know so it won't happen again. I will ask about FortiManager monitoring and logs. Insight?