Troubleshooting traffic shaping
This chapter outlines some troubleshooting tips and steps to diagnose the shapers and whether they are working correctly. These diagnose commands include:
- diagnose system tos-based-priority
- diagnose firewall shaper traffic-shaper
- diagnose firewall per-ip-shaper
- diagnose debug flow
Interface diagnosis
To optimize traffic shaping performance, first ensure that the network interface's Ethernet statistics are free of errors, collisions, and buffer overruns. To check the interface, enter the following diagnose command to see the traffic statistics:
diagnose hardware deviceinfo nic <port_name>
Shaper diagnose commands
There are specific diagnose commands you can use to verify the configuration and flow of traffic, including packet loss due to the employed shaper.
All of these diagnose troubleshooting commands are supported in both IPv4 and IPv6.
ToS command
Use the following command to view information on the ToS lists and traffic:
diagnose system tos-based-priority
This example displays the priority value currently correlated with each possible ToS bit value. Priority values are displayed in order of their corresponding ToS bit values, which can range between 0 and 15, from lowest ToS bit value to highest.
For example, if you have not configured ToS-based priorities, the following appears…
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
…reflecting that all packets are currently using the same default priority, high (value 0).
If you have configured a ToS-based priority of low (value 2) for packets with a ToS bit value of 3, the following appears…
0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0
…reflecting that most packets are using the default priority value, except those with a ToS bit value of 3.
Shared shaper
To view information for the shared traffic shaper for security policies, enter the command:
diagnose firewall shaper traffic-shaper list
The resultant output displays the information on all available shapers. The more shapers there are, the longer the list. For example:
name Throughput
maximum-bandwidth 1200000 Kb/sec
guaranteed-bandwidth 50000 Kb/sec
current-bandwidth 0 B/sec
priority 1
packets dropped 0
Additional commands include:
diagnose firewall shaper traffic-shaper state – provides the total number of traffic shapers on the FortiGate unit.
diagnose firewall shaper traffic-shaper stats – provides summary statistics on the shapers.
Sample output looks like the following:
shapers 9 ipv4 0 ipv6 0 drops 0
Per-IP shaper
To view information for the per-IP shaper for security policies, enter the command:
diagnose firewall shaper per-ip-shaper list
The resultant output displays the information on all available per-IP shapers. The more shapers there are, the longer the list. For example:
name accounting_group
maximum-bandwidth 200000 Kb/sec
maximum-concurrent-session 55
packet dropped 0
Additional commands include:
diagnose firewall shaper per-ip-shaper state – provides the total number of per-IP shapers on the FortiGate unit.
diagnose firewall shaper per-ip-shaper stats – provides summary statistics on the shapers.
Sample output looks like the following:
memory allocated 3 packet dropped: 0
You can also clear the per-IP statistical data to begin a fresh diagnosis using:
diagnose firewall shaper per-ip-shaper clear
Packet loss with statistics on shapers
Each shaper has counters that let you verify whether packets have been discarded. To view this information, enter the diagnose firewall shaper command in the CLI. The results look similar to the following output:
diagnose firewall shaper traffic-shaper list
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 Kb/sec
guaranteed-bandwidth 25 Kb/sec
current-bandwidth 51 Kb/sec
priority 3
dropped 1291985
The diagnose command output differs depending on whether the shapers are configured per policy or shared between policies.
For per-IP shapers the output would be:
diagnose firewall shaper per-ip-shaper list
name accounting_group
maximum-bandwidth 200000 Kb/sec
maximum-concurrent-session 55
packet dropped 3264220
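A small parser for the shaper list output above, added here as an example and not part of the FortiGate documentation: it extracts each shaper's counters from either layout (one field per line, or fields run together), lists shapers whose drop counter is non-zero, and flags shared shapers whose current rate is above their configured maximum. The sample output is constructed; shaper names follow the page, drop counts are made up.

```python
import re

# Constructed sample output in the two layouts shown above: the shared-shaper
# list prints one field per line, the packet-loss examples run them together.
# Names are taken from the page; the drop counts are made up.
SHARED_OUTPUT = """\
name Throughput
maximum-bandwidth 1200000 Kb/sec
guaranteed-bandwidth 50000 Kb/sec
current-bandwidth 0 B/sec
priority 1
packets dropped 0
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 Kb/sec guaranteed-bandwidth 25 Kb/sec current-bandwidth 51 Kb/sec priority 3 dropped 1291985
"""
PER_IP_OUTPUT = """\
name accounting_group
maximum-bandwidth 200000 Kb/sec maximum-concurrent-session 55 packet dropped 3264220
"""

BW_RE = re.compile(r"(maximum|guaranteed|current)-bandwidth (\d+) (Kb|B)/sec")
INT_RE = re.compile(r"(priority|maximum-concurrent-session|dropped) (\d+)")

def parse_shapers(text):
    """Return one dict per shaper; bandwidth fields keep their printed unit."""
    shapers = []
    for block in re.split(r"^name ", text, flags=re.M)[1:]:
        name, _, body = block.partition("\n")
        shaper = {"name": name.strip(), "dropped": 0}
        for kind, value, unit in BW_RE.findall(body):
            shaper[kind + "-bandwidth"] = (int(value), unit + "/sec")
        for key, value in INT_RE.findall(body):
            shaper[key] = int(value)
        shapers.append(shaper)
    return shapers

def dropping_shapers(text):
    """Names and drop counts of shapers whose drop counter is non-zero."""
    return [(s["name"], s["dropped"]) for s in parse_shapers(text) if s["dropped"]]

def above_maximum(text):
    """Shared shapers whose current rate exceeds their maximum (compared only
    when both values are printed in the same unit); this explains the drops."""
    hits = []
    for s in parse_shapers(text):
        cur, mx = s.get("current-bandwidth"), s.get("maximum-bandwidth")
        if cur and mx and cur[1] == mx[1] and cur[0] > mx[0]:
            hits.append(s["name"])
    return hits

if __name__ == "__main__":
    print(dropping_shapers(SHARED_OUTPUT), dropping_shapers(PER_IP_OUTPUT))
    print(above_maximum(SHARED_OUTPUT))
```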
Packet loss with the debug flow
When using the debug flow diagnostic command, a specific message indicates that a packet has exceeded the shaper limits and was therefore discarded:
diagnose debug flow show console enable
diagnose debug flow filter addr 10.143.0.5
diagnose debug flow trace start 1000
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
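The drop message above names no packet, so correlating it with the earlier lines of the same trace_id is what makes the trace useful. The following script, added as an example and not part of the FortiGate documentation, groups debug flow lines by trace_id, reports the 5-tuple, ingress port and session id of every trace that ended in a shaper drop, and gives the dropped/total trace ratio for the captured window. The trace lines are constructed in the format shown above; the second trace and its session id are made up.

```python
import re

# Constructed trace lines in the format shown above (the session ids, trace ids
# and addresses are made up); trace 11 is dropped by the shaper, trace 12 is not.
TRACE = """\
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
id=20085 trace_id=12 msg="vd-root received a packet(proto=6, 10.141.0.11:40112->10.143.0.5:80) from port5."
id=20085 trace_id=12 msg="Find an existing session, id-0000eabd, original direction"
"""

LINE_RE = re.compile(r'trace_id=(\d+) msg="(.*)"')
PKT_RE = re.compile(r"proto=(\d+), (\S+)->(\S+)\) from (\S+)\.")
SESS_RE = re.compile(r"session, (id-[0-9a-f]+)")
DROP_MSG = "exceeded shaper limit, drop"

def group_traces(text):
    """Collect each trace_id's msg strings in order of appearance."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces.setdefault(int(m.group(1)), []).append(m.group(2))
    return traces

def shaper_drops(text):
    """One record per trace that ended in a shaper drop, with the packet's
    addresses, protocol, ingress port and session id from the earlier messages."""
    drops = []
    for trace_id, msgs in group_traces(text).items():
        if DROP_MSG not in msgs:
            continue
        rec = {"trace_id": trace_id}
        for msg in msgs:
            if pkt := PKT_RE.search(msg):
                rec.update(proto=int(pkt.group(1)), src=pkt.group(2),
                           dst=pkt.group(3), ingress=pkt.group(4))
            if sess := SESS_RE.search(msg):
                rec["session"] = sess.group(1)
        drops.append(rec)
    return drops

def drop_ratio(text):
    """(dropped traces, total traces) for the captured window."""
    traces = group_traces(text)
    return sum(DROP_MSG in msgs for msgs in traces.values()), len(traces)

if __name__ == "__main__":
    for rec in shaper_drops(TRACE):
        print(rec)
    print("dropped/total traces:", drop_ratio(TRACE))
```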
Session list details with dual traffic shaper
When a Security Policy has a different traffic shaper for each direction, it is reflected in the session list output from the CLI:
diagnose system session list
session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sock flag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec
reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec
ha_id=0 hakey=44020
policy_dir=0 tunnel=/
state=may_dirty rem os rs
statistic(bits/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=10.160.0.1/0.0.0.0
hook=pre dir=org act=dnat 192.168.171.243:2538->192.168.182.110:80(10.160.0.1:80)
hook=post dir=reply act=snat 10.160.0.1:80->192.168.171.243:2538(192.168.182.110:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0
Additional Information
- Packets discarded by the shaper affect flow-control mechanisms such as TCP. For more accurate test results, prefer the UDP protocol.
- Traffic shaping accuracy is optimum for security policies without a protection profile where no FortiGate content inspection is processed.
- Do not oversubscribe the outbandwidth throughput; for example, sum[guaranteed BW] < outbandwidth. For accurate bandwidth calculation, the "outbandwidth" parameter must be set on the interfaces. For more information, see Bandwidth guarantee, limit, and priority interactions on page 2468.
- The FortiGate unit does not prioritize traffic based on the DSCP marking configured in the security policy. However, ToS-based prioritizing can be done at ingress. For more information, see Traffic shaping methods on page 2476.