Troubleshooting traffic shaping
You can use the following troubleshooting tips to diagnose traffic shapers and determine whether they're working correctly.
Verifying Ethernet statistics for network interfaces
To optimize traffic shaping performance, ensure that the Ethernet statistics for the network interfaces don't show errors, collisions, or buffer overruns. To see traffic statistics, enter the following command in the FortiGate CLI:
diagnose hardware deviceinfo nic <interface_name>
If the Ethernet statistics show that there are issues, adjust the settings for the FortiGate and the routers, or other devices that are connected to the FortiGate.
Once the Ethernet statistics are clean, you may want to use only some of the QoS techniques on the FortiGate or configure them differently.
Viewing information about traffic shapers
You can use diagnose commands to verify the configuration and flow of traffic, including packet loss due to traffic shaping. These diagnose commands support both IPv4 and IPv6.
Viewing information about ToS traffic
To view information about the ToS lists and traffic, enter the following CLI command:
diagnose sys tos-based-priority
You can see the priority value that's currently associated with each possible ToS bit value. Priority values are displayed in the order of their corresponding ToS bit values, from lowest to highest. The values range from 0 to 15.
For example, if you configured ToS-based priorities, the following result is displayed:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
This shows that all packets are currently using the same default priority, which is high (0).
If you configured a ToS-based priority of low (2) for packets with a ToS bit value of 3, the result displays a 0 for packets using the default priority and a 2 for packets with a ToS bit value of 3. The following shows an example output:
0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0
Viewing information about shared policy traffic shapers
To view information about shared policy traffic shapers, enter the following CLI command:
diagnose firewall shaper traffic-shaper list
Information about all available shared policy traffic shapers is displayed. The following shows an example output:
name medium-priority
maximum-bandwidth 131072 KB/sec
guaranteed-bandwidth 50000 KB/sec
current-bandwidth 0 B/sec
priority 3
tos ff
packets dropped 0
bytes dropped 0
To view the total number of shared policy traffic shapers on the FortiGate, enter the following CLI command:
diagnose firewall shaper traffic-shaper state
To view summary statistics for the shared policy traffic shapers, enter the following CLI command:
diagnose firewall shaper traffic-shaper stats
The following shows an example output:
shapers 9 ipv4 0 ipv6 0 drops 0
Viewing information about per-IP traffic shapers
To view information about per-IP traffic shapers, enter the following CLI command:
diagnose firewall shaper per-ip-shaper list
Information about all available per-IP traffic shapers is displayed. The following shows an example output:
name accounting_group
maximum-bandwidth 200000 Kb/sec
maximum-concurrent-session 55
packet dropped 0
To view the total number of per-IP traffic shapers on the FortiGate, enter the following CLI command:
diagnose firewall shaper per-ip-shaper state
To view summary statistics for the per-IP traffic shapers, enter the following CLI command:
diagnose firewall shaper per-ip-shaper stats
The following shows an example output:
memory allocated 3 packet dropped: 0
To clear the per-IP traffic shaper statistics and start a new diagnosis, enter the following CLI command:
diagnose firewall shaper per-ip-shaper clear
Viewing dropped packet counters
You can verify if packets were discarded by viewing dropped packet counters for each type of traffic shaper.
To view dropped packet counters for shared policy traffic shapers, enter the following CLI command:
diagnose firewall shaper {traffic-shaper | per-ip-shaper} list
The following shows an example output for shared policy traffic shapers:
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 Kb/sec
guaranteed-bandwidth 25 Kb/sec
current-bandwidth 51 Kb/sec
priority 3
dropped 1291985
To view dropped packet counters for per-IP traffic shapers, enter the following CLI command:
diagnose firewall shaper per-ip-shaper list
The following shows an example output for per-IP traffic shapers:
name accounting_group
maximum-bandwidth 200000 Kb/sec
maximum-concurrent-session 55
packet dropped 3264220
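When the list output is collected from many shapers or several devices, reading the counters by eye does not scale. The following is an added example, not Fortinet code: it parses saved `list` output in the layouts shown on this page and flags shapers that have dropped packets or whose current bandwidth exceeds the configured maximum. The function names and the unit scale (B = bytes, b = bits, K = 1000) are assumptions.

```python
import re

# Constructed input: two example outputs from this page, concatenated.
SAMPLE = """\
name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 Kb/sec
guaranteed-bandwidth 25 Kb/sec
current-bandwidth 51 Kb/sec
priority 3
dropped 1291985
name accounting_group
maximum-bandwidth 200000 Kb/sec
maximum-concurrent-session 55
packet dropped 3264220
"""

# Assumed unit scale (not stated on the page): B = bytes, b = bits, K = 1000.
UNIT_BPS = {"B": 8, "KB": 8000, "Kb": 1000}

def parse_shapers(text):
    """Return one dict per shaper; a 'name' line starts a new record."""
    shapers = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("name "):
            shapers.append({"name": line.split(None, 1)[1], "dropped": 0})
        elif shapers:
            cur = shapers[-1]
            bw = re.fullmatch(r"(\S+-bandwidth) (\d+) (\S+)/sec", line)
            drop = re.fullmatch(r"(?:(packets?|bytes) )?dropped (\d+)", line)
            if bw:  # normalise to bits/sec; unknown units raise KeyError
                cur[bw.group(1)] = int(bw.group(2)) * UNIT_BPS[bw.group(3)]
            elif drop and drop.group(1) != "bytes":  # count packets, not bytes
                cur["dropped"] = int(drop.group(2))
    return shapers

def findings(shapers):
    """Flag shapers that dropped packets or are running above their maximum."""
    out = []
    for s in shapers:
        if s["dropped"] > 0:
            out.append((s["name"], "dropped", s["dropped"]))
        cur, mx = s.get("current-bandwidth"), s.get("maximum-bandwidth")
        if cur is not None and mx is not None and cur > mx:
            out.append((s["name"], "over-maximum", cur - mx))
    return out

if __name__ == "__main__":
    for finding in findings(parse_shapers(SAMPLE)):
        print(*finding)
```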
Viewing discarded packets that exceeded diagnosing limits
You can use debug flow diagnostics commands to see when a packet has exceeded the diagnose firewall shaper limits and was discarded.
To view discarded packets that exceeded diagnosing limits, enter the following CLI commands:
diagnose debug flow show console enable
diagnose debug flow filter addr 10.143.0.5
diagnose debug flow trace start 1000
The following shows an example output:
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
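A trace of 1000 packets produces several lines per packet, and the drop message itself carries no addresses. The following is an added example, not Fortinet code: it groups captured debug flow lines by `trace_id` and returns the flow details for each packet that ended in "exceeded shaper limit, drop". The function and field names are assumptions, and the last two sample lines (trace 12) are constructed.

```python
import re

# First three lines are the example output above; trace 12 is constructed.
SAMPLE = '''\
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
id=20085 trace_id=12 msg="vd-root received a packet(proto=17, 10.141.0.12:4000->10.143.0.5:5001) from port5."
id=20085 trace_id=12 msg="Find an existing session, id-0000eabd, original direction"
'''

LINE = re.compile(r'id=\d+ trace_id=(\d+) msg="(.*)"$')
PKT = re.compile(
    r"(\S+) received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+?)\.?$")
SESS = re.compile(r"Find an existing session, id-([0-9a-f]+)")
DROP = "exceeded shaper limit, drop"

def shaper_drops(text):
    """Return one record per traced packet that the shaper discarded."""
    traces, dropped = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip prompts, blank lines and unrelated console output
        tid, msg = int(m.group(1)), m.group(2)
        rec = traces.setdefault(tid, {"trace_id": tid})
        if (p := PKT.match(msg)):
            rec.update(vd=p.group(1), proto=int(p.group(2)),
                       src=p.group(3), dst=p.group(4), iface=p.group(5))
        elif (s := SESS.match(msg)):
            rec["session"] = s.group(1)
        elif msg == DROP:
            dropped.append(rec)
    return dropped

if __name__ == "__main__":
    for d in shaper_drops(SAMPLE):
        print(d["trace_id"], d.get("proto"), d.get("src"), "->", d.get("dst"),
              "in", d.get("iface"), "session", d.get("session"))
```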
Viewing details for dual traffic shapers in the session list
The session list output shows when a security policy has a different traffic shaper for each direction.
To view the session list output, enter the following CLI command:
diagnose sys session list
The following shows an example output:
session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec
reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec
ha_id=0 hakey=44020
policy_dir=0 tunnel=/
state=may_dirty rem os rs
statistic(bits/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=10.160.0.1/0.0.0.0
hook=pre dir=org act=dnat 192.168.171.243:2538->192.168.182.110:80(10.160.0.1:80)
hook=post dir=reply act=snat 10.160.0.1:80->192.168.171.243:2538(192.168.182.110:80)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0