FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 24 - Traffic Shaping > Troubleshooting traffic shaping

Troubleshooting traffic shaping

This chapter outlines some troubleshooting tips and steps to diagnose the shapers and whether they are working correctly. These diagnose commands include:

  • diagnose sys tos-based-priority
  • diagnose firewall shaper traffic-shaper
  • diagnose firewall per-ip-shaper
  • diagnose debug flow

Interface diagnosis

To optimize traffic shaping performance, first ensure that the network interface’s Ethernet statistics are clean of errors, collisions, or buffer overruns. To check the interface, enter the following diagnose command to see the traffic statistics:

diagnose hardware deviceinfo nic <port_name>

Shaper diagnose commands

There are specific diagnose commands you can use to verify the configuration and flow of traffic, including packet loss due to the employed shaper.

All of these diagnose troubleshooting commands are supported in both IPv4 and IPv6.

ToS command

Use the following command to list command to view information of the ToS lists and traffic.

diagnose sys tos-based-priority

 

This example displays the priority value currently correlated with each possible ToS bit value. Priority values are displayed in order of their corresponding ToS bit values, which can range between 0 and 15, from lowest ToS bit value to highest.

For example, if you have not configured ToS-based priorities, the following appears...

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

 

...reflecting that all packets are currently using the same default priority, high (value 0).

If you have configured a ToS-based priority of low (value 2) for packets with a ToS bit value of 3, the following appears...

0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0

 

...reflecting that most packets are using the default priority value, except those with a ToS bit value of 3.

Shared shaper

To view information for the shared traffic shaper for security policies enter the command

diagnose firewall shaper traffic-shaper list

 

The resultant output displays the information on all available shapers. The more shapers available the longer the list. For example:

name Throughput

maximum-bandwidth 1200000 Kb/sec

guaranteed-bandwidth 50000 Kb/sec

current-bandwidth 0 B/sec

priority 1

packets dropped 0

 

Additional commands include:

diagnose firewall shaper traffic-shaper state - provides the total number of traffic shapers on the FortiGate unit.

diagnose firewall shaper traffic-shaper stats - provides summary statistics on the shapers. Sample output looks like the following:

shapers 9 ipv4 0 ipv6 0 drops 0

Per-IP shaper

To view information for the per-IP shaper for security policies enter the command

diagnose firewall shaper per-ip-shaper list

 

The resultant output displays the information on all available per-IP shapers. The more shapers available the longer the list. For example:

name accounting_group

maximum-bandwidth 200000 Kb/sec

maximum-concurrent-session 55

packet dropped 0

 

Additional commands include:

diagnose firewall shaper per-ip-shaper state - provides the total number of per-ip shapers on the FortiGate unit.

diagnose firewall shaper per-ip-shaper stats - provides summary statistics on the shapers. Sample output looks like the following:

memory allocated 3 packet dropped: 0

 

You can also clear the per-ip statistical data to begin a fresh diagnoses using:

diagnose firewall shaper per-ip-shaper clear

Packet loss with statistics on shapers

For each shaper there are counters that allow to verify if packets have been discarded. To view this information, in the CLI, enter the command diagnose firewall shaper. The results will look similar to the following output:

diagnose firewall shaper traffic-shaper list

name limit_GB_25_MB_50_LQ

maximum-bandwidth 50 Kb/sec

guaranteed-bandwidth 25 Kb/sec

current-bandwidth 51 Kb/sec

priority 3

dropped 1291985

 

The diagnose command output is different if the shapers are configured either per-policy or shared between policies.

For per-IP the output would be:

diagnose firewall shaper per-ip-shaper list

 

name accounting_group

maximum-bandwidth 200000 Kb/sec

maximum-concurrent-session 55

packet dropped 3264220

Packet lost with the debug flow

When using the debug flow diagnostic command, there is a specific message information that a packet has exceed the shaper limits and therefor discarded:

diagnose debug flow show console enable

diagnose debug flow filter addr 10.143.0.5

diagnose debug flow trace start 1000

 

id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."

id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"

id=20085 trace_id=11 msg="exceeded shaper limit, drop"

Session list details with dual traffic shaper

When a Security Policy has a different traffic shaper for each direction, it is reflected in the session list output from the CLI:

diagnose sys session list

 

session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sock

flag=00000000 sockport=0 av_idx=0 use=4

origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec

reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec

ha_id=0 hakey=44020

policy_dir=0 tunnel=/

state=may_dirty rem os rs

statistic(bits/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2

orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=10.160.0.1/0.0.0.0

hook=pre dir=org act=dnat 192.168.171.243:2538->192.168.182.110:80(10.160.0.1:80)

hook=post dir=reply act=snat 10.160.0.1:80->192.168.171.243:2538(192.168.182.110:80)

pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0

Additional Information

  • Packets discarded by the shaper impact flow-control mechanisms like TCP. For more accurate testing results prefer UDP protocol.
  • Traffic shaping accuracy is optimum for security policies without a protection profile where no FortiGate content inspection is processed.
  • Do not oversubscribe an outbandwith throughput. For example, sum[guaranteed BW] < outbandwith. For accuracy in bandwidth calculation, it is required to set the “outbandwidth” parameter on the interfaces. For more information see .
  • The FortiGate unit is not prioritizing traffic based on the DSCP marking configured in the security policy. However, ToS based prioritizing can be made at ingress. For more information see Differentiated Services.