Troubleshooting traffic shaping

This chapter outlines some troubleshooting tips and steps to diagnose the traffic shapers and whether they're working correctly. These diagnose commands include:

  • diagnose sys tos-based-priority
  • diagnose firewall shaper traffic-shaper
  • diagnose firewall per-ip-shaper
  • diagnose debug flow

Interface diagnosis

To optimize traffic shaping performance, first ensure that the network interface’s Ethernet statistics are clean of errors, collisions, or buffer overruns. To check the interface, enter the following diagnose command to see the traffic statistics:

diagnose hardware deviceinfo nic <port_name>

Traffic shaper diagnose commands

There are specific diagnose commands you can use to verify the configuration and flow of traffic, including packet loss due to the employed traffic shaper.

All of these diagnose troubleshooting commands are supported in both IPv4 and IPv6.

ToS command

Use the following command to view the ToS priority list and the traffic associated with it:

diagnose sys tos-based-priority

This command displays the priority value currently associated with each possible ToS bit value. Priority values are displayed in order of their corresponding ToS bit values, which range from 0 to 15, from the lowest ToS bit value to the highest.

For example, if you configured ToS-based priorities, the following appears:

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0


This reflects that all packets are currently using the same default priority, high (value 0).

If you configured a ToS-based priority of low (value 2) for packets with a ToS bit value of 3, the following appears:

0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0


This reflects that most packets are using the default priority value, except those with a ToS bit value of 3.
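The 16-value line is easy to misread by eye, so here is a small parser for it. This is an added example, not FortiGate code: it maps each ToS bit value (0 to 15) to its priority and reports only the entries that differ from the default. The names for priority 0 (high) and 2 (low) come from the text above; reporting 1 as "medium" is an assumption not stated on this page.

```python
from typing import Dict

# Priority names: 0 and 2 as documented above; 1 = "medium" is an assumption.
PRIORITY_NAMES = {0: "high", 1: "medium", 2: "low"}

# Constructed sample matching the second example above (ToS 3 set to low).
SAMPLE = "0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0"


def parse_tos_priorities(output: str) -> Dict[int, int]:
    """Map ToS bit value (0-15) -> priority value, validating the line shape."""
    values = [int(tok) for tok in output.split()]
    if len(values) != 16:
        raise ValueError(f"expected 16 priority values, got {len(values)}")
    if any(v < 0 for v in values):
        raise ValueError("priority values must be non-negative")
    # Position in the line is the ToS bit value, lowest first.
    return dict(enumerate(values))


def non_default_priorities(output: str, default: int = 0) -> Dict[int, str]:
    """Return {tos_value: priority_name} for every ToS value not on the default priority."""
    return {
        tos: PRIORITY_NAMES.get(prio, f"unknown({prio})")
        for tos, prio in parse_tos_priorities(output).items()
        if prio != default
    }


if __name__ == "__main__":
    print(non_default_priorities(SAMPLE))  # {3: 'low'}
```

An all-zero line returns an empty dict, which is the quickest way to confirm that no ToS-based priority is in effect on the unit.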

Shared traffic shaper

To view information for the shared traffic shaper for security policies, enter the command:

diagnose firewall shaper traffic-shaper list


The resulting output displays the information on all available traffic shapers. The more traffic shapers that are available, the longer the list. For example:

name Throughput

maximum-bandwidth 1200000 Kb/sec

guaranteed-bandwidth 50000 Kb/sec

current-bandwidth 0 B/sec

priority 1

packets dropped 0


Additional commands include:

diagnose firewall shaper traffic-shaper state - provides the total number of traffic shapers on the FortiGate.

diagnose firewall shaper traffic-shaper stats - provides summary statistics on the shapers. Sample output looks like the following:

shapers 9 ipv4 0 ipv6 0 drops 0

Per-IP traffic shaper

To view information for the per-IP traffic shaper for security policies, enter the command:

diagnose firewall shaper per-ip-shaper list


The resulting output displays the information on all available per-IP traffic shapers. The more traffic shapers that are available, the longer the list. For example:

name accounting_group

maximum-bandwidth 200000 Kb/sec

maximum-concurrent-session 55

packet dropped 0


Additional commands include:

diagnose firewall shaper per-ip-shaper state - provides the total number of per-ip traffic shapers on the FortiGate.

diagnose firewall shaper per-ip-shaper stats - provides summary statistics on the traffic shapers. Sample output looks like the following:

memory allocated 3 packet dropped: 0


You can also clear the per-ip statistical data to begin a fresh diagnosis using:

diagnose firewall shaper per-ip-shaper clear

Packet loss with statistics on traffic shapers

For each traffic shaper there are counters that allow you to verify if packets have been discarded. To view this information, enter the diagnose firewall shaper command in the CLI. The results look similar to the following output:

diagnose firewall shaper traffic-shaper list

name limit_GB_25_MB_50_LQ

maximum-bandwidth 50 Kb/sec

guaranteed-bandwidth 25 Kb/sec

current-bandwidth 51 Kb/sec

priority 3

dropped 1291985


The diagnose command output differs depending on whether the shapers are configured per policy or shared between policies.

For a per-IP shaper the output is:

diagnose firewall shaper per-ip-shaper list

name accounting_group

maximum-bandwidth 200000 Kb/sec

maximum-concurrent-session 55

packet dropped 3264220
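The shared and per-IP shaper lists above share one record layout (a name line followed by key/value lines), but the drop counter is spelled three different ways across the examples and bandwidths mix Kb/sec and B/sec. The following added example (not FortiGate code) parses both list formats into one record per shaper and flags the two conditions the Shared traffic shaper, Per-IP traffic shaper and Packet loss sections tell you to look for: a non-zero drop counter and a current bandwidth above the configured maximum. The sample output is constructed from the records shown on this page; treating Kb as 1000 bits, Mb as 1,000,000 bits and B as 8 bits is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample combining the record shapes shown on this page.
SAMPLE_OUTPUT = """\
name Throughput
maximum-bandwidth 1200000 Kb/sec
guaranteed-bandwidth 50000 Kb/sec
current-bandwidth 0 B/sec
priority 1
packets dropped 0

name limit_GB_25_MB_50_LQ
maximum-bandwidth 50 Kb/sec
guaranteed-bandwidth 25 Kb/sec
current-bandwidth 51 Kb/sec
priority 3
dropped 1291985

name accounting_group
maximum-bandwidth 200000 Kb/sec
maximum-concurrent-session 55
packet dropped 3264220
"""

# Scaling to bits/sec. Assumption: Kb = 1000 bits, Mb = 1,000,000 bits, B = 8 bits.
UNIT_BITS = {"Kb/sec": 1000, "Mb/sec": 1_000_000, "B/sec": 8}
BW_RE = re.compile(r"^(?P<key>[\w-]+bandwidth)\s+(?P<value>\d+)\s+(?P<unit>[KMG]?[Bb]/sec)$")
# Accepts "packets dropped N", "packet dropped N", "dropped N" and "packet dropped: N".
DROP_RE = re.compile(r"^(?:packets?\s+)?dropped:?\s+(?P<value>\d+)$")


def parse_shaper_list(output: str) -> List[Dict]:
    """Split list output into one dict per shaper; bandwidths normalised to bits/sec."""
    shapers: List[Dict] = []
    current: Optional[Dict] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("name "):
            current = {"name": line.split(None, 1)[1], "dropped": 0}
            shapers.append(current)
            continue
        if current is None:
            raise ValueError(f"field before any 'name' line: {line!r}")
        m = BW_RE.match(line)
        if m:
            unit = m.group("unit")
            if unit not in UNIT_BITS:
                raise ValueError(f"unknown bandwidth unit {unit!r}")
            current[m.group("key")] = int(m.group("value")) * UNIT_BITS[unit]
            continue
        m = DROP_RE.match(line)
        if m:
            current["dropped"] = int(m.group("value"))
            continue
        # Any other "key value" line (priority, maximum-concurrent-session, ...).
        key, _, value = line.partition(" ")
        current[key] = int(value) if value.isdigit() else value
    return shapers


def problem_shapers(output: str) -> Dict[str, List[str]]:
    """Return {shaper name: [reasons]} for shapers that need a closer look."""
    problems: Dict[str, List[str]] = {}
    for s in parse_shaper_list(output):
        reasons = []
        if s["dropped"] > 0:
            reasons.append(f"{s['dropped']} packets dropped")
        cur, max_bw = s.get("current-bandwidth"), s.get("maximum-bandwidth")
        if cur is not None and max_bw is not None and cur > max_bw:
            reasons.append("current bandwidth above maximum")
        if reasons:
            problems[s["name"]] = reasons
    return problems


if __name__ == "__main__":
    for name, reasons in problem_shapers(SAMPLE_OUTPUT).items():
        print(name, "->", "; ".join(reasons))
```

Run it against the saved output of either list command after a `clear`, and the drop counters that grow between two runs tell you which shaper is doing the discarding.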

Packet loss with the debug flow

When using the debug flow diagnostic command, a specific message indicates that a packet exceeded the shaper limits and was therefore discarded:

diagnose debug flow show console enable

diagnose debug flow filter addr 10.143.0.5

diagnose debug flow trace start 1000

id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."

id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"

id=20085 trace_id=11 msg="exceeded shaper limit, drop"
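With a trace of 1000 packets, the drop message is rarely next to the packet it belongs to, so the useful step is to correlate lines by trace_id. This added example (not FortiGate code) groups debug flow lines by trace_id, keeps the traces that end in "exceeded shaper limit, drop", and pulls the 5-tuple and ingress interface out of the matching "received a packet" line. The sample trace reuses the three lines above and adds a constructed second trace (trace_id 12) that was not dropped.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: the page's three lines plus one forwarded trace.
SAMPLE_TRACE = """\
id=20085 trace_id=11 msg="vd-root received a packet(proto=17, 10.141.0.11:3735->10.143.0.5:5001) from port5."
id=20085 trace_id=11 msg="Find an existing session, id-0000eabc, original direction"
id=20085 trace_id=11 msg="exceeded shaper limit, drop"
id=20085 trace_id=12 msg="vd-root received a packet(proto=6, 10.141.0.11:4410->10.143.0.5:80) from port5."
id=20085 trace_id=12 msg="Find an existing session, id-0000eac1, original direction"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+msg="(?P<msg>.*)"$')
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+),\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)\s+from\s+(?P<iface>\S+)\."
)
DROP_MSG = "exceeded shaper limit, drop"


def group_traces(output: str) -> Dict[str, List[str]]:
    """Collect the msg text of each trace_id in the order it was printed."""
    traces: Dict[str, List[str]] = defaultdict(list)
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces[m.group("tid")].append(m.group("msg"))
    return dict(traces)


def shaper_drops(output: str) -> List[Dict[str, str]]:
    """One record per trace whose packet was discarded by a shaper."""
    drops = []
    for tid, msgs in group_traces(output).items():
        if DROP_MSG not in msgs:
            continue
        record = {"trace_id": tid}
        for msg in msgs:
            pm = PKT_RE.search(msg)
            if pm:  # proto/src/sport/dst/dport/iface of the dropped packet
                record.update(pm.groupdict())
                break
        drops.append(record)
    return drops


def drops_per_destination(output: str) -> Dict[str, int]:
    """Count shaper drops by destination ip:port, the view that matches the filter above."""
    counts: Dict[str, int] = defaultdict(int)
    for d in shaper_drops(output):
        counts[f"{d.get('dst')}:{d.get('dport')}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for d in shaper_drops(SAMPLE_TRACE):
        print(d)
    print(drops_per_destination(SAMPLE_TRACE))
```

Because the trace is filtered on one address, a per-destination count that keeps rising while the matching shaper's current-bandwidth sits at its maximum confirms the shaper, not a policy or route, is the reason for the loss.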

Session list details with dual traffic shaper

When a security policy has a different traffic shaper for each direction, it's reflected in the session list output from the CLI:

diagnose sys session list

session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4

origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec

reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec

ha_id=0 hakey=44020

policy_dir=0 tunnel=/

state=may_dirty rem os rs

statistic(bits/packets/allow_err): org=96/2/1 reply=0/0/0 tuples=2

orgin->sink: org pre->post, reply pre->post dev=2->3/3->2 gwy=10.160.0.1/0.0.0.0

hook=pre dir=org act=dnat 192.168.171.243:2538->192.168.182.110:80(10.160.0.1:80)

hook=post dir=reply act=snat 10.160.0.1:80->192.168.171.243:2538(192.168.182.110:80)

pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0
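Reading the two shaper lines out of a long session list by hand is tedious once there are more than a few sessions. The following added example (not FortiGate code) walks session list output, records the origin-shaper and reply-shaper line of each session, and expresses the current traffic of each direction as a fraction of that direction's guarantee and maximum. The page does not label the units of the guarantee/max/traffic numbers, so only unitless ratios are derived. The sample is constructed from the session above plus a second, single-shaper session with made-up values.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the page's dual-shaper session (abbreviated) and a
# second session that only has an origin shaper (constructed values).
SAMPLE_SESSIONS = """\
session info: proto=6 proto_state=02 expire=115 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 48/sec
reply-shaper=Limit_100Mbps prio=1 guarantee 102400/sec max 204800/sec traffic 0/sec
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=00011e81 tos=ff/ff app=0 dd_type=0 dd_rule_id=0
session info: proto=17 proto_state=01 expire=170 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=Limit_25Mbps prio=1 guarantee 25600/sec max 204800/sec traffic 30720/sec
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0 serial=00011e90 tos=ff/ff app=0 dd_type=0 dd_rule_id=0
"""

SHAPER_RE = re.compile(
    r"^(?P<dir>origin|reply)-shaper=(?P<name>\S+)\s+prio=(?P<prio>\d+)\s+"
    r"guarantee\s+(?P<guarantee>\d+)/sec\s+max\s+(?P<max>\d+)/sec\s+traffic\s+(?P<traffic>\d+)/sec$"
)
SERIAL_RE = re.compile(r"\bserial=(?P<serial>[0-9a-f]+)")


def parse_session_shapers(output: str) -> List[Dict]:
    """One dict per session: its serial and a {direction: shaper fields} map."""
    sessions: List[Dict] = []
    current: Optional[Dict] = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            current = {"shapers": {}}
            sessions.append(current)
            continue
        if current is None:
            continue
        m = SHAPER_RE.match(line)
        if m:
            fields = m.groupdict()
            direction = fields.pop("dir")
            current["shapers"][direction] = {
                k: (v if k == "name" else int(v)) for k, v in fields.items()
            }
            continue
        sm = SERIAL_RE.search(line)
        if sm:
            current["serial"] = sm.group("serial")
    return sessions


def shaper_utilisation(output: str) -> List[Dict]:
    """Per session and direction: traffic as a fraction of guarantee and of max."""
    rows = []
    for s in parse_session_shapers(output):
        for direction, sh in s["shapers"].items():
            rows.append({
                "serial": s.get("serial"),
                "direction": direction,
                "shaper": sh["name"],
                "prio": sh["prio"],
                "of_guarantee": round(sh["traffic"] / sh["guarantee"], 4) if sh["guarantee"] else None,
                "of_max": round(sh["traffic"] / sh["max"], 4) if sh["max"] else None,
                "dual": len(s["shapers"]) == 2,  # a different shaper per direction
            })
    return rows


if __name__ == "__main__":
    for row in shaper_utilisation(SAMPLE_SESSIONS):
        print(row)
```

A ratio above 1.0 in `of_guarantee` means that direction is running in the band between its guarantee and its maximum, which is exactly where priority starts to decide who gets dropped.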

Additional information

  • Packets discarded by the traffic shaper impact flow-control mechanisms like TCP. For more accurate testing results, use the UDP protocol.
  • Traffic shaping accuracy is best for security policies without a protection profile, where no FortiGate content inspection is performed.
  • Don't oversubscribe an interface's outbandwidth throughput. For example, sum[guaranteed BW] < outbandwidth. For accuracy in bandwidth calculation, the “outbandwidth” parameter must be set on the interfaces. For more information, see Bandwidth guarantee, limit, and priority interactions.
  • The FortiGate doesn't prioritize traffic based on the DSCP marking configured in the security policy. However, ToS-based prioritization can be applied at ingress. For more information, see Traffic shaping methods.