
9500 and Fortinet lost packets

antoine.bak.59
Level 1

Hello,

I have core switches 9500 connected to a Fortigate 600F.

The Fortigate owns layer 3.

When there are just a few devices connected, all is working well.

However, with more clients connected, around 1,000, we start to lose packets and the clients encounter disconnections.

9500 version: 17.9.2

Did you see issues in the past between the 9500 and Fortinet?

Thanks

Accepted Solution

antoine.bak.59
Level 1

Hello,

Thank you so much for your support.

Issue is solved.

The 9500 is Meraki monitored.

This has created tracking on all the interfaces, including the interfaces towards the firewall:

interface port-channel
 device-tracking attach-policy MERAKI_POLICY

With show device-tracking messages, we can observe packet drops on the port channel between the 9500 and the Fortinet.

The solution is to apply this on all the interfaces, especially on the ports towards the gateway:

device-tracking attach-policy NOTRACK
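As an added example (not from this thread, and not Cisco's or Meraki's code), the check below audits an IOS-XE running-config for the situation described in the accepted solution: a gateway-facing link that still carries a device-tracking policy other than the one meant to switch tracking off. It assumes NOTRACK is a user-defined policy whose body contains `tracking disable` (the thread does not show how NOTRACK was defined), it identifies gateway-facing links by their interface description, and the running-config excerpt is constructed for the example, not the poster's own.

```python
"""Audit an IOS-XE running-config for device-tracking policies on gateway-facing links.

Added example; not from the thread. Assumes NOTRACK is a user-defined policy
with 'tracking disable' in its body. SAMPLE_CONFIG is a constructed excerpt.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt (not the poster's config).
SAMPLE_CONFIG = """\
device-tracking policy NOTRACK
 tracking disable
!
interface Port-channel1
 description Uplink to FortiGate 600F
 switchport mode trunk
 device-tracking attach-policy MERAKI_POLICY
!
interface Port-channel2
 description Uplink to FortiGate 600F (standby)
 switchport mode trunk
 device-tracking attach-policy NOTRACK
!
interface TenGigabitEthernet1/0/1
 description Downlink to access switch
 switchport mode trunk
 device-tracking attach-policy MERAKI_POLICY
!
"""


@dataclass
class Interface:
    name: str
    description: str = ""
    policy: Optional[str] = None  # attached device-tracking policy, if any


def parse_config(text: str) -> Tuple[Dict[str, Interface], Dict[str, List[str]]]:
    """Return (interfaces by name, device-tracking policies by name -> sub-commands)."""
    interfaces: Dict[str, Interface] = {}
    policies: Dict[str, List[str]] = {}
    current: Optional[Tuple[str, str]] = None  # (block kind, block key)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' or a blank line ends the current block
            continue
        if not line.startswith(" "):
            m = re.match(r"interface (\S+)$", line)
            if m:
                interfaces[m.group(1)] = Interface(m.group(1))
                current = ("interface", m.group(1))
                continue
            m = re.match(r"device-tracking policy (\S+)$", line)
            if m:
                policies[m.group(1)] = []
                current = ("policy", m.group(1))
                continue
            current = None  # some other global command
            continue
        if current is None:
            continue
        sub = line.strip()
        kind, key = current
        if kind == "policy":
            policies[key].append(sub)
        else:
            iface = interfaces[key]
            if sub.startswith("description "):
                iface.description = sub[len("description "):]
            m = re.match(r"device-tracking attach-policy (\S+)$", sub)
            if m:
                iface.policy = m.group(1)
    return interfaces, policies


def policy_disables_tracking(text: str, policy_name: str) -> bool:
    """True if the named policy exists and contains 'tracking disable'."""
    _, policies = parse_config(text)
    return "tracking disable" in policies.get(policy_name, [])


def flagged_interfaces(text: str,
                       gateway_regex: str = r"fortigate|fortinet|firewall|gateway",
                       safe_policy: str = "NOTRACK") -> List[Tuple[str, str]]:
    """Gateway-facing interfaces (by description) that carry a tracking policy
    other than safe_policy. An interface with no attached policy is left alone."""
    interfaces, _ = parse_config(text)
    pat = re.compile(gateway_regex, re.IGNORECASE)
    return [(i.name, i.policy) for i in interfaces.values()
            if pat.search(i.description) and i.policy not in (None, safe_policy)]


def remediation_cli(names: List[str], safe_policy: str = "NOTRACK") -> str:
    """IOS-XE configuration lines that attach safe_policy to each named interface."""
    lines: List[str] = []
    for name in names:
        lines += [f"interface {name}", f" device-tracking attach-policy {safe_policy}", "!"]
    return "\n".join(lines)


if __name__ == "__main__":
    if not policy_disables_tracking(SAMPLE_CONFIG, "NOTRACK"):
        print("policy NOTRACK is missing or does not contain 'tracking disable'")
    found = flagged_interfaces(SAMPLE_CONFIG)
    for name, policy in found:
        print(f"{name}: gateway-facing link still has tracking policy {policy}")
    print(remediation_cli([name for name, _ in found]))
```

Run against a saved `show running-config` and it lists the uplinks still tracked, then prints the lines to paste into configuration mode. The description-based match is a convention of this example; on a real switch, check the interface that actually carries the port channel to the firewall.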

5 Replies

marce1000
Hall of Fame

  - What is the traffic load on the Fortigate?
  - Is the Fortigate sufficiently strong to handle the (expected) traffic, according to the specifications of the device?

  M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

balaji.bandi
Hall of Fame

1000 clients on LAN or wireless?

What does your network look like? Only the Cat 9500 alone in the network, or are there other Layer 2 LAN switches?

Check whether any interface in the path has interface errors or CRC errors.

For testing, when you connect a device to the Cat 9500 at peak time and a client to a LAN switch and run an iperf test, what is the outcome?

BB

antoine.bak.59
Level 1

Let me reply later on this point when I have the answer.

In the meantime, I have an idea. We can see a lot of ARP requests without reply from the switches to the gateway, which is the Fortinet. In the captures I saw TCP retransmissions and deduplications.

We know that the ARP timeout is configured to only 30 sec on the Fortinet, compared to 4 hours on Cisco. The difference is too big; could it be an explanation, in your opinion?

I am thinking of putting 600 sec or 900 sec, the same value on the Forti and Cisco sides. What do you recommend?

balaji.bandi
Hall of Fame

It's all a requirement. Lowering the ARP timeout is an option you can set up; it will not harm you. If you like, try that option and monitor it (but personally I do not think that is the issue).

Check the CPU and logs on the switch, and also the CPU on the Fortinet (what model?). What features are used on the Fortinet?

But Cat 9500s are core switches, so they should be able to handle significant traffic (I have a real-time use case where 20K users use our core, and we do not see that issue).

BB
