This article describes how to fix an issue where traffic fails when ‘set inbandwidth’ or ‘set outbandwidth’ is configured on the interface.
Scope
FortiOS 7.0.11 and above, 7.2.6 and above, 7.4, 7.6, NPU.
Solution
Sometimes after a firmware upgrade, FortiGate traffic starts failing on the interface and even the IP address configured on the interface is not reachable.
config system interface
    edit "VLAN 1118"
        set vdom "Internet"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
        set inbandwidth 10000
        set monitor-bandwidth enable
        set role lan
        set snmp-index 53
        set interface "port1"
        set vlanid 1118
    next
end
Running a sniffer in this case shows that ARP requests are reaching the FortiGate, and an ARP reply is also seen with an NPU sniffer, but the traffic still fails. The ARP reply is dropped at the NPU and never makes it to the FortiGate, so ARP resolution fails.
diagnose sniffer packet any 'host 192.168.1.1 and arp' 4 0 a
interfaces=[any]
filters=[host 192.168.1.1 and arp]
2024-04-22 08:48:41.454732 VLAN 1118 out arp who-has 192.168.1.100 tell 192.168.1.1
2024-04-22 08:48:41.454737 port3 out arp who-has 192.168.1.100 tell 192.168.1.1
2024-04-22 08:48:41.455056 npudbg in arp reply 192.168.1.100 is-at 00:70:6f:72:27:02 <- The client is responding, but this packet gets dropped at NPU.
This is a known issue that was identified and documented under bug ID 901621. See the FortiOS v7.2.6 release notes and FortiOS v7.6.0 release notes.
The workaround is to disable inbandwidth/outbandwidth on the interface.
config system interface
    edit "VLAN 1118"
        unset inbandwidth
    next
end
Note: For details regarding the fix, check the release notes of newer FortiOS releases.
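To find which interfaces the workaround applies to, a configuration backup can be scanned for interfaces that have 'set inbandwidth' or 'set outbandwidth' configured. The script below is an added example, not Fortinet code; the sample configuration is constructed, the function name is hypothetical, and treating a value of 0 as "no limit" is an assumption.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from a real device).
SAMPLE_CONFIG = '''\
config system interface
    edit "port1"
        set vdom "root"
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "VLAN 1118"
        set vdom "Internet"
        set inbandwidth 10000
        set interface "port1"
        set vlanid 1118
    next
    edit "wan1"
        set outbandwidth 50000
    next
end
'''

def find_shaped_interfaces(config_text):
    """Return {interface: {setting: value}} for in/outbandwidth limits."""
    findings, stack, iface = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])   # entering a (possibly nested) section
        elif line == "end":
            if stack:
                stack.pop()
        elif stack == ["system interface"]:       # only top-level interface settings
            if line == "next":
                iface = None
                continue
            edit = re.match(r'edit\s+"?(.*?)"?$', line)
            if edit:
                iface = edit.group(1)
                continue
            setting = re.match(r'set (inbandwidth|outbandwidth)\s+(\d+)$', line)
            # Assumption: 0 means no limit, so only non-zero values are reported.
            if setting and iface and int(setting.group(2)) > 0:
                findings.setdefault(iface, {})[setting.group(1)] = int(setting.group(2))
    return findings

if __name__ == "__main__":
    for name, limits in find_shaped_interfaces(SAMPLE_CONFIG).items():
        print(name, limits)
```

Each interface it reports is a candidate for the 'unset inbandwidth' / 'unset outbandwidth' workaround on an affected release.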