Tuesday, January 9, 2018

Repost from /r/fortinet - Advanced Fortigate firewall t-shoot requested - Skype4Biz / G2Meeting user experience choppy

Reposting from /r/fortinet as it doesn't seem very active


Hi everyone,

Technical details:

Hardware:

- Site A (~130 people): Fortigate 100D (A/S HA pair), v5.2.4. CPU > 20%, Mem > 65%, Session > 20 peak
- Site B (~20 people): Fortigate 80E (A/S HA pair), v5.4.5. CPU > 10%, Mem > 45%, Session > 3k peak

Topology:

- Site A: L3 switch with multiple VLANs, upstream static to HA Fortigate; Fortigate has dual WAN with primary/secondary
- Site B: same as A

SSL inspection = off
Explicit proxy = off

Issue description:

In both site A and site B I have an intermittent but irritatingly common user experience while using the in-app audio (not hard line call-in) features of popular conferencing applications like Skype4Biz, Go2Meeting, Webex, etc. Users will randomly get a warning from the app that their network connectivity is poor, with occasional audio latency and loss for some/all participants. Site B didn't have this issue until a recent network hardware refresh that included swapping out a legacy firewall with the 80E HA pair above.

T-Shooting done so far:

1. I created a UTM bypass destination ACL/NAT rule above my normal outbound internet NAT/ACL. In this ACL I put a group as the destination and filled it with wildcard hostnames and literally **hundreds** of static IPv4 public network entries (Skype = MS = Azure = holy crap, let's put Skype all over the damn place) for the above popular internet conferencing apps. This was at Fortinet's TAC support's request.
2. After #1 didn't make a difference over a few weeks of testing with heavy conference users, in an effort to narrow down the issue, we turned off all UTM features on outbound internet ACL/NAT rules. Same result.
3. After #3 didn't make a difference over a few weeks of testing with heavy conference users, in an effort to narrow down the issue, we disabled UTM features (AV, IPS, Application Control, Web content filter, DLP, Explicit Proxy (wasn't turned on in Site B), VoIP (wasn't turned on in Site B)). This was over the holiday break so I'm hoping to get full feedback; however, initial, limited feedback was no change...

I am very disappointed with my experiences with Fortinet TAC support; they take forever to get back to me and generally aren't able to provide clear answers to clear questions.

As common as the Fortinet firewalls are in small enterprise locations, I have to assume this is something that has come up before, but for the life of me I can't find the resolution in Google/Reddit/Fortinet forums.

Thoughts?
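For readers following the same troubleshooting path, here is an added illustration (not part of the original post, and not a Fortinet-supplied configuration) of what a UTM-bypass policy for conferencing destinations looks like in FortiOS CLI, together with the check that confirms real call traffic is actually matching it rather than falling through to the inspected policy below. Interface names (`internal`, `wan1`), address/group names, the sample wildcard FQDN, and the 5.4-era `wildcard-fqdn` address syntax are assumptions; UDP 3478 (STUN/TURN) is used only as a plausible media port for the session filter.

```text
# Destination objects for the bypass group (names and FQDN are assumed examples).
config firewall address
    edit "conf-skype-wildcard"
        set type wildcard-fqdn
        set wildcard-fqdn "*.lync.com"
    next
    edit "conf-subnet-example"
        set type ipmask
        set subnet 198.51.100.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "conf-bypass-grp"
        set member "conf-skype-wildcard" "conf-subnet-example"
    next
end

# Bypass policy: NAT enabled, no UTM profiles, no proxy-based inspection.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "conf-bypass-grp"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status disable
        set nat enable
    next
end

# Policy order matters: move the new policy above the general outbound
# policy (replace <bypass-id> / <general-id> with the IDs shown by "show firewall policy").
config firewall policy
    move <bypass-id> before <general-id>
end

# Verification during a live call: filter on a media port and confirm the
# sessions report the bypass policy's ID in "policy_id=", not the general one.
diagnose sys session filter clear
diagnose sys session filter dport 3478
diagnose sys session list
```

If the listed sessions still show the general outbound policy ID, the destination group is not covering the addresses the client actually uses, which is worth ruling out before attributing the choppiness to UTM itself.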


