Configure Ethernet speed, duplex and negotiation settings

Incorrect Ethernet settings between two devices can result in an unreliable (excessive error count) connection or in no connection at all. The 'no connection' condition is easily noticed. 

However, the 'unreliable' condition is the most difficult to detect since a connection is established, but with errors which can disturb normal traffic. For example, intermittent access, slow performance, or connection timeouts.

Symptoms include:
Collision counter is incrementing on the interface.
High rate of duplicate ACK packets.
Large jumps in Sequence Numbers, as retransmitted packets fill in holes.

To determine if there are excessive or unwanted errors, use the following debug commands to view the Ethernet statistics:

FortiOS v4.0 & 5.0:

> diagnose netlink device list
> diagnose hardware deviceinfo nic <interface>

where <interface> can be internal, external, dmz, wan1, port1, port2, and so on.

Note: Please be sure to repeat the latter command to show how the interface statistics are changing over time.

The symptoms of duplicate ACKs and sequence number jumps will be revealed by analyzing a packet capture.

In a fully switched environment and in full-duplex operation, there should be no collisions detected. There can be collisions in a half-duplex operation. The various error counters should also be 'zero', or should not increase over a relatively short period of time. Even the slightest errors may cause unexpected traffic problems with the FortiGate firewall and the web-filtering/anti-virus/anti-Spam detection features.

Preventing Ethernet speed/duplex mismatches

Use the following practical tips to prevent a potential Ethernet speed/duplex mismatch.

• Manually configure both sides to the same mode when you can.
• When allowing auto-negotiation do it carefully referring to the list below:a. NIC set for auto, switch set for auto.
  Result: Assuming these are fully 802.3u compliant and both their maximum capabilities are 100/full-duplex, they should both run at 100Mbps full duplex.
  b. NIC set to 100Mbps/full-duplex, switch set for auto.
  Result: Duplex mismatch. With no auto-negotiation from the NIC, the switch reverts to its default setting of 100Mbps/half-duplex.
  c. NIC set for auto, switch set for 100Mbps/full-duplex.
  Result: Duplex mismatch. With no auto-negotiation from the switch, the NIC reverts to its default setting of 100Mbps/half-duplex.
  d. NIC set to 100Mbps/full-duplex, switch set for 100Mbps/full-duplex.
  Result: Correct manual configuration.
  e. NIC set to 100Mbps/half-duplex, switch set for auto.
  Result: With no auto-negotiation from the NIC, the switch defaults to 100Mbps/half-duplex. A valid combination results, but only if the switch's default duplex matches the NIC setting.
  f. NIC set to 10Mbps/half-duplex, switch set for auto.
  Result: The switch can detect the NLP from the NIC and sets itself for 10Mbps and with no auto-negotiation (FLP) from the NIC, the switch defaults to half-duplex. A valid combination results, but only if the switch's default duplex matches the NIC setting.
  g. NIC set to 10Mbps/half-duplex, switch set for 100Mbps/half-duplex.
  Result: No link. Neither side will establish a link to an incorrect manual speed configuration. Auto-negotiation has been disabled on both link partners by manually configuring them.
  h. NIC set auto, switch set for 10Mbps/half-duplex.
  Result: Link is established in a valid configuration. The NIC sees the NLP from the switch and sets itself for 10Mbps and with no auto-negotiation (FLP) from the switch, the NIC defaults to half-duplex. A valid combination results, but only if the NIC's default duplex matches the switch settings.

About auto negotiation

The IEEE 802.3u 100BaseTX auto negotiation specification uses a modified version of the link integrity test defined for 10BaseT devices. The link integrity test for 10BaseT devices uses the Normal Link Pulse (NLP), a burst pulse every 16 (+/- 8) microseconds. For 10/100 Mbps auto negotiation, a Fast Link Pulse (FLP) is used. The FLP includes the same NLP burst every 16 (+/- 8) msec for backward compatibility plus additional pulses every 62.5 (+/- 7) microseconds. The FLP burst generates code words that are used for compatibility exchanges (duplex settings) between link partners. If a device (such as an Ethernet switch) sends FLP, but only receives NLP from it's link partner (such as a server or workstation), it will stop sending FLP and enable standard 10BaseT operation. For example, with one device (the server) manually configured for 100Mbps full duplex, and the other (the Ethernet switch) set for auto-negotiation, the switch will not be receiving the FLP and will revert to its default settings of 100Mbps half duplex. Now you have a server running half duplex and the switch port running at full duplex.