Technical Tip: NP7Lite: Offloading Issue Detection on FortiGate G-Series
Description
This article explains how to detect offloading-related issues in the NP7Lite ASIC by monitoring the Session Search Engine (SSE) statistics. Offloading failures can lead to degraded session handling, increased CPU load, or unoptimized traffic flow, especially on FortiGate G-series.
Scope
FortiGates equipped with NP7Lite ASICs (example: FortiGate 91G, FortiGate-120G) are applicable during live traffic analysis when offloading problems are suspected.
Solution
Use the following command to inspect SSE statistics:
diagnose npu np7lite sse-stats 0
FWPTSEDS0102 # diagnose npu np7lite sse-stats 0 Counters SSE0 --------------- --------------- entcnt 0 inssucc 0 insfail 0 updsucc 0 delsucc 0 delfail 0 depfail 0 srhsucc 0 srhfail 2337045 agesucc 0
This command provides key insights into session insertions, deletions, and lookups handled by the hardware engine.
Focus on the following counters:
| Counter | Description |
| insfail | Session insertion failures – should always be 0 |
| delfail | Session deletion failures – should always be 0 |
| depfail | Session dependency failures – should always be 0 |
| srhfail | Session lookup failures – should not increment under normal TCP traffic |
Important Note:
- insfail, delfail, and depfail increments suggest possible hardware or offload handling bugs.
- High or growing SRHfail values during normal traffic conditions may indicate:
- Session offloading issues.
- Session table sync problems.
It is recommended to capture multiple samples over time if these counters are increasing.