Technical Tip: Traffic belonging to the same flow may not be forwarded over the same aggregate member after being offloaded by NP7Lite
| Description | This article describes an issue where traffic is not forwarded over the same aggregate member after offload to the NP7Lite processor. |
| Scope | All FortiOS v7.x versions, FortiGate with NP7Lite processor such as FortiGate 50G, 90G, 200G. |
| Solution | FortiGate firewalls with NP7Lite processors may forward traffic over a different aggregate member after the session is offloaded to NP7Lite if an L3 or L4 hashing algorithm is used. This is caused by inconsistent hashing keys used in hashing profiles for NPU-offloaded traffic.
Depending on the topology, this can cause packet loss.
A similar issue occurred in NP7 devices in earlier firmware versions, but was resolved.
Workaround:
Set the LACP algorithm to L2 with offload enabled.
    config system interface
        edit "aggr4"
            set algorithm L2
        next
    end
Alternatively, disable hardware acceleration on firewall policies that use aggregate interfaces, or their child VLAN interfaces, as source or destination. See Technical Tip: FortiGate Disable Hardware Acceleration.
Resolution: The NP7Lite issue is resolved in the upcoming FortiOS v8.0.0 release. Fixes in v7.4 and v7.6 minor versions are currently being considered. |
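
To find where neither workaround has been applied, the following added example (not Fortinet code) scans a configuration backup for firewall policies that still offload traffic on an aggregate using L3 or L4 hashing, or on one of its child VLAN interfaces. The function names and the sample configuration are constructed for illustration, and an aggregate with no explicit algorithm setting is assumed to use the L4 default.

```python
import re

# Constructed sample backup, trimmed to the settings this check reads.
SAMPLE = '''
config system interface
    edit "aggr4"
        set type aggregate
        set algorithm L4
    next
    edit "vlan100"
        set interface "aggr4"
    next
end
config firewall policy
    edit 1
        set srcintf "vlan100"
    next
    edit 2
        set dstintf "aggr4"
        set auto-asic-offload disable
    next
end
'''

def section(text, header):
    """Parse one top-level config block into {entry: {setting: [values]}}."""
    out, cur, depth = {}, None, 0
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if depth == 0:
            depth = int(line.strip() == header)   # wait for the block header
        elif tok[:1] == ["config"]:
            depth += 1                            # nested sub-table, ignored
        elif tok == ["end"]:
            depth -= 1
        elif depth == 1 and tok[:1] == ["edit"]:
            cur = out.setdefault(tok[1], {})
        elif depth == 1 and tok[:1] == ["set"] and cur is not None:
            cur[tok[1]] = tok[2:]
    return out

def exposed_policies(text):
    """Policy IDs that still offload on an L3/L4-hashed aggregate or its VLANs."""
    ifs = section(text, "config system interface")
    risky = {n for n, s in ifs.items() if s.get("type") == ["aggregate"]
             and s.get("algorithm", ["L4"])[0] in ("L3", "L4")}  # assumed default: L4
    risky |= {n for n, s in ifs.items() if s.get("interface", [""])[0] in risky}
    return [p for p, s in section(text, "config firewall policy").items()
            if s.get("auto-asic-offload") != ["disable"]
            and risky & set(s.get("srcintf", []) + s.get("dstintf", []))]
```

The check does not identify the hardware model, so its output is only meaningful for backups taken from NP7Lite devices.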