Technical Tip: Understanding the ipsec-ordering setting on FortiGate SoC4 platforms
Description
This article describes the ipsec-ordering setting under NPU configuration and the impact it may have on IPsec traffic.
When ipsec-ordering is disabled, IPsec traffic may be processed with higher NPU parallelism. In some network paths, this can result in out-of-order packets. Most environments handle this correctly, but some intermediate devices, proxy devices, or multiple inline deep inspection paths may drop or mishandle out-of-order packets.
Scope
FortiGate SoC4 / NP6XLite platforms.
Solution
The ipsec-ordering feature setting was introduced on supported FortiGate SoC4 / NP6XLite platforms starting from FortiOS 7.4.8 and FortiOS 7.6.4, and later supported releases.
This setting is disabled by default.
When disabled, IPsec traffic can be processed with higher NPU parallelism for better performance.
When enabled, FortiGate preserves packet ordering for affected IPsec traffic. This may help when intermediate devices, proxy devices, or inspection paths drop or mishandle out-of-order TCP segments.
Enable it only when packet captures show out-of-order TCP segments over IPsec and the reordering is causing application issues.
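Because the setting should only be enabled on evidence of out-of-order TCP segments over the tunnel, it helps to be able to confirm that from a capture export rather than by eye. The following Python script is an added example and is not Fortinet's code: it tracks the next expected sequence number per flow direction and classifies each data-carrying segment as in-order, ahead of a gap, out-of-order (fills an earlier gap) or a retransmission (repeats bytes already seen). The tab-separated input format, the column order and the sample lines are assumptions constructed for this example (they mimic a `tshark -T fields` export using raw, absolute sequence numbers); 32-bit sequence wraparound is deliberately not handled.

```python
"""
Flag out-of-order TCP segments in a tab-separated capture export.

Added example, not part of the Fortinet article.  The assumed input format
mimics `tshark -T fields` output with the columns
    frame  src  sport  dst  dport  seq  len
where seq is the raw (absolute) TCP sequence number and len the payload
length.  Sequence-number wraparound is not handled.
"""
from collections import namedtuple

Segment = namedtuple("Segment", "frame src sport dst dport seq length")

# Constructed sample (not a real capture): one flow 10.1.1.10:50000 -> 10.2.2.20:443.
# Frame 3 (seq 2001) arrives before frame 4 (seq 1001): the classic out-of-order
# pattern.  Frame 6 repeats bytes already delivered by frame 5 (a retransmission).
SAMPLE_LINES = """\
1\t10.1.1.10\t50000\t10.2.2.20\t443\t1\t1000
2\t10.2.2.20\t443\t10.1.1.10\t50000\t5000\t0
3\t10.1.1.10\t50000\t10.2.2.20\t443\t2001\t1000
4\t10.1.1.10\t50000\t10.2.2.20\t443\t1001\t1000
5\t10.1.1.10\t50000\t10.2.2.20\t443\t3001\t1000
6\t10.1.1.10\t50000\t10.2.2.20\t443\t3001\t1000
"""


def parse_lines(text):
    """Parse the tab-separated export into Segment tuples, skipping blank lines."""
    segments = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, src, sport, dst, dport, seq, length = line.split("\t")
        segments.append(Segment(int(frame), src, int(sport), dst, int(dport),
                                int(seq), int(length)))
    return segments


def classify(segments):
    """Return {frame: verdict} for every data-carrying segment.

    Verdicts: "in-order", "gap" (segment arrived ahead of missing bytes),
    "out-of-order" (segment fills bytes that were missing) and
    "retransmission" (segment repeats bytes already seen).
    """
    next_seq = {}   # flow -> next expected sequence number
    gaps = {}       # flow -> list of (start, stop) byte ranges not yet seen
    verdicts = {}
    for s in segments:
        if s.length == 0:
            continue  # pure ACKs carry no data; ordering is about payload bytes
        flow = (s.src, s.sport, s.dst, s.dport)  # one direction of the conversation
        end = s.seq + s.length
        if flow not in next_seq:
            next_seq[flow], gaps[flow] = end, []
            verdicts[s.frame] = "in-order"
            continue
        expected = next_seq[flow]
        if s.seq == expected:
            verdicts[s.frame] = "in-order"
            next_seq[flow] = end
        elif s.seq > expected:
            # Bytes [expected, s.seq) have not been seen yet: record the hole.
            gaps[flow].append((expected, s.seq))
            next_seq[flow] = end
            verdicts[s.frame] = "gap"
        else:
            # Sequence number below what we expect: either it fills a hole
            # (arrived late, i.e. out of order) or it repeats delivered bytes.
            remaining, filled = [], False
            for start, stop in gaps[flow]:
                if s.seq < stop and end > start:  # overlaps an open hole
                    filled = True
                    if start < s.seq:
                        remaining.append((start, s.seq))
                    if end < stop:
                        remaining.append((end, stop))
                else:
                    remaining.append((start, stop))
            gaps[flow] = remaining
            verdicts[s.frame] = "out-of-order" if filled else "retransmission"
    return verdicts


def out_of_order_frames(text):
    """Frame numbers whose segment arrived late and filled an earlier hole."""
    verdicts = classify(parse_lines(text))
    return sorted(f for f, v in verdicts.items() if v == "out-of-order")


if __name__ == "__main__":
    for frame, verdict in sorted(classify(parse_lines(SAMPLE_LINES)).items()):
        print(frame, verdict)
    print("out-of-order frames:", out_of_order_frames(SAMPLE_LINES))
```

Run it against an export of the capture taken on the tunnel's inner side; if the only verdicts are in-order and retransmission, reordering is not the problem and the setting should stay disabled. Each direction of a connection is tracked separately, so a late segment on the return path does not confuse the forward path.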
To enable IPsec ordering:
config system npu
    set ipsec-ordering enable
end

After changing this setting, flush and re-establish the affected IPsec tunnel, or reboot the FortiGate during a maintenance window. To verify the NPU type used by a FortiGate model, refer to Technical Tip: Network Processors (NP)/Hardware Acceleration Processors.
This setting is not intended for FortiGate SP5 / SoC5 / NP7Lite platforms. If the command is not present on those models, this is expected behavior.
