Staff

Troubleshooting Tip: Kernel panic during IP fragment processing over IPsec VPN with NP7Lite offloading enabled

Forum|Forum|17 days ago
May 27, 2026
1 reply
191 views

Description

This article describes a kernel panic condition observed on NP7Lite platforms when processing fragmented IPsec VPN traffic with 'NPU offload enable' set.

This issue occurs during IP fragment handling for large packets traversing an IPsec VPN tunnel.

Scope

FortiGate-90G, FortiGate 120G, NP7Lite hardware offloading, IPSEC VPN, Fragmented packet processing.

Solution

The issue may be reproduced by sending large ICMP packets through the IPsec VPN tunnel while NPU offload is enabled.

Example from a Windows host:

ping 198.51.100.28 -l 2000 -t

Example from a Linux host:

ping -s 2000 198.51.100.28

The FortiGate may present one or more of the following symptoms:

Kernel panic messages.
Unexpected reboot.
IPsec VPN traffic interruption.
Tunnel instability during large packet transmission.
Packet loss affecting fragmented traffic flows.

The issue can be mitigated by enabling NPU IP reassembly processing.

Enable IP reassembly using the following CLI configurations:

config system npu
    config ip-reassembly
        set status enable
end

After enabling IP reassembly, fragmented packets are reassembled before hardware offloading processing, preventing the kernel panic condition observed during fragmented IPsec VPN traffic handling.

ClemensD

Visitor III

For which FortiOS Version is this?

the "config ip-reassembly” is not available on NP7Lite Platforms (tested on a 90G) on 7.6.6.

Also according to the Hardware-Acceleration Docs (https://docs.fortinet.com/document/fortigate/8.0.0/hardware-acceleration/512774) DFR is not supported on NP7Lite Platforms.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded