Troubleshooting Tip: Numerous occurrences of high CPU usage due to many IPsec tunnels using only one vCPU in VM
| Description | This article describes how to reduce occurrences of high CPU usage due to many IPsec tunnels using only one vCPU. |
| Scope | FortiGate-VM. |
| Solution | FortiOS maps each interface to a CPU core, so a specific tunnel is handled by an individual CPU core. Uneven usage of tunnels can therefore cause an uneven spread of CPU usage. To reduce the load on a single vCPU, distribute the load across multiple vCPUs (if available on the model):
config system global
    set ipsec-soft-dec-async enable
end
Since 7.0.8, FortiOS supports not only spreading decryption tasks but also redistributing encrypted or decrypted packets across multiple CPU cores.
To distribute encrypted packets:
config system global
    set ipsec-round-robin {enable | disable}
end
To distribute decrypted packets:
config vpn ipsec phase1-interface
    edit <name>
        set packet-redistribution {enable | disable}
    next
end
Check by executing this command in the firewall CLI:
diagnose vpn ipsec cpu
Example output:
CPU enc dec-in dec dec-out |
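To compare the counters before and after changing the settings above, the per-CPU share of each column can be computed from the command output. This is an added Python example, not part of the original article or of Fortinet's tooling; it assumes one whitespace-separated row of integer counters per CPU under the header shown above, and the sample rows, function names and the 1.5x threshold are constructed for illustration.

```python
# Added example: measure how unevenly IPsec work is spread across vCPUs.
# Assumption: 'diagnose vpn ipsec cpu' prints one whitespace-separated row of
# integer counters per CPU under the header shown in the article.

COLUMNS = ("enc", "dec-in", "dec", "dec-out")

# Constructed sample (not real device output): CPU 0 does nearly all the work.
SAMPLE = """\
CPU    enc      dec-in   dec      dec-out
0      981200   975310   975310   975300
1      1200     900      900      900
2      0        0        0        0
3      800      1100     1100     1100
"""

def parse_cpu_table(text):
    """Return {cpu_id: {column: count}} for every well-formed data row."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, blank lines, prompts and anything not 5 integers.
        if len(fields) != 1 + len(COLUMNS) or not all(f.isdigit() for f in fields):
            continue
        rows[int(fields[0])] = dict(zip(COLUMNS, map(int, fields[1:])))
    return rows

def cpu_shares(rows, column):
    """Fraction of the column total handled by each CPU (all 0.0 if idle)."""
    total = sum(r[column] for r in rows.values())
    return {cpu: (r[column] / total if total else 0.0) for cpu, r in rows.items()}

def hot_cpus(rows, column, factor=1.5):
    """CPUs carrying more than `factor` times an even share of `column`."""
    if not rows:
        return []
    even = 1.0 / len(rows)
    shares = cpu_shares(rows, column)
    return sorted(cpu for cpu, s in shares.items() if s > factor * even)

if __name__ == "__main__":
    table = parse_cpu_table(SAMPLE)
    for col in COLUMNS:
        shares = cpu_shares(table, col)
        summary = "  ".join(f"cpu{c}={s:.1%}" for c, s in sorted(shares.items()))
        print(f"{col:8} hot={hot_cpus(table, col)}  {summary}")
```

An empty `hot=[]` list for every column after the change indicates that no vCPU carries more than 1.5 times an even share of the IPsec work.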


