nalexiou
Staff & Editor
December 10, 2024

Troubleshooting Tip: Packet loss when Adaptive Forward Error Correction (FEC) is enabled

Description

This article explains how to mitigate packet loss when FEC is used.

Scope

FortiOS.

Solution

FEC does not support NPU offloading. However, traffic that does not require FEC can be identified and offloaded.

This improves performance for the traffic that can be offloaded.

Depending on the requirements, offloading can be enabled under phase1:

 

config vpn ipsec phase1-interface
    edit "tunnel"
        set npu-offload enable
        set fec-ingress enable
    next
end

 

This configuration can cause packet loss due to anti-replay. Refer to this KB article: Technical Tip: Explaining IPSEC Anti-replay and preventing packet drops

 

This behavior is expected when both NPU offloading and FEC are enabled. To avoid the packet loss, either offloading or anti-replay can be disabled.

 

To disable offloading:

 

config vpn ipsec phase1-interface
    edit "tunnel"
        set npu-offload disable
        set fec-ingress enable
    next
end

 

To disable anti-replay:

 

config vpn ipsec phase2-interface
    edit <phase2-name>
        set replay disable
    next
end

 

An additional recommended measure is to create a dedicated firewall policy, with FEC enabled, for traffic that is sensitive to packet loss. This separates it from other traffic that will not have FEC applied:

 

config firewall policy
    edit <id>
        .........
        set fec enable
    next
end
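
The following Python check is an added example, not part of the original article and not Fortinet code. It parses a saved configuration and reports phase1 tunnels that combine fec-ingress with NPU offloading, as well as phase2 entries where replay has been disabled. It assumes that an absent npu-offload line means the default (enable); the sample configuration and the function names parse and audit are constructed for illustration.

```python
# Constructed sample config (not from a real device), using the settings named in the article.
SAMPLE = """\
config vpn ipsec phase1-interface
    edit "tunnel"
        set npu-offload enable
        set fec-ingress enable
    next
    edit "branch"
        set npu-offload disable
        set fec-ingress enable
    next
end
config vpn ipsec phase2-interface
    edit "tunnel-p2"
        set replay disable
    next
end
"""

def parse(text):  # returns {section: {entry: {setting: value}}} for top-level tables
    tree, section, entry, depth = {}, None, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section, entry = tree.setdefault(line[7:], {}), None
        elif line == "end":
            depth = max(depth - 1, 0)
        elif depth != 1:
            continue  # outside any table, or inside a nested sub-table
        elif line.startswith("edit "):
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip().strip('"')
        elif line == "next":
            entry = None
    return tree

def audit(text):
    tree, findings = parse(text), []
    for name, cfg in tree.get("vpn ipsec phase1-interface", {}).items():
        # Assumption: a missing npu-offload line means the default value, enable.
        if cfg.get("fec-ingress") == "enable" and cfg.get("npu-offload", "enable") == "enable":
            findings.append(("phase1", name, "FEC with NPU offload: anti-replay packet loss possible"))
    for name, cfg in tree.get("vpn ipsec phase2-interface", {}).items():
        if cfg.get("replay") == "disable":
            findings.append(("phase2", name, "anti-replay check disabled"))
    return findings
```

Call audit() on the text of a configuration backup. A phase2 entry in the output has the IPsec replay check turned off, so it should correspond to a deliberate change.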