FortiExtender
ibasha
Staff
Article Id 348237
Description

This article describes how to resolve internet connectivity issues when using FORTIEXTENDER in LAN-Extension mode.

Scope

FortiExtender.

Solution
  1. An IPSec tunnel is established between the FORTIEXTENDER (FEX2xxF with V7.4.6) and the FortiGate (FG6H0F-7.4.4) in VXLAN extension mode.
  2. A client connected to the Extender's LAN port receives an IP address but cannot access the Internet.
  3. Running tcpdump on the Extender shows the client's traffic being forwarded towards the internet.

For example, initiating traffic to a website with the public IP address 193.99.x.x:

listening on le-switch, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:14:42.274196 IP 172.20.x.x.56774 > 193.99.144.x.443: Flags [.], seq 93324996:93326196, ack 524921853, win 1026, length 1200
09:14:42.460443 IP 172.20.x.x.56772 > 193.99.144.x.80: Flags [P.], seq 1246749234:1246749734, ack 68398799, win 1026, length 500: HTTP: GET / HTTP/1.1
09:14:47.079418 IP 172.20.x.x.56774 > 193.99.144.x.443: Flags [.], seq 0:1200, ack 1, win 1026, length 1200
09:14:47.261938 IP 172.20.x.x.56772 > 193.99.144.x.80: Flags [P.], seq 0:500, ack 1, win 1026, length 500: HTTP: GET / HTTP/1.1
09:14:56.681202 IP 172.20.x.x.56774 > 193.99.144.x.443: Flags [R.], seq 1200, ack 1, win 0, length 0
09:14:56.683754 IP 172.20.x.x.56784 > 193.99.144.x.443: Flags [S], seq 962974866, win 64240, options [mss 1200,nop,wscale 8,nop,nop,sackOK], length 0
09:14:56.697486 IP 193.99.x.x.443 > 172.20.x.x.56784: Flags [S.], seq 3048524569, ack 962974867, win 3990, options [mss 1200,nop,wscale 2,sackOK,eol], length 0
09:14:56.698295 IP 172.20.x.x.56784 > 193.99.x.x.443: Flags [.], ack 1, win 1026, length 0
09:14:56.701593 IP 172.20.x.x.56784 > 193.99.x.x.443: Flags [.], seq 1:1201, ack 1, win 1026, length 1200
09:14:56.701595 IP 172.20.x.x.56784 > 193.99.x.x.443: Flags [P.], seq 1201:1755, ack 1, win 1026, length 554
09:14:56.743119 IP 172.20.x.x.56784 > 193.99.x.x.443: Flags [P.], seq 555:1755, ack 1, win 1026, length 1200
09:14:56.876505 IP 172.20.x.x.56772 > 193.99.x.x.80: Flags [R.], seq 500, ack 1, win 0, length 0
09:14:57.045479 IP 172.20.x.x.56784 > 193.99.x.x.443: Flags [.], seq 1:1201, ack 1, win 1026, length 1200
09:14:57.653176 IP 172.20.x.x.56784 > 193.99.x.x.443: Flags [.], seq 1:1201, ack 1, win 1026, length 1200
09:14:58.857534 IP 172.20.x.x.56784 > 193.99.x.x.443: Flags [.], seq 1:1201, ack 1, win 1026, length 1200
09:15:00.816036 IP 172.20.x.x.56789 > 193.99.x.x.80: Flags [S], seq 2550976472, win 64240, options [mss 1200,nop,wscale 8,nop,nop,sackOK], length 0
09:15:00.819356 IP 172.20.x.x.56773 > 193.99.x.x.80: Flags [P.], seq 1382135982:1382136482, ack 728427635, win 1026, length 500: HTTP: GET / HTTP/1.1
09:15:00.830222 IP 193.99.x.x.80 > 172.20.x.x.56789: Flags [S.], seq 2461675492, ack 2550976473, win 3990, options [mss 1200,nop,wscale 2,sackOK,eol], length 0
09:15:00.830795 IP 172.20.x.x.56789 > 193.99.x.x.80: Flags [.], ack 1, win 1026, length 0

  4. Perform a continuous ping to the client's default gateway and to an external address (e.g., 8.8.8.8) from the client connected to the LAN port of the FORTIEXTENDER.
  5. On the FortiGate, collect the debug flow and run a sniffer on the FORTIEXTENDER interface to diagnose the issue.

Check the debug flow to confirm that the traffic is matched by the expected policy ID (policy ID 61 in this example), that it is routed to the internet, and that the return traffic is sent back through the tunnel between the FortiGate and the FortiExtender:

12:53 id=65308 trace_id=4827 func=init_ip_session_common line=6127 msg="allocate a new session-012516f1"
2024-10-01 11:12:53 id=65308 trace_id=4827 func=rpdb_srv_match_input line=1148 msg="Match policy routing id=2139291649: to 193.99.x.x via ifindex-20"
2024-10-01 11:12:53 id=65308 trace_id=4827 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-80.155.171.209 via port14"
2024-10-01 11:12:53 id=65308 trace_id=4827 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=20, len=8"
2024-10-01 11:12:53 id=65308 trace_id=4827 func=get_new_addr line=1274 msg="find SNAT: IP-80.155.x.x(from IPPOOL), port-56734"
2024-10-01 11:12:53 id=65308 trace_id=4827 func=fw_forward_handler line=997 msg="Allowed by Policy-61: SNAT"
2024-10-01 11:12:53 id=65308 trace_id=4827 func=ip_session_confirm_final line=3141 msg="npu_state=0x100, hook=4"
2024-10-01 11:12:53 id=65308 trace_id=4827 func=__ip_session_run_tuple line=3474 msg="SNAT 172.20.x.x->80.155.x.x:56734"
2024-10-01 11:12:53 id=65308 trace_id=4828 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=6, 172.20.x.x:56735->193.99.144.85:80) tun_id=0.0.0.0 from FX0015919003108. flag [S], seq 2723957095, ack 0, win 64240"
2024-10-01 11:12:53 id=65308 trace_id=4828 func=init_ip_session_common line=6127 msg="allocate a new session-012516f6"
2024-10-01 11:12:53 id=65308 trace_id=4828 func=rpdb_srv_match_input line=1148 msg="Match policy routing id=2139291649: to 193.99.x.x via ifindex-20"
2024-10-01 11:12:53 id=65308 trace_id=4828 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-80.155.171.209 via port14"
2024-10-01 11:12:53 id=65308 trace_id=4828 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=20, len=8"
2024-10-01 11:12:53 id=65308 trace_id=4828 func=get_new_addr line=1274 msg="find SNAT: IP-80.155.x.x(from IPPOOL), port-56735"
2024-10-01 11:12:53 id=65308 trace_id=4828 func=fw_forward_handler line=997 msg="Allowed by Policy-61: SNAT"
2024-10-01 11:12:53 id=65308 trace_id=4828 func=ip_session_confirm_final line=3141 msg="npu_state=0x100, hook=4"
2024-10-01 11:12:53 id=65308 trace_id=4828 func=__ip_session_run_tuple line=3474 msg="SNAT 172.20.x.x->80.155.x.x:56735"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=6, 193.99.144.85:80->80.155.x.x:56734) tun_id=0.0.0.0 from port14. flag [S.], seq 884565577, ack 2844206421, win 3600"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=resolve_ip_tuple_fast line=6030 msg="Find an existing session, id-012516f1, reply direction"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=__ip_session_run_tuple line=3487 msg="DNAT 80.155.x.x:56734->172.20.x.x:56734"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-0.0.0.0 via FX0015919003108"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=npu_nturbo_unset_flags line=287 msg="ses->npu_state=0x100 skb->npu_flag=0x400"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=npu_nturbo_unset_flags line=287 msg="ses->npu_state=0x108 skb->npu_flag=0x400"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=npu_handle_session44 line=1355 msg="Trying to offloading session from port14 to FX0015919003108, skb.npu_flag=00000400 ses.state=04010204 ses.npu_state=0x00000108"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=ip_session_install_npu_session line=384 msg="npu session installation succeeded"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=fw_forward_dirty_handler line=443 msg="state=04010204, state2=00000001, npu_state=00000908"

  6. The issue appears to be related to session offloading, as indicated by the "fw_forward_dirty_handler" line in the logs. Additionally, no ICMP response from 8.8.8.8 is captured in the sniffer output.
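As an added example (not part of the original article), the following Python script performs the check described above over FortiGate debug flow output: it groups lines by trace_id, confirms the forward leg was allowed by the expected policy (61 here), extracts the SNAT that was applied, ties the reply leg back to its session, and flags the traces that were handed to the NPU, which are the lines the article associates with the offload problem. The sample lines are constructed in the format shown above, with addresses redacted as in the article.

```python
import re

# Constructed sample in the format of the FortiGate debug flow output above:
# trace 4827 is the client's forward leg, trace 4829 the reply from the web server.
SAMPLE_FLOW = """\
2024-10-01 11:12:53 id=65308 trace_id=4827 func=init_ip_session_common line=6127 msg="allocate a new session-012516f1"
2024-10-01 11:12:53 id=65308 trace_id=4827 func=fw_forward_handler line=997 msg="Allowed by Policy-61: SNAT"
2024-10-01 11:12:53 id=65308 trace_id=4827 func=__ip_session_run_tuple line=3474 msg="SNAT 172.20.x.x->80.155.x.x:56734"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=resolve_ip_tuple_fast line=6030 msg="Find an existing session, id-012516f1, reply direction"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=ip_session_install_npu_session line=384 msg="npu session installation succeeded"
2024-10-01 11:12:53 id=65308 trace_id=4829 func=fw_forward_dirty_handler line=443 msg="state=04010204, state2=00000001, npu_state=00000908"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
POLICY_RE = re.compile(r"Allowed by Policy-(\d+)")
SNAT_RE = re.compile(r"^SNAT (\S+)->(\S+)$")
REPLY_RE = re.compile(r"Find an existing session, id-(\w+), reply direction")
# Functions that only appear once the session has been handed to the NPU.
OFFLOAD_FUNCS = {"ip_session_install_npu_session", "fw_forward_dirty_handler"}


def parse_flow(text):
    """Group debug flow lines by trace_id as (func, msg) pairs; other lines are skipped."""
    traces = {}
    for line in text.splitlines():
        if m := LINE_RE.search(line):
            traces.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return traces


def summarize(traces):
    """Per trace: allowing policy, SNAT applied, the session it replies to, and NPU offload."""
    out = {}
    for tid, events in traces.items():
        s = {"policy": None, "snat": None, "reply_of": None, "npu_offload": False}
        for func, msg in events:
            if m := POLICY_RE.search(msg):
                s["policy"] = int(m.group(1))
            elif m := SNAT_RE.match(msg):
                s["snat"] = (m.group(1), m.group(2))
            elif m := REPLY_RE.search(msg):
                s["reply_of"] = m.group(1)
            if func in OFFLOAD_FUNCS:
                s["npu_offload"] = True
        out[tid] = s
    return out


def check(summary, expected_policy=61):
    """Forward legs that hit another policy, and traces the NPU took over (empty once offload is off)."""
    wrong = sorted(t for t, s in summary.items() if s["reply_of"] is None and s["policy"] != expected_policy)
    offloaded = sorted(t for t, s in summary.items() if s["npu_offload"])
    return wrong, offloaded
```

Feed it the output of the diagnose debug flow commands listed at the end of this article; after disabling auto-asic-offload on the policy, the offloaded list should come back empty.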

(Image: Packet-cap.png)

  7. Try disabling auto-asic-offload on policy ID 61 with the following commands:

config firewall policy
    edit 61
        set name "Policy_Name"
        set uuid bf25d09c-7b64-51ef-295f-9cd3cc16ec2a
        set srcintf "FORTIEXTENDER-Interface"
        set dstintf "WAN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "HTTP" "HTTPS" "PING"
        set logtraffic all
        set auto-asic-offload disable
    next
end

  8. If the issue persists, open a ticket with FortiGate support and provide the following:
  • Flow trace output:

diagnose debug flow filter addr <User IP address>
diagnose debug console timestamp enable
diagnose debug flow trace start <number of packets>
diagnose debug enable
