Description
This article describes the behavior when FortiGate NP6 setting set ipv4-proto-err drop is enabled.
The NP6 will only process certain IP protocols and will drop the rest.
For example, the NP6 in a FortiGate 3700D has an accept protocol table for IPv4/IPv6 traffic.
The following is the list of protocols accepted:
01. HOP V6 extension [0]
02. ICMP [1]
03. IPV4 [4]
04. TCP [6]
05. UDP [17]
06. IPV6 [41]
07. ROUTE V6 extension [43]
08. FRAG V6 extension [44]
09. GRE [47]
10. ESP [50]
11. AH [51]
12. ICMP6 [58]
13. DEST V6 extension [60]
14. OSPFIGP [89]
15. SCTP [132]
16. UDPLITE [136]
Note: The numbers in the square brackets [] are the protocol numbers (IDs) in decimal.
Solution
For example, when set ipv4-proto-err drop is enabled, the following anomaly error is seen in the output of:
diag npu np6 anomaly-drop 0
IHP0:
IHP1:
IPV4_PROTO_ERR :0000000000000016 [21] <-- HEX ID of 21 is not in the list of accepted protocols.
IHP2:
IHP3:
XHP0:
XHP1:
HTX0:
HTX1:
Note: In this output, the number in the square brackets [] is the protocol number (ID) in hexadecimal.
The result shows that when an IP packet carrying the Datagram Congestion Control Protocol is received, it is dropped because its protocol ID is hex 21 (decimal 33), which is not in the accepted protocol list.
A full list of protocol numbers is available here.
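To make the hex-to-decimal interpretation above mechanical, the following added example (not from Fortinet or the original article) encodes the 3700D accept table from the Description, parses an IPV4_PROTO_ERR line from the diag npu np6 anomaly-drop output, and reads the Protocol field from a constructed IPv4 header. It assumes the 16-hex-digit value before the brackets is the counter value; the sample line and header are constructed for illustration.

```python
import re
import struct

# Protocol IDs (decimal) in the NP6 accept table of the FortiGate 3700D,
# as listed in the article's Description section.
NP6_ACCEPTED_PROTOCOLS = {
    0: "HOP V6 extension", 1: "ICMP", 4: "IPV4", 6: "TCP", 17: "UDP",
    41: "IPV6", 43: "ROUTE V6 extension", 44: "FRAG V6 extension",
    47: "GRE", 50: "ESP", 51: "AH", 58: "ICMP6", 60: "DEST V6 extension",
    89: "OSPFIGP", 132: "SCTP", 136: "UDPLITE",
}

# Anomaly-drop counter line: NAME :<16 hex digits> [<hex protocol ID>]
# The 16-digit value is assumed to be the counter value.
ANOMALY_LINE = re.compile(r"^\s*(\w+)\s*:([0-9a-fA-F]{16})\s*\[([0-9a-fA-F]+)\]")


def parse_anomaly_line(line):
    """Return (counter_name, counter_value, protocol_id_decimal), or None
    for section headers such as 'IHP1:' that carry no counter."""
    m = ANOMALY_LINE.match(line)
    if not m:
        return None
    return m.group(1), int(m.group(2), 16), int(m.group(3), 16)


def np6_disposition(proto):
    """'accept' if proto is in the accept table; otherwise 'drop', which is
    what happens when set ipv4-proto-err drop is enabled."""
    return "accept" if proto in NP6_ACCEPTED_PROTOCOLS else "drop"


def ipv4_protocol_field(packet):
    """Read the Protocol field (byte offset 9) of a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[9]


def build_ipv4_header(proto):
    """Constructed 20-byte IPv4 header with the given protocol number
    (checksum left at zero; only the Protocol field matters here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


if __name__ == "__main__":
    # Constructed sample line matching the diag output shown in the article.
    sample = "IPV4_PROTO_ERR :0000000000000016 [21] <-- HEX ID of 21"
    name, count, proto = parse_anomaly_line(sample)
    print(f"{name}: counter={count}, protocol={proto} -> {np6_disposition(proto)}")
```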
Further information is available in the following links: