This article describes a situation where a packet has its checksum bit set to '1' but carries an invalid checksum, and the only action NP7 takes is to drop it.
FortiOS with NP7.
In certain situations, traffic is altered while traversing the network, which results in an expected change in the checksum. In this situation, NP7 drops the packet even though it would be expected to pass.
In the example below, GRE traffic was encrypted by an encryption device after the firewall, and the return packet with an invalid checksum is dropped, as shown below:
FW (global) # diagnose npu np7 dce-drop-all 0 1
<HTX drop counters>
[NP7_0]
Counter                   HTX_0      HTX_1      HTX_2      HTX_3      Total
------------------------- ---------- ---------- ---------- ---------- ------------
[41]gre_csum              131263     0          21339      109791     262393

<HTX drop counters>
[NP7_0]
Counter                   HTX_0      HTX_1      HTX_2      HTX_3      Total
------------------------- ---------- ---------- ---------- ---------- ------------
[41]gre_csum              131269     0          21341      109791     262401
Generic Routing Encapsulation (0x5EDB - unknown)
    Flags and Version: 0xffd1
    Protocol Type: Unknown (0x5edb)
    Checksum: 0x9b41 incorrect, should be 0x99c5
        [Expert Info (Warning/Protocol): Incorrect GRE Checksum [should be 0x99c5]]
        [Checksum Status: Bad]
FW(global) # diagnose npu np7 dce-drop-all 1
<EIF drop counters>
[NP7_1]
Counter                   EIF_0      EIF_1      EIF_2      EIF_3      EIF_4      EIF_5      EIF_6      EIF_7      Total
------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ------------
[41]gre_csum              0          0          0          0          3          10         4          5          22
------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ------------
Total_drop : 22
config system npu
    config fp-anomaly
        set gre-csum-err
            allow           Allow IPv4 invalid GRE checksum.
            drop            Drop IPv4 invalid GRE checksum.
            trap-to-host    Forward IPv4 invalid GRE checksum to main CPU for processing.
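
The check behind the gre_csum counter can be reproduced offline. This is an added example, not Fortinet code: it assumes the RFC 2784 header layout (checksum present bit 0x8000, checksum computed as the Internet checksum over the GRE header and payload with the checksum field zeroed), and both packets are constructed here, not taken from the capture above.

```python
import struct

GRE_C_BIT = 0x8000  # "Checksum Present" flag in the first 16 bits (RFC 2784)

def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by IP and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_gre(proto: int, payload: bytes) -> bytes:
    """Build a constructed GRE packet with the C bit set and a valid checksum."""
    header = struct.pack("!HHHH", GRE_C_BIT, proto, 0, 0)
    csum = inet_checksum(header + payload)
    return struct.pack("!HHHH", GRE_C_BIT, proto, csum, 0) + payload

def check_gre(packet: bytes) -> dict:
    """Return the checksum status of a GRE packet (the IP payload, protocol 47)."""
    if len(packet) < 4:
        return {"status": "truncated"}
    flags, proto = struct.unpack("!HH", packet[:4])
    if not flags & GRE_C_BIT:
        # No checksum field: there is nothing to validate.
        return {"status": "not-present", "proto": proto}
    if len(packet) < 8:
        return {"status": "truncated"}
    found = struct.unpack("!H", packet[4:6])[0]
    # Recompute with the checksum field set to zero, as the RFC specifies.
    expected = inet_checksum(packet[:4] + b"\x00\x00" + packet[6:])
    status = "good" if found == expected else "bad"
    return {"status": status, "found": found, "expected": expected, "proto": proto}

# Constructed sample: GRE carrying 20 arbitrary payload bytes.
good = build_gre(0x0800, bytes(range(20)))
# The same packet with one payload byte changed after the checksum was computed,
# standing in for traffic that was altered in transit.
altered = good[:-1] + bytes([good[-1] ^ 0xFF])

if __name__ == "__main__":
    for name, pkt in (("original", good), ("altered", altered)):
        print(name, check_gre(pkt))
```

A packet reported as "bad" here is the kind that increments gre_csum when gre-csum-err is set to drop.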