slovedeep
Staff
Article Id 265632
Description

This article describes the case where, when traffic is sent over an IPsec tunnel, the debug flow output displays the following messages:
id=65308 trace_id=15 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-00090049, reply direction"
id=65308 trace_id=15 func=ip_session_core_in line=6543 msg="dir-1, tun_id=192.169.1.1"
id=65308 trace_id=15 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface To-Tunnel-A, tun_id=192.169.1.1"
id=65308 trace_id=15 func=_do_ipsecdev_hard_start_xmit line=222 msg="output to IPSec tunnel To-Tunnel-A vrf 0"
id=65308 trace_id=15 func=esp_output4 line=920 msg="IPsec encrypt/auth"
id=65308 trace_id=15 func=nipsec_set_ipsec_sa_enc line=920 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={To-Tunnel-A/To-Tunnel-A/0x333ab007}), npudev=-1, skb-dev=port2"
id=65308 trace_id=15 func=nipsec_set_ipsec_sa_enc line=965 msg="IPSec encrypt SA (p1/p2/spi={To-Tunnel-A/To-Tunnel-A/0x333ab007}) offloading-check failed, reason_code=2."
id=65308 trace_id=15 func=ipsec_output_finish line=641 msg="send to 0.0.0.0 via intf-port2"

Scope

Any FortiOS on VM.
Solution

In other words, the traffic is not being offloaded: the IPsec processing is being handled by the CPU.

The debug flow message indicating 'offloading-check failed, reason_code=2' for IPsec traffic means that the offloading of the IPsec Security Association (SA) failed due to the absence of the Network Processing Unit (NPU). This is expected behavior for VM-based FortiGates, which do not have NPUs and rely on CPU processing for IPsec encryption and decryption.
Reason Code 2:

This specific code signifies that the IPsec offloading failed because the device does not have an NPU. This is typical for VM-based FortiGates.
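The following is an added example, not code from the article or from Fortinet: a small Python parser that reads FortiGate debug flow output of the form shown above, extracts the `offloading-check failed` message with its phase 1/phase 2 names, SPI and reason code, and classifies reason code 2 the way the article does. The sample input is copied from the Description section. The regular expressions, the `triage()` helper and the assumption that a `decrypt` SA line would use the same wording as the `encrypt` line are mine; the article only documents reason code 2, so every other code is reported as not described here.

```python
import re

# Sample debug flow output, copied from the article's Description section.
SAMPLE_DEBUG_FLOW = """\
id=65308 trace_id=15 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-00090049, reply direction"
id=65308 trace_id=15 func=ip_session_core_in line=6543 msg="dir-1, tun_id=192.169.1.1"
id=65308 trace_id=15 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface To-Tunnel-A, tun_id=192.169.1.1"
id=65308 trace_id=15 func=_do_ipsecdev_hard_start_xmit line=222 msg="output to IPSec tunnel To-Tunnel-A vrf 0"
id=65308 trace_id=15 func=esp_output4 line=920 msg="IPsec encrypt/auth"
id=65308 trace_id=15 func=nipsec_set_ipsec_sa_enc line=920 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={To-Tunnel-A/To-Tunnel-A/0x333ab007}), npudev=-1, skb-dev=port2"
id=65308 trace_id=15 func=nipsec_set_ipsec_sa_enc line=965 msg="IPSec encrypt SA (p1/p2/spi={To-Tunnel-A/To-Tunnel-A/0x333ab007}) offloading-check failed, reason_code=2."
id=65308 trace_id=15 func=ipsec_output_finish line=641 msg="send to 0.0.0.0 via intf-port2"
"""

# key=value pairs; a quoted value (msg="...") may itself contain '=' and spaces,
# so the quoted alternative is tried first and consumed as one field.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# The offload-failure message. The (encrypt|decrypt) alternation is an assumption:
# the article only shows the encrypt form.
OFFLOAD_RE = re.compile(
    r'IPSec (?P<op>encrypt|decrypt) SA '
    r'\(p1/p2/spi=\{(?P<p1>[^/]+)/(?P<p2>[^/]+)/(?P<spi>0x[0-9a-fA-F]+)\}\) '
    r'offloading-check failed, reason_code=(?P<reason>\d+)'
)

# Only reason code 2 is documented by the article.
REASON_CODES = {
    2: "device has no NPU, so the IPsec SA could not be offloaded; expected on FortiGate VM",
}


def parse_line(line):
    """Split one debug flow line into a dict of its key=value fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value
    return fields


def find_offload_failures(debug_output):
    """Return one record per 'offloading-check failed' message in the output."""
    results = []
    for line in debug_output.splitlines():
        fields = parse_line(line)
        m = OFFLOAD_RE.search(fields.get("msg", ""))
        if not m:
            continue
        code = int(m.group("reason"))
        results.append({
            "trace_id": fields.get("trace_id"),
            "operation": m.group("op"),
            "phase1": m.group("p1"),
            "phase2": m.group("p2"),
            "spi": m.group("spi"),
            "reason_code": code,
            "explanation": REASON_CODES.get(code, "reason code not described in this article"),
        })
    return results


def triage(failures, is_vm):
    """Mark each failure 'expected' or 'investigate'.

    Assumption (mine, not the article's): reason code 2 is expected only on a VM;
    on an NPU-equipped model the same message deserves a closer look, and any
    undocumented code is flagged for review on every platform.
    """
    out = []
    for f in failures:
        expected = f["reason_code"] == 2 and is_vm
        out.append({**f, "status": "expected" if expected else "investigate"})
    return out


if __name__ == "__main__":
    for rec in triage(find_offload_failures(SAMPLE_DEBUG_FLOW), is_vm=True):
        print(f"trace {rec['trace_id']}: {rec['phase1']}/{rec['phase2']} spi={rec['spi']} "
              f"reason_code={rec['reason_code']} -> {rec['status']} ({rec['explanation']})")
```

Run it against a saved `diagnose debug flow` capture instead of the embedded sample to list every SA whose offload check failed; on a VM a reason code of 2 is simply the CPU path described above, so only other codes, or code 2 on hardware with an NPU, are worth chasing.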