This article describes the case when sending traffic over an IPsec tunnel, debug flow displays the following error:

id=65308 trace_id=15 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-00090049, reply direction"
id=65308 trace_id=15 func=ip_session_core_in line=6543 msg="dir-1, tun_id=192.169.1.1"
id=65308 trace_id=15 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface To-Tunnel-A, tun_id=192.169.1.1"
id=65308 trace_id=15 func=_do_ipsecdev_hard_start_xmit line=222 msg="output to IPSec tunnel To-Tunnel-A vrf 0"
id=65308 trace_id=15 func=esp_output4 line=920 msg="IPsec encrypt/auth"
id=65308 trace_id=15 func=nipsec_set_ipsec_sa_enc line=920 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={To-Tunnel-A/To-Tunnel-A/0x333ab007}), npudev=-1, skb-dev=port2"
id=65308 trace_id=15 func=nipsec_set_ipsec_sa_enc line=965 msg="IPSec encrypt SA (p1/p2/spi={To-Tunnel-A/To-Tunnel-A/0x333ab007}) offloading-check failed, reason_code=2."
id=65308 trace_id=15 func=ipsec_output_finish line=641 msg="send to 0.0.0.0 via intf-port2"

The debug flow message indicating 'offloading-check failed, reason_code=2' for IPsec traffic means that the offloading of the IPsec Security Association (SA) failed due to the absence of the Network Processing Unit (NPU). This is expected behavior for the VM-based FortiGate, which do not have NPUs and rely on the CPU processing for IPsec encryption and decryption.

The traffic is offloaded by the CPU.

Reason Code 2:

This specific code signifies that the IPsec offloading failed because the device does not have an NPU. This is an expected behavior for VM-based FortiGates.