FortiGate
Juancacst
Staff
Article Id 421953
Description

This article describes a recommended configuration change for forwarding multicast frames over a software switch that has a VXLAN interface as a member, and explains the CPU symptom the default configuration produces.

Scope

FortiOS, VXLAN, Software Switch.
Solution

Example Topology:
VXLAN-over-IPsec is configured, and the VXLAN interface is a member of a software switch. Behind FGT-B, several CCTV cameras stream multicast video that is to be received by a recorder located behind FGT-A. Neither FortiGate in this setup performs multicast routing; both are intended only to forward the multicast frames at Layer 2 across the software switch.

 

[Figure: VXLAN+IPSEC_example.png]

 

Refer to the following KB article for the VXLAN-over-IPSec configuration: Technical Tip: How to setup a VXLAN over IPsec deployment

 

After configuring this, the following symptoms may be observed:

  • High SoftIRQ utilization on all CPU cores handling the traffic.
  • CPU profiling shows _iprope_check_one_policy as the most active function on all cores.
  • Debug flow output shows the full list of multicast policies being walked again for every packet, even after the traffic has already matched a policy. The affected policy group number is 10000a (multicast policies).

 

id=65308 trace_id=1537 func=print_pkt_detail line=6005 msg="vd-root:0 received a packet(proto=17, 10.12.11.2:30000->239.12.11.2:30000) tun_id=0.0.0.0 from vxlanInterface. "
id=65308 trace_id=1537 func=__iprope_check line=2410 msg="gnum-10000a, check-ffffffffa002cdb0"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-1, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-2, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-3, ret-no-match, act-drop"
... <omitted>
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-7, ret-matched, act-drop"
id=65308 trace_id=1537 func=__iprope_user_identity_check line=1909 msg="ret-matched"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2380 msg="policy-7 is matched, act-accept"
id=65308 trace_id=1537 func=__iprope_check line=2427 msg="gnum-10000a check result: ret-matched, act-accept, flag-08010000, flag2-00000000"
id=65308 trace_id=1537 func=iprope_policy_group_check line=4909 msg="after check: ret-matched, act-accept, flag-08010000, flag2-00000000"
id=65308 trace_id=1537 func=__if_queue_push_xmit line=397 msg="send out via dev-port3, dst-mac-00:1d:09:1c:2f:3d"
id=65308 trace_id=1537 func=__iprope_check line=2410 msg="gnum-10000a, check-ffffffffa002cdb0"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-1, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-2, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-3, ret-no-match, act-drop"
... <omitted>
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-40, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-41, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-42, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-4294967295, ret-matched, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2380 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=1537 func=__iprope_check line=2427 msg="gnum-10000a check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
id=65308 trace_id=1537 func=iprope_policy_group_check line=4909 msg="after check: ret-matched, act-drop, flag-00000800, flag2-00000000"
id=65308 trace_id=1537 func=__iprope_check line=2410 msg="gnum-10000a, check-ffffffffa002cdb0"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-1, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-2, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-3, ret-no-match, act-drop"
... <omitted>

 

When a multicast packet arrives on the VXLAN interface, it is first handled at OSI Layer 2 by the software switch. A multicast session is created, and the frame is forwarded to the other switch members.

 

Because multicast forwarding is enabled (the default), the packet is then processed a second time at Layer 3. This is by design: the packet may also need to be forwarded to an interface outside the software switch. In the Layer 3 pass, however, the ingress interface is the software switch interface rather than the Layer 2 VXLAN member, so the session created by the Layer 2 pass no longer matches and is removed.

 

Because the multicast session entries are never retained, every multicast packet triggers a full walk of the multicast policy group instead of a session hit. That repeated policy lookup is what drives the SoftIRQ load and the _iprope_check_one_policy hot spot in the CPU profile.
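To confirm the symptom from saved debug flow output rather than by reading it line by line, the following Python script (added here; it is not part of the original article or of FortiOS) groups the trace lines by trace_id and counts how many times policy group 10000a is walked for one packet. The embedded sample is a constructed, trimmed copy of the output shown above; the function and variable names are the script's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy group number FortiOS uses for multicast policies (from the article).
MULTICAST_GNUM = "10000a"

# One debug flow line: trace_id, the function name, and the quoted msg.
_LINE = re.compile(r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"\s*$')
# Start of a policy-group walk: gnum-<group>, check-<address>
_START = re.compile(r'gnum-(?P<gnum>[0-9a-f]+), check-')
# One policy evaluated inside the walk.
_CHECKED = re.compile(r'checked gnum-(?P<gnum>[0-9a-f]+) policy-(?P<policy>\d+), ret-(?P<ret>[a-z-]+), act-(?P<act>\w+)')
# Final verdict of the walk.
_RESULT = re.compile(r'gnum-(?P<gnum>[0-9a-f]+) check result: ret-(?P<ret>[a-z-]+), act-(?P<act>\w+)')


@dataclass
class PolicyPass:
    gnum: str
    policies_checked: int = 0
    matched_policy: Optional[str] = None   # policy-4294967295 is the implicit deny
    action: Optional[str] = None           # taken from the "check result" line


def parse_passes(lines) -> Dict[str, List[PolicyPass]]:
    """Group debug flow lines by trace_id and split them into policy-group walks."""
    passes: Dict[str, List[PolicyPass]] = {}
    for raw in lines:
        m = _LINE.search(raw)
        if not m:
            continue  # "... <omitted>" markers and unrelated lines
        trace, func, msg = m.group("trace", "func", "msg")
        plist = passes.setdefault(trace, [])
        if func == "__iprope_check":
            start = _START.match(msg)
            result = _RESULT.match(msg)
            if start:
                plist.append(PolicyPass(gnum=start.group("gnum")))
            elif result and plist:
                plist[-1].action = result.group("act")
        elif func == "__iprope_check_one_policy" and plist:
            checked = _CHECKED.match(msg)
            if checked:
                plist[-1].policies_checked += 1
                if checked.group("ret") == "matched":
                    plist[-1].matched_policy = checked.group("policy")
    return passes


def repeated_multicast_lookups(passes: Dict[str, List[PolicyPass]],
                               gnum: str = MULTICAST_GNUM) -> Dict[str, List[PolicyPass]]:
    """Return the traces in which the multicast policy group was walked more than
    once for a single packet, the signature of the lost-session problem."""
    flagged = {}
    for trace, plist in passes.items():
        walks = [p for p in plist if p.gnum == gnum]
        if len(walks) > 1:
            flagged[trace] = walks
    return flagged


# Constructed sample: trimmed copy of the debug flow output in the article.
SAMPLE = """\
id=65308 trace_id=1537 func=print_pkt_detail line=6005 msg="vd-root:0 received a packet(proto=17, 10.12.11.2:30000->239.12.11.2:30000) tun_id=0.0.0.0 from vxlanInterface. "
id=65308 trace_id=1537 func=__iprope_check line=2410 msg="gnum-10000a, check-ffffffffa002cdb0"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-1, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-2, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-3, ret-no-match, act-drop"
... <omitted>
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-7, ret-matched, act-drop"
id=65308 trace_id=1537 func=__iprope_user_identity_check line=1909 msg="ret-matched"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2380 msg="policy-7 is matched, act-accept"
id=65308 trace_id=1537 func=__iprope_check line=2427 msg="gnum-10000a check result: ret-matched, act-accept, flag-08010000, flag2-00000000"
id=65308 trace_id=1537 func=__if_queue_push_xmit line=397 msg="send out via dev-port3, dst-mac-00:1d:09:1c:2f:3d"
id=65308 trace_id=1537 func=__iprope_check line=2410 msg="gnum-10000a, check-ffffffffa002cdb0"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-1, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-2, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-3, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-40, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-41, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-42, ret-no-match, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-4294967295, ret-matched, act-drop"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2380 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=1537 func=__iprope_check line=2427 msg="gnum-10000a check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
id=65308 trace_id=1537 func=__iprope_check line=2410 msg="gnum-10000a, check-ffffffffa002cdb0"
id=65308 trace_id=1537 func=__iprope_check_one_policy line=2146 msg="checked gnum-10000a policy-1, ret-no-match, act-drop"
"""

# Constructed healthy sample: the same packet walked once, accepted, and sent.
HEALTHY = "\n".join(SAMPLE.splitlines()[:11]) + "\n"

if __name__ == "__main__":
    for trace, walks in repeated_multicast_lookups(parse_passes(SAMPLE.splitlines())).items():
        print(f"trace {trace}: gnum-{MULTICAST_GNUM} walked {len(walks)} times, "
              f"checks per walk {[w.policies_checked for w in walks]}, actions {[w.action for w in walks]}")
```

Run it against a file captured while the stream is flowing: a trace that is accepted by the Layer 2 pass, then walked again to the implicit deny (policy-4294967295) on the Layer 3 pass, and walked again on the next packet is the pattern described above. Once the workaround is applied, each packet should produce at most one walk of gnum-10000a, or none at all once a session exists.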

 

Workaround:

Disable the Layer 3 processing of multicast traffic by turning off multicast-forward in the VDOM that owns the software switch:

 

config system settings
    set multicast-forward disable
end

 

The multicast-forward setting has VDOM scope. Disabling it stops Layer 3 multicast forwarding for every interface in that VDOM, not only for the software switch, so confirm that no multicast stream needs to reach an interface outside the switch before applying the change.

 

If intra-switch-policy is set to 'explicit', traffic between switch members is subject to firewall policy, so a multicast-policy is still required to allow the stream. The srcaddr and dstaddr values reference existing firewall address and multicast-address objects, which must be defined before the policy is created.

 

config system switch-interface
    edit "switchVxlan"
        set vdom "root"
        set member "port3" "vxlanInterface"
        set intra-switch-policy explicit
    next
end

 

config firewall multicast-policy
    edit <index>
        set name "multicast_video_stream"
        set srcintf "vxlanInterface"
        set dstintf "port3"
        set srcaddr "10.12.11.0/24"
        set dstaddr "multicast_receiver_group"
    next
end

 

If intra-switch-policy has its default value 'implicit', all frames, including multicast frames, are implicitly allowed between switch members, and no matching multicast-policy is needed.

 

config system switch-interface
    edit "switchVxlan"
        set vdom "root"
        set member "port3" "vxlanInterface"
        set intra-switch-policy implicit
    next
end

 

Related articles:

Technical Tip: How to setup a VXLAN over IPsec deployment

Technical Tip: VXLAN over IPsec for multiple VLANs using software switch

FortiOS Administration Guide | Configuring Multicast Forwarding

Troubleshooting Tip: FortiGate CPU Profiling