FortiGate
alif (Staff)
Article Id 380474
Description This article describes hardware acceleration (NPU offload) support for 802.1Q-in-802.1Q (Q-in-Q) VLAN tags.
Scope FortiGate.
Solution

Consider the following VLAN interfaces configured on FortiGate-I.

 

config system interface
    edit "vlan111"
        set vdom "root"
        set ip 10.111.1.1 255.255.255.252
        set allowaccess ping
        set interface "vlan222"
        set vlanid 111
        set snmp-index 10
    next
    edit "vlan222"
        set vdom "root"
        set interface "port1"
        set vlanid 222
        set snmp-index 20
    next
    edit "port1"
        set vdom "root"
        set role lan
        set type physical
        set snmp-index 30
    next
end

 

Likewise, the following VLAN interfaces are configured on FortiGate-II.

 

config system interface
    edit "vlan111"
        set vdom "root"
        set ip 10.111.1.2 255.255.255.252
        set allowaccess ping
        set interface "vlan222"
        set vlanid 111
        set snmp-index 40
    next
    edit "vlan222"
        set vdom "root"
        set interface "port2"
        set vlanid 222
        set snmp-index 50
    next
    edit "port2"
        set vdom "root"
        set role lan
        set type physical
        set snmp-index 60
    next
end

 

The network topology is as follows:


Windows10 (10.203.6.120) -- [(port10) FortiGate-I {port1 -- vlan222 -- vlan111 (10.111.1.1)}] ======= [{vlan111 (10.111.1.2) -- vlan222 -- port2} FortiGate-II (port20)] -- Windows10 (10.207.15.153)

 

A firewall policy has been configured to allow traffic between Windows clients.

 

config firewall policy
    edit 1
        set name "Q-in-Q-Testing"
        set srcintf "port10"
        set dstintf "vlan111"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

With hardware offloading enabled (the default) on firewall policy ID 1, traffic stops after two ICMP requests; the sniffer shows the first two echo request/reply pairs and nothing after them:

 

FortiGate-I # diagnose sniffer packet any "host 10.207.15.153 and icmp" 4 0 l
interfaces=[any]
filters=[host 10.207.15.153 and icmp]
2025-01-09 09:20:37.184550 port10 in 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184564 vlan111 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184565 vlan222 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184567 port1 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:37.184617 vlan111 in 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:37.184623 port10 out 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:38.181920 port10 in 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181932 vlan111 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181933 vlan222 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181935 port1 out 10.203.6.120 -> 10.207.15.153: icmp: echo request
2025-01-09 09:20:38.181969 vlan111 in 10.207.15.153 -> 10.203.6.120: icmp: echo reply
2025-01-09 09:20:38.181978 port10 out 10.207.15.153 -> 10.203.6.120: icmp: echo reply
^C
12 packets received by filter
0 packets dropped by kernel

 

However, traffic works if offloading is disabled on the firewall policy:

 

config firewall policy
    edit 1
        set auto-asic-offload disable
    next
end

 

The reason is that the NP7 cannot offload 802.1Q over 802.1Q due to its hardware design; FortiGate supports offloading of 802.1Q over 802.1AD only.

 

Per the latest confirmation from development, all NPUs before NP8, including NP6, NP6XLite and NP7Lite, cannot offload 802.1Q over 802.1Q.

 

If the 802.1Q over 802.1Q interface 'vlan111' from the example above is used as the underlay interface of an IPsec tunnel with 'npu-offload' left at its default (enabled), as below, the traffic will not pass through the IPsec tunnel and will be dropped as well.

 

config vpn ipsec phase1-interface
    edit "IPsec"
        set interface "vlan111"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 10.56.245.134
        set psksecret ENC sBTWIE56ryBAnum4CazbM57H=
    next
end

 

The workaround is to disable NPU offloading in the phase1 settings, as below:

 

config vpn ipsec phase1-interface
    edit "IPsec"
        set npu-offload disable
    next
end
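Both drop cases above (a firewall policy with auto-asic-offload left enabled, and a phase1 with npu-offload left enabled, each bound to a Q-in-Q VLAN) can be found in an exported configuration before traffic breaks. The following audit script is an added example, not from this article or Fortinet: it parses the top-level `config` / `edit` / `set` / `next` / `end` blocks of a FortiGate CLI export (nested sub-tables are skipped, and the export is assumed to be parseable by shlex), identifies VLAN interfaces whose parent is itself a VLAN interface, and reports any policy or phase1 that references such an interface without the offload setting explicitly disabled. The sample configuration is constructed from the FortiGate-I example above.

```python
import shlex

def parse_config(text):
    """Parse top-level config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}."""
    tables, table, entry, depth = {}, None, None, 0
    for line in text.splitlines():
        words = shlex.split(line)           # handles the quoted names FortiGate emits
        if not words:
            continue
        if words[0] == "config":
            depth += 1                      # sub-tables nested inside an entry are skipped
            if depth == 1:
                table = " ".join(words[1:])
                tables.setdefault(table, {})
        elif words[0] == "end":
            depth -= 1
        elif depth == 1 and words[0] == "edit":
            entry = words[1]
            tables[table][entry] = {}
        elif depth == 1 and words[0] == "set" and entry is not None:
            tables[table][entry][words[1]] = words[2:]
    return tables

def qinq_interfaces(tables):
    """Interfaces whose parent is itself a VLAN interface (802.1Q over 802.1Q)."""
    ifaces = tables.get("system interface", {})
    return {n for n, s in ifaces.items() if "vlanid" in s
            and "vlanid" in ifaces.get(s.get("interface", [""])[0], {})}

def offload_findings(tables):
    """Policies and phase1s bound to a Q-in-Q VLAN with offload left at its default (enabled)."""
    qinq, found = qinq_interfaces(tables), []
    for pid, s in tables.get("firewall policy", {}).items():
        hit = set(s.get("srcintf", []) + s.get("dstintf", [])) & qinq
        if hit and s.get("auto-asic-offload") != ["disable"]:
            found.append(("firewall policy", pid, sorted(hit)))
    for name, s in tables.get("vpn ipsec phase1-interface", {}).items():
        hit = set(s.get("interface", [])) & qinq
        if hit and s.get("npu-offload") != ["disable"]:
            found.append(("vpn ipsec phase1-interface", name, sorted(hit)))
    return found

# Constructed sample: FortiGate-I's interfaces and policy from the article, plus the
# phase1 with the workaround already applied, so only the policy should be flagged.
SAMPLE = "\n".join([
    "config system interface", 'edit "vlan111"', 'set interface "vlan222"', "set vlanid 111", "next",
    'edit "vlan222"', 'set interface "port1"', "set vlanid 222", "next", "end", "config firewall policy",
    "edit 1", 'set srcintf "port10"', 'set dstintf "vlan111"', "next", "end",
    "config vpn ipsec phase1-interface", 'edit "IPsec"', 'set interface "vlan111"', "set npu-offload disable", "next", "end"])
```

Running `offload_findings(parse_config(SAMPLE))` returns a single finding for firewall policy 1 on vlan111; feed it the output of `show full-configuration` to audit a real unit, and treat a setting that is absent as the default (enabled), as the article does.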

 

Related articles:

QinQ 802.1Q in 802.1Q - FortiGate administration guide

Improve DVLAN QinQ performance for NP7 platforms over virtual wire pairs - FortiGate documentation

Changing the DVLAN mode for FortiGates with NP7 processors - FortiGate documentation

Technical Tip: How to workaround double tagging issues with hardware acceleration over virtual wire ...