Description
This article describes how to identify when fragmented UDP packets are dropped due to taking the NTurbo path on NP7 platforms and how to resolve the drops.
Scope
NP7 FortiGates.
Solution
When a FortiGate equipped with NP7 processors forwards IPS-inspected traffic through a flow-based firewall policy, UDP traffic that is also fragmented may be dropped.
These drops occur when fragmented UDP packets take the NTurbo path inside the FortiGate. The only traffic that takes this path is on sessions that are NP7-accelerated and have IPS, Application Control, flow-based Antivirus or flow-based web filtering applied. Traffic taking the NP7 path (no security inspection) and traffic taking the CPU path (any traffic that cannot be offloaded) are not affected by this fragmentation issue.
Refer to the following article for the conditions under which traffic is NP7 accelerated; note that NTurbo has more specific requirements: NP7 session fast path requirements
NTurbo fragmentation drops can be identified with the CLI command ‘diagnose test app ipsmonitor 14’. If traffic is being dropped, the ‘drop(decode)’ counter will increment.
‘diagnose test app ipsmonitor 14’ output without any drops:
‘diagnose test app ipsmonitor 14’ output after fragmented UDP traffic has been sent through this NP7 FortiGate:
Note: The ‘decode’ drops are distributed across several NTurbo engines, and the presence of decode NTurbo drops in general does not necessarily indicate that UDP traffic is being dropped due to fragmentation.
To resolve this issue, the CLI-only IP-reassembly option can be enabled under the NP7 configuration. The NP7 processor is capable of reassembling up to two fragments into a single packet before the packet is sent to the CPU for security inspection. If traffic is fragmented into more than two packets, it will still be dropped even with IP-reassembly enabled. Disabling NTurbo is required to stop drops for packets fragmented into three or more packets.
The CLI commands to enable ip-reassembly, entered from within the NP7 configuration context, are as follows:
    config ip-reassembly
        set status enable
    end
end
There are two additional configurable values within the ip-reassembly configuration: the ‘min-timeout’ and ‘max-timeout’ settings.
    config ip-reassembly
        set min-timeout <microseconds>
        set max-timeout <microseconds>
    end
Enabling IP-reassembly is a global setting across all NP7s on a FortiGate, and will apply to all fragmented traffic. Enabling this setting will not impact CPU/memory consumption on its own, though the additional traffic being inspected instead of dropped may increase the performance load.
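As an added illustration (not code from the Fortinet article), the helper below works out how many IPv4 fragments a UDP datagram of a given payload size produces and applies the rules stated above (NTurbo-path fragments are dropped, NP7 ip-reassembly recovers at most two fragments, disabling NTurbo avoids the drops entirely). It assumes plain IPv4 with a 20-byte header and no options; the function names and sample sizes are the author's own.

```python
# Added illustration, not Fortinet code. Assumes plain IPv4 (20-byte header,
# no options) and the article's rules for NTurbo-path UDP fragments.
IPV4_HEADER = 20
UDP_HEADER = 8
NP7_REASSEMBLY_MAX_FRAGMENTS = 2   # NP7 reassembles at most two fragments


def ipv4_fragment_count(udp_payload_len: int, mtu: int = 1500) -> int:
    """Number of IPv4 fragments a UDP datagram with this payload produces.

    Every fragment but the last must carry a payload that is a multiple of
    8 bytes, so the usable bytes per fragment are (mtu - 20) rounded down
    to a multiple of 8. The UDP header travels in the first fragment.
    """
    if mtu < IPV4_HEADER + 8:
        raise ValueError("MTU too small to carry an IPv4 fragment")
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    total = UDP_HEADER + udp_payload_len
    return -(-total // per_fragment)          # ceiling division


def nturbo_verdict(udp_payload_len: int, mtu: int = 1500,
                   ip_reassembly: bool = False, nturbo: bool = True) -> str:
    """Expected fate of one IPS-inspected, NP7-accelerated UDP datagram."""
    n = ipv4_fragment_count(udp_payload_len, mtu)
    if n == 1:
        return "forwarded: not fragmented"
    if not nturbo:
        return f"forwarded: {n} fragments, NTurbo disabled so not affected"
    if ip_reassembly and n <= NP7_REASSEMBLY_MAX_FRAGMENTS:
        return f"forwarded: {n} fragments reassembled by NP7 ip-reassembly"
    if ip_reassembly:
        return f"dropped: {n} fragments exceed the NP7 limit; disable NTurbo"
    return f"dropped: {n} fragments on the NTurbo path; enable ip-reassembly"


if __name__ == "__main__":
    # Constructed sample sizes: under one MTU, two fragments, three fragments.
    for size in (1400, 2000, 3000):
        for reassembly in (False, True):
            print(f"{size:>5} B payload, ip-reassembly={reassembly!s:<5} -> "
                  f"{nturbo_verdict(size, ip_reassembly=reassembly)}")
```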
Refer to this article for more information on NTurbo, including how to disable it: Technical Tip: Nturbo functions within FortiOS
Refer to the administrative guide for more information on what traffic can be handled by NTurbo: