JaskiratM
Staff & Editor
Article Id 395914
Description

This article describes how to troubleshoot IPsec-related issues on FortiGate devices that use NP7Lite ASICs (G-series models). It focuses on interpreting the output of the ipsec-perf debug file and identifying the error counters that indicate problems in IPsec processing.
Scope

This applies to FortiGate G-series models with NP7Lite ASICs (e.g., FG-200G, FG-90G).
Solution

To gather performance and error metrics for the IPsec engine on NP7Lite, use the following command:
fnsysctl cat /proc/net/np7lite/np7lite_0/ipsec-perf

This outputs various counters related to inbound/outbound Security Association (SA) creation, deletion and update attempts, buffer management, and tunnel information.
Key areas of interest:

  • Error counters (all nr_e_*):
    These indicate abnormal events or failures. A few examples are outlined below:
    • nr_e_nomem: Memory allocation failure. May suggest resource exhaustion.
    • nr_e_spi_ins, nr_e_spi_del: Issues inserting or deleting SPI values, pointing to potential SA handling problems or duplicate entries.
    • nr_e_nsa_del_sa, nr_e_nsa_rx_hdl: Failure to delete an SA or to handle receive events.
Observed Behavior:

Run the command several times over a period and compare the counters between runs. If the nr_e_* error counters increase while IPsec performance issues are being reported, the NP7Lite ASIC may be contributing to those issues.
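The comparison described above can be automated on an administrator's workstation once two captures of the ipsec-perf output have been taken (for example, by saving the output of the fnsysctl command from two SSH sessions a few minutes apart). The script below is an added example and is not Fortinet's code or a documented tool; the two snapshots are constructed sample data, and the assumption that the file presents one "counter value" pair per line is also an assumption, not the documented layout of the real /proc file. The script parses both captures, keeps only the nr_e_* counters, and reports which of them grew and by how much, while also flagging any counter that went backwards (a sign the device rebooted or the counters were reset, so the two captures are not comparable).

```python
import re
from typing import Dict, Tuple

# Constructed sample captures of the ipsec-perf output. The counter names come
# from the article; the layout (one "name value" pair per line) is an assumption
# made for this example and may differ from the real /proc file.
SNAPSHOT_BEFORE = """\
nr_in_sa_add      120
nr_out_sa_add     118
nr_e_nomem        0
nr_e_spi_ins      2
nr_e_spi_del      0
nr_e_nsa_del_sa   0
nr_e_nsa_rx_hdl   5
"""

SNAPSHOT_AFTER = """\
nr_in_sa_add      131
nr_out_sa_add     129
nr_e_nomem        3
nr_e_spi_ins      2
nr_e_spi_del      1
nr_e_nsa_del_sa   0
nr_e_nsa_rx_hdl   5
"""

# Accepts "name value", "name: value" or "name = value"; anything else is ignored
# so that tunnel information or free-form lines do not break the parse.
COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*[:=]?\s*(\d+)\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Extract every numeric counter from one capture of the ipsec-perf output."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if match:
            counters[match.group(1)] = int(match.group(2))
    return counters


def error_counter_deltas(before: Dict[str, int], after: Dict[str, int],
                         prefix: str = "nr_e_") -> Tuple[Dict[str, int], list]:
    """Return (increases, reset_names) for the error counters.

    increases maps each nr_e_* counter that grew to the amount it grew by;
    reset_names lists counters whose value decreased, which means the two
    captures straddle a reboot or counter reset and should not be compared.
    """
    increases: Dict[str, int] = {}
    reset_names = []
    for name, new_value in after.items():
        if not name.startswith(prefix):
            continue
        old_value = before.get(name, 0)
        if new_value > old_value:
            increases[name] = new_value - old_value
        elif new_value < old_value:
            reset_names.append(name)
    return increases, reset_names


def assess(before_text: str, after_text: str) -> Dict[str, object]:
    """Compare two captures and say whether NP7Lite errors are rising."""
    increases, resets = error_counter_deltas(parse_counters(before_text),
                                             parse_counters(after_text))
    return {
        "increases": increases,
        "resets": resets,
        # Rising nr_e_* counters alongside reported IPsec problems are the
        # condition the article describes; a reset makes the result unreliable.
        "np7lite_suspect": bool(increases) and not resets,
    }


if __name__ == "__main__":
    result = assess(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for name, delta in sorted(result["increases"].items()):
        print(f"{name} increased by {delta}")
    if result["resets"]:
        print("counters reset between captures:", ", ".join(result["resets"]))
    print("NP7Lite suspect:", result["np7lite_suspect"])
```

In practice the two text strings would be read from files saved from the CLI sessions; taking three or more captures and running the comparison between consecutive pairs gives a clearer trend than a single pair.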