Description
This article describes why, in some cases where NPU offloading is enabled on IPsec tunnels, the NP6 IPsec engine may drop ESP packets because of a large amount of layer 2 padding. A solution is offered.

Scope
FortiGate.

Solution
First, capture the traffic over the IPsec tunnel of the FortiGate.
Note that there is outbound traffic but no inbound traffic.
diag sniffer packet any 'host 52.138.0.244' 4 0 l
interfaces=[any]
Additionally, checking the NPU drop counters will show drops on the IPsec engine:
diagnose npu np6 dce 0
IPSEC1_ENGINB1 :0000000000017379 [8a]
IPSEC1_ENGINB2 :0000000000000746 [8b]
diag npu np6 dce 1
Test by disabling NPU offloading under the IPsec phase1 tunnel and check whether the inbound traffic now passes as expected:
config vpn ipsec phase1-interface
    edit <phase1-name>
        set npu-offload disable
    next
end
If the traffic passes as expected, enable padding stripping under system NPU (extra padding in clear-text or cipher-text packets can cause the IPsec engine to hang), then reboot the FortiGate. Note that in an HA cluster it is necessary to reboot all of the units in the cluster. Afterwards, enable npu-offload on the phase1 tunnel again.
config system npu
    set strip-esp-padding enable
    set strip-clear-text-padding enable
end
After this, offloading remains enabled and the ESP traffic passes successfully.
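To confirm from a capture that the inbound ESP frames really carry more layer 2 padding than the Ethernet minimum requires, the following added example (not Fortinet's code) parses an Ethernet/IPv4/ESP frame, measures the bytes trailing the IP datagram, and reports how much exceeds the padding needed to reach 60 bytes. The sample frames are constructed inline; the MAC addresses, SPI and 10.0.0.x addresses are placeholders.

```python
import struct

ETH_HDR_LEN = 14
VLAN_TAG_LEN = 4
MIN_FRAME_LEN = 60      # IEEE 802.3 minimum frame size, excluding the 4-byte FCS
ESP_PROTO = 50          # IP protocol number for ESP

def ipv4_offset(frame: bytes) -> int:
    """Return the offset of the IPv4 header, skipping one optional 802.1Q tag."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = ETH_HDR_LEN
    if ethertype == 0x8100:
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off += VLAN_TAG_LEN
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    return off

def is_esp(frame: bytes) -> bool:
    """True when the IPv4 protocol field (byte 9 of the header) carries ESP."""
    return frame[ipv4_offset(frame) + 9] == ESP_PROTO

def l2_padding(frame: bytes) -> int:
    """Bytes trailing the IP datagram: the layer 2 padding the NP6 has to strip."""
    off = ipv4_offset(frame)
    total_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
    return len(frame) - (off + total_len)

def excess_padding(frame: bytes) -> int:
    """Padding beyond what is needed to reach the Ethernet minimum frame size."""
    pad = l2_padding(frame)
    required = max(0, MIN_FRAME_LEN - (len(frame) - pad))
    return max(0, pad - required)

def build_esp_frame(payload_len: int, pad_len: int) -> bytes:
    """Constructed sample: Ethernet/IPv4/ESP frame with pad_len trailing pad bytes.
    MACs, SPI and 10.0.0.x addresses are placeholders, not values from the article."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip_total = 20 + 8 + payload_len                      # IP header + SPI/seq + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0x4000, 64, ESP_PROTO, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # checksum left 0
    esp = struct.pack("!II", 0x00C0FFEE, 1) + bytes(payload_len)  # SPI, sequence, data
    return eth + ip + esp + bytes(pad_len)

if __name__ == "__main__":
    for name, frame in (("padded", build_esp_frame(16, 30)), ("minimal", build_esp_frame(16, 2))):
        print(name, "esp" if is_esp(frame) else "other",
              "padding:", l2_padding(frame), "excess:", excess_padding(frame))
```

A non-zero excess on frames that the sniffer shows arriving but that never appear as decrypted inbound traffic is the signature this article describes.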
Related article: Stripping clear text padding and IPsec session ESP padding - FortiGate documentation.
Copyright 2024 Fortinet, Inc. All Rights Reserved.