mkatary
Staff
Article Id 208035
Description

This article describes why, in some cases where NPU offloading is enabled on IPsec tunnels, the NP6 IPsec engine can drop ESP packets because of a large amount of Layer 2 padding, and offers a solution.
Scope

FortiGate.

Solution

First, capture the traffic over the IPsec tunnel on the FortiGate.


Note that there is outbound traffic but no inbound traffic.


diag sniffer packet any 'host 52.138.0.244' 4 0 l

interfaces=[any]
filters=[host 52.138.0.244]
2021-11-03 19:20:31.343034 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x4e)
2021-11-03 19:20:31.454182 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x4f)
2021-11-03 19:20:32.794925 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x50)
2021-11-03 19:20:33.151516 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x51)
2021-11-03 19:20:33.151591 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x52)
2021-11-03 19:20:33.151669 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x53)
2021-11-03 19:20:33.151707 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x54)
2021-11-03 19:20:34.791762 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x55)
2021-11-03 19:20:35.114577 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x56)


Additionally, checking the NPU counters shows drops in the IPsec engine.


diagnose npu np6 dce 0
IHP0_PKTCHK :0000000000007388 [5a] IHP1_PKTCHK :0000000000301745 [5b]
XHP0_PKTCHK :0000000000003229 [5e] XHP1_PKTCHK :0000000000003405 [5f]
IPSEC0_ENGINB0 :0000000000547093 [80] IPSEC0_ENGINB1 :0000000000031693 [81]
IPSEC0_ENGINB2 :0000000000000655 [82] IPSEC0_ENGINB3 :0000000000000174 [83]
IPSEC0_ENGINB4 :0000000000000074 [84] IPSEC0_ENGINB5 :0000000000000057 [85]
IPSEC0_ENGINB6 :0000000000000022 [86] IPSEC0_ENGINB7 :0000000000000004 [87]
IPSEC1_IQUEUE :0000000000000001 [88] IPSEC1_ENGINB0 :0000000000418401 [89]
IPSEC1_ENGINB1 :0000000000017379 [8a] IPSEC1_ENGINB2 :0000000000000746 [8b]
IPSEC1_ENGINB3 :0000000000000429 [8c] IPSEC1_ENGINB4 :0000000000000117 [8d]
IPSEC1_ENGINB5 :0000000000000086 [8e] IPSEC1_ENGINB6 :0000000000000051 [8f]


diag npu np6 dce 1
IHP0_PKTCHK :0000000000020296 [5a] XHP0_PKTCHK :0000000000000005 [5e]
IPSEC0_ENGINB6 :0000000003712039 [86] IPSEC0_ENGINB7 :0000000006713629 [87]
PDQ_OSW_IPSEC1I :0000000014154116 [a7]
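As an added example (not from the article or from Fortinet), a small Python helper that parses saved 'diag sniffer packet' and 'diag npu np6 dce' output offline, flags peers to which ESP is only ever sent and never received (the symptom shown above), and pulls out the non-zero IPsec engine counters. The second peer 198.51.100.7 and its SPIs are constructed for the sample; the regexes assume the exact line layout shown in the article.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the 'diag sniffer packet' output above (outbound-only
# ESP to 52.138.0.244) plus a healthy two-way peer; 198.51.100.7 is a made-up address.
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 52.138.0.244]
2021-11-03 19:20:31.343034 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x4e)
2021-11-03 19:20:31.454182 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x4f)
2021-11-03 19:20:32.794925 port7 out 209.15.95.34 -> 52.138.0.244: ESP(spi=0xac6e0cbe,seq=0x50)
2021-11-03 19:20:33.100000 port7 out 209.15.95.34 -> 198.51.100.7: ESP(spi=0x1a2b3c4d,seq=0x10)
2021-11-03 19:20:33.200000 port7 in 198.51.100.7 -> 209.15.95.34: ESP(spi=0x5e6f7a8b,seq=0x11)
"""

# Constructed excerpt in the format of 'diagnose npu np6 dce 0' above.
DCE_OUTPUT = """\
IHP0_PKTCHK :0000000000007388 [5a] IHP1_PKTCHK :0000000000301745 [5b]
IPSEC0_ENGINB0 :0000000000547093 [80] IPSEC0_ENGINB1 :0000000000031693 [81]
IPSEC1_IQUEUE :0000000000000001 [88] IPSEC1_ENGINB0 :0000000000418401 [89]
"""

ESP_LINE = re.compile(
    r"^\S+ \S+ (?P<intf>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)$"
)
DCE_COUNTER = re.compile(r"(?P<name>[A-Z0-9_]+)\s*:(?P<val>\d+)\s*\[[0-9a-f]+\]")

def esp_direction_counts(text):
    """Count ESP packets per remote gateway and direction as seen by the sniffer."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in text.splitlines():
        m = ESP_LINE.match(line.strip())
        if m:  # peer is the destination of outbound ESP, the source of inbound ESP
            peer = m["dst"] if m["dir"] == "out" else m["src"]
            counts[peer][m["dir"]] += 1
    return dict(counts)

def one_way_peers(text):
    """Peers we send ESP to but never receive ESP from: the symptom described above."""
    return sorted(p for p, c in esp_direction_counts(text).items()
                  if c["out"] > 0 and c["in"] == 0)

def ipsec_engine_counters(dce_text):
    """Non-zero IPSEC*_ENGINB* counters from 'diag npu np6 dce' output."""
    return {m["name"]: int(m["val"]) for m in DCE_COUNTER.finditer(dce_text)
            if "ENGINB" in m["name"] and int(m["val"]) > 0}
```

Feed it the output of both commands captured from the affected unit; an entry in one_way_peers together with climbing IPsec engine counters is the pattern this article is about.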


Test by disabling NPU offloading on the IPsec phase1 interface and check whether the inbound traffic now passes as expected.


config vpn ipsec phase1-interface
    edit <phase1-name>
        set npu-offload disable
    next
end


If the traffic passes as expected, enable padding stripping under system NPU (extra padding in cleartext or ciphertext packets can cause the IPsec engine to hang) and reboot the FortiGate. Note that in an HA cluster, all units in the cluster must be rebooted. Afterwards, enable npu-offload again.


config system npu
    set strip-esp-padding enable
    set strip-clear-text-padding enable
end


After that, offloading is enabled again and the ESP traffic passes successfully.


Related article:

Stripping clear text padding and IPsec session ESP padding - FortiGate documentation.