pareenat
Staff
Description
This article describes a corner case that causes TCP out-of-order packets in some deployment topologies.

Scope
FortiOS.
Solution
[Diagram: pareenat_0-1647254605799.png]

When the F5 is configured with a Virtual Server that points back to a backend server behind the FortiGate, the F5 intercepts the TCP handshake between the client and the backend server. This shortens the interval between the third handshake packet (the ACK) and the first data segment, and under some rare conditions these two packets reach the FortiGate almost at the same time.


If the third handshake packet (the ACK) is still being handled by the CPU (slow path) while the first data segment is already accelerated by the Network Processor (fast path), the data segment can overtake the ACK, which increases the likelihood of TCP out-of-order between these two packets.

 

[Diagram: pareenat_1-1647254633962.png]

To prevent the TCP out-of-order condition, enable delay-tcp-npu-session on the firewall policy that matches the flow above. This setting delays NPU offload of a new TCP session until the three-way handshake is complete, so the first data segment cannot be accelerated ahead of the ACK.

# config firewall policy
    edit <policy_id>
        set delay-tcp-npu-session enable
    next
end
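The following is an added illustration, not Fortinet code: a toy timing model of the slow-path / fast-path race described above, and of why delaying NPU offload until the handshake completes removes the reordering. The per-path latencies, the packet arrival times, and the rule for when a session becomes offloaded are constructed assumptions chosen to make the race visible; they are not measured FortiGate values.

```python
# Added illustration, not Fortinet code. Latencies, packet times and the
# offload rule below are constructed assumptions, not measured values.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SLOW_PATH_US = 40.0   # assumed CPU (kernel) forwarding latency, microseconds
FAST_PATH_US = 5.0    # assumed NPU forwarding latency, microseconds


@dataclass(frozen=True)
class Packet:
    name: str          # SYN, SYN-ACK, ACK or DATA
    ingress_us: float  # arrival time at the FortiGate
    is_handshake: bool


def forward(packets: List[Packet],
            delay_tcp_npu_session: bool) -> List[Tuple[str, str, float]]:
    """Forward the packets of one new TCP session; return (name, path, egress_us)
    tuples sorted by egress time.

    Model (assumption): handshake packets are always processed by the CPU.
    Without the delay setting, the NPU path is usable as soon as the session
    exists, i.e. once the SYN-ACK has been processed. With the delay setting,
    the NPU path only becomes usable after the CPU has finished forwarding the
    final handshake ACK, so any data arriving earlier also takes the CPU path.
    """
    offload_at: Optional[float] = None   # time from which the NPU path is used
    egress: List[Tuple[str, str, float]] = []
    for p in sorted(packets, key=lambda pkt: pkt.ingress_us):
        if p.is_handshake:
            path, leave = "cpu", p.ingress_us + SLOW_PATH_US
            if p.name == "SYN-ACK" and not delay_tcp_npu_session:
                offload_at = leave
            if p.name == "ACK" and delay_tcp_npu_session:
                offload_at = leave
        elif offload_at is not None and p.ingress_us >= offload_at:
            path, leave = "npu", p.ingress_us + FAST_PATH_US
        else:
            path, leave = "cpu", p.ingress_us + SLOW_PATH_US
        egress.append((p.name, path, leave))
    egress.sort(key=lambda e: e[2])
    return egress


def data_overtakes_ack(egress: List[Tuple[str, str, float]]) -> bool:
    """True when the first data segment leaves before the handshake ACK,
    which is the out-of-order condition the article describes."""
    names = [name for name, _, _ in egress]
    return names.index("DATA") < names.index("ACK")


# Constructed trace: the F5 sends the final ACK and the first data segment
# almost back to back (3 microseconds apart).
RACE_TRACE = [
    Packet("SYN", 0.0, True),
    Packet("SYN-ACK", 100.0, True),
    Packet("ACK", 200.0, True),
    Packet("DATA", 203.0, False),
]

if __name__ == "__main__":
    for delay in (False, True):
        order = forward(RACE_TRACE, delay)
        state = "out of order" if data_overtakes_ack(order) else "in order"
        print(f"delay-tcp-npu-session={'enable' if delay else 'disable'}: "
              + " -> ".join(f"{n}({p},{t:.0f}us)" for n, p, t in order)
              + f" | {state}")
```

With the setting disabled the model lets the DATA segment take the NPU path and leave at 208 us while the ACK is still on the CPU path until 240 us, reproducing the reordering; with the setting enabled the DATA segment is forced onto the CPU path behind the ACK and leaves at 243 us.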
