Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pareenat
Staff
Staff

Created on ‎03-14-2022 03:59 AM Edited on ‎02-23-2025 11:22 PM By Community Manager

Article Id 206824

Technical Tip: Solution to prevent TCP out of order on some of deployment condition

Description This article describes corner case condition cause TCP out of order on some of deployment diagram.
Scope FortiGate.
Solution pareenat_0-1647254605799.png

 

When F5 sets up Virtual Server point back to Backend Server behind FortiGate. F5 will intercept the TCP handshake between the client and the Backend Server and shorten the time difference between the 3rd TCP handshake packet (‘ack’) and 1st piece of data and in some rare conditions, this packet will reach FortiGate almost at the same time.


When the 3rd TCP handshake packet ('ack') gets handled by the CPU (slow path), the 1st data would already get accelerated by Network Processor (fast path) and will increase the possibility of triggering TCP out of order between these 2 packets.

 

pareenat_1-1647254633962.png

 

To prevent TCP out of order, it i possible to enable delay-tcp-npu-session on policy that impacts from above flow.

 

config firewall policy

    edit <>

        set delay-tcp-npu-session enable
    end
Labels:
8032
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.