Solution
The following debug logs demonstrate an offloading failure during an IPSec encryption process:
2024-12-22 11:57:03 id=65308 trace_id=363 func=nipsec_set_ipsec_sa_enc line=933 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={004-IPSEC-018/004-IPSEC-018/0x72a21ed3}), npudev=1, skb-dev=BGP004-024"
2024-12-22 11:57:03 id=65308 trace_id=363 func=nipsec_set_ipsec_sa_enc line=967 msg="IPsec encrypt SA (p1/p2/spi={004-IPSEC-018/004-IPSEC-018/0x72a21ed3}) offloadingfailed, err=14, flag/id={0/0, 0/0, 0/0}"
- offloadingfailed, err=14 indicates that the FortiGate hardware was unable to offload the encryption process for the specified Security Association (SA).
- This failure typically occurs due to hardware resource limitations, incompatible configurations, or unsupported algorithms.
- When offloading fails, encryption falls back to software processing, which may lead to increased CPU utilization and reduced performance.
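To see which tunnels are affected across a longer debug capture, the failure lines can be grouped by phase1 name. The script below is an added example, not Fortinet tooling; it assumes the message format shown in the output above, and the last two sample lines (including the tunnel name EXAMPLE-TUN) are constructed for illustration.

```python
import re
from collections import defaultdict

# Failure message format as printed in the debug output above.
# "offloadingfailed" appears without a space; \s? tolerates either spelling.
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?'
    r'msg="IPsec encrypt SA '
    r'\(p1/p2/spi=\{(?P<p1>[^/]+)/(?P<p2>[^/]+)/(?P<spi>0x[0-9a-fA-F]+)\}\) '
    r'offloading\s?failed, err=(?P<err>\d+)'
)

def summarize_offload_failures(lines):
    """Group offload failures by phase1 name: count, SPIs, error codes, time range."""
    summary = defaultdict(lambda: {"count": 0, "spis": set(), "errs": set(),
                                   "first": None, "last": None})
    for line in lines:
        m = FAIL_RE.search(line.strip())
        if not m:
            continue  # e.g. the "Trying to offload" attempt line
        entry = summary[m["p1"]]
        entry["count"] += 1
        entry["spis"].add(m["spi"])        # distinct SPIs show whether rekeys fail too
        entry["errs"].add(int(m["err"]))
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(summary)

# Lines 1-2 follow the article's output; lines 3-4 are constructed sample data.
SAMPLE = [
    '2024-12-22 11:57:03 id=65308 trace_id=363 func=nipsec_set_ipsec_sa_enc line=933 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={004-IPSEC-018/004-IPSEC-018/0x72a21ed3}), npudev=1, skb-dev=BGP004-024"',
    '2024-12-22 11:57:03 id=65308 trace_id=363 func=nipsec_set_ipsec_sa_enc line=967 msg="IPsec encrypt SA (p1/p2/spi={004-IPSEC-018/004-IPSEC-018/0x72a21ed3}) offloadingfailed, err=14, flag/id={0/0, 0/0, 0/0}"',
    '2024-12-22 11:57:09 id=65308 trace_id=364 func=nipsec_set_ipsec_sa_enc line=967 msg="IPsec encrypt SA (p1/p2/spi={004-IPSEC-018/004-IPSEC-018/0x72a21ed4}) offloadingfailed, err=14, flag/id={0/0, 0/0, 0/0}"',
    '2024-12-22 11:58:30 id=65308 trace_id=371 func=nipsec_set_ipsec_sa_enc line=967 msg="IPsec encrypt SA (p1/p2/spi={EXAMPLE-TUN/EXAMPLE-TUN/0x0000abcd}) offloadingfailed, err=14, flag/id={0/0, 0/0, 0/0}"',
]

if __name__ == "__main__":
    for p1, e in sorted(summarize_offload_failures(SAMPLE).items()):
        print(f"{p1}: {e['count']} failure(s), err={sorted(e['errs'])}, "
              f"SPIs={sorted(e['spis'])}, {e['first']} .. {e['last']}")
```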
Disable Offload:
Disabling offload can resolve this issue by bypassing the hardware for IPSec processing.
To disable IPSec offloading for a specific tunnel, use the following CLI command:
config vpn ipsec phase1-interface
    edit <phase1-name>
        set npu-offload disable
    next
end
- The offloading failure (offloadingfailed, err=14) will no longer occur as the FortiGate will handle encryption in software.
- Software-based processing is slower and may lead to high CPU utilization under heavy traffic.
Note:
- Ensure that the encryption and authentication algorithms used in the IPSec tunnel are supported by the FortiGate.
- Check hardware resource utilization to confirm if NP4, NP6 or NP7 are overloaded.
- If resource limitations persist, consider upgrading to a higher-performance FortiGate model with greater offloading capacity.
Related articles:
- Technical Tip: How to check if NP6 is overloaded
- Troubleshooting Tip: NPU configuration commands (NP4, NP6, NP7)
- Technical Tip: Network Processors (NP) / Hardware Acceleration Processors