|
Once the IPsec VPN tunnel is established, the 'diagnose vpn tunnel list name <tunnel_name>' command is used to see details about phase2 selectors (config vpn ipsec phase2-interface).
FGT_Lab # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=FGT_Tunnel ver=2 serial=1fd x.x.x.x:500->y.y.y.y:500 nexthop=x.x.x.x tun_id=y.y.y.y status=up dst_mtu=1500 weight=1
parent=FGT_P1 index=545
.
.
<output_omitted>
.
.
proxyid=FGT_P2 proto=0 sa=1 ref=61 serial=1 add-route
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
.
.
<output_omitted>
dec:pkts/bytes=0/0, enc:pkts/bytes=190003/31809788
The pkts/bytes counter displays the number of packets/bytes encrypted or decrypted by the Security Association (SA). Once SA is offloaded, the decrypt counter doesn't update regularly (as encryption).
dec:pkts/bytes=5762/16468, enc:pkts/bytes=9470/581554
npu_flag=03 npu_rgwy=10.5.129.240 npu_lgwy=10.5.17.58 npu_selid=2 dec_npuid=7 enc_npuid=8
dec:pkts/bytes=11904/1064898, enc:pkts/bytes=18934/1161034
npu_flag=03 npu_rgwy=10.5.132.101 npu_lgwy=10.5.17.58 npu_selid=0 dec_npuid=4 enc_npuid=8
When NPU Offloading is disabled under phase1 settings, the decrypt packets are updated regularly.
dec:pkts/bytes=7422/445320, enc:pkts/bytes=7422/890640
npu_flag=00 npu_rgwy=10.5.17.58 npu_lgwy=10.5.129.240 npu_selid=6 dec_npuid=0 enc_npuid=0
Run these commands to disable hardware acceleration for individual IPsec VPN tunnels:
config vpn ipsec phase1-interface
edit phase-1-name
set npu-offload disable
end
Before disabling the hardware acceleration, refer to this article to understand its impact:
The issue will be resolved in v7.4.9 and v7.6.4.
|
