FortiGate
jhouvenaghel_FTNT
Article Id 345068
Description: This article describes a situation where the offload flag of an IPsec pass-through session (offload=9/9) indicates that the session is offloaded to NP7, yet the 'diagnose sniffer' CLI command still shows packets belonging to that session.
Scope: FortiGate with NP7, versions 7.2.6 to 7.2.8.
Solution:

In releases 7.0.8 and 7.2.0 up to 7.2.5, when an IPsec pass-through session is offloaded to NP7, the session entry looks like the following example:
session info: proto=17 proto_state=01 duration=126 expire=179 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=20512/126/1 reply=20256/126/1 tuples=2
tx speed(Bps/kbps): 162/1 rx speed(Bps/kbps): 160/1
orgin->sink: org pre->post, reply pre->post dev=65->62/62->65 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.8.78.140:64916->163.62.95.1:4500(0.0.0.0:0)
hook=post dir=reply act=noop 163.62.95.1:4500->10.8.78.140:64916(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=18207 auth_info=0 chk_client_info=0 vd=1
serial=00120cdc tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=183/184, ipid=184/183, vlan=0x036e/0x037b
vlifid=184/183, vtag_in=0x036e/0x037b in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=11/8
A capture done with 'diagnose sniffer packet any 'port 500 or port 4500'' does not show anything, because packets handled by the NP7 bypass the kernel and are therefore not visible to the sniffer.
In releases 7.2.6, 7.2.7, and 7.2.8, the session entry shows the same flags (offload=9/9, ofld-O ofld-R), so the session also looks offloaded:
session info: proto=17 proto_state=01 duration=13 expire=179 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=2240/14/1 reply=1760/11/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=65->62/62->65 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.8.78.140:64916->163.62.95.1:4500(0.0.0.0:0)
hook=post dir=reply act=noop 163.62.95.1:4500->10.8.78.140:64916(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=19225 auth_info=0 chk_client_info=0 vd=1
serial=0004f63a tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=184/185, ipid=185/184, vlan=0x036e/0x037b
vlifid=185/184, vtag_in=0x036e/0x037b in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=2/10

With these releases, however, 'diagnose sniffer packet any 'port 500 or port 4500'' continuously shows the IPsec pass-through packets sent in the original direction, but not the ones in the reply direction:
diagnose sniffer packet any 'port 500 or port 4500' 4 0 a
interfaces=[any]
filters=[port 500 or port 4500]
2024-09-24 16:02:56.899848 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:56.899855 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:56.899856 F5_ADS_FE out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:56.899857 port40 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:57.901471 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:57.901476 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:57.901477 F5_ADS_FE out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:57.901479 port40 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:58.903117 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:58.903122 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:58.903123 F5_ADS_FE out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:58.903124 port40 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:59.904266 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:59.904271 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:59.904273 F5_ADS_FE out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:59.904274 port40 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:00.905507 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:00.905513 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:00.905514 F5_ADS_FE out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:00.905515 port40 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:01.906972 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:01.906977 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:01.906978 F5_ADS_FE out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:01.906979 port40 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:02.908033 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:02.908039 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:02.908040 F5_ADS_FE out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:02.908041 port40 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:03.909547 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:03.909552 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:03.909553 F5_ADS_FE out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:03.909554 port40 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:04.910786 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:04.910791 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:04.910792 F5_ADS_FE out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:04.910793 port40 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:05.911912 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:05.911917 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:05.911918 F5_ADS_FE out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:03:05.911920 port40 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
.....

This behavior no longer appears in v7.2.9, v7.2.10, or v7.4.5.
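The following Python script is an added example, not Fortinet code and not part of the original article. It automates the check the article performs by hand: it parses the session entry printed by 'diagnose sys session list' (the org/reply hook tuples, the offload=x/y values and the ofld-O/ofld-R tokens of npu_state) and a saved 'diagnose sniffer packet' capture, counts how many captured lines belong to each direction of the session, and reports whether the result is the expected one for an offloaded session (nothing visible), the symptom described above (only original-direction packets visible), or something else. The sample texts are constructed from the values shown in the article; treating the presence of both ofld-O and ofld-R as "fully offloaded" is an assumption of this check, not a documented FortiOS rule.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a trimmed 'diagnose sys session list' entry for the
# IPsec pass-through session discussed in the article (values copied from it).
SESSION_TEXT = """\
session info: proto=17 proto_state=01 duration=13 expire=179 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
state=log may_dirty npu f00
hook=pre dir=org act=noop 10.8.78.140:64916->163.62.95.1:4500(0.0.0.0:0)
hook=post dir=reply act=noop 163.62.95.1:4500->10.8.78.140:64916(0.0.0.0:0)
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=184/185, ipid=185/184, vlan=0x036e/0x037b
"""

# Constructed sample: a few lines in the format of 'diagnose sniffer packet any ... 4 0 a'.
SNIFFER_TEXT = """\
2024-09-24 16:02:56.899848 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:56.899855 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:57.901471 V3678_INTER_IBC in 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
2024-09-24 16:02:57.901476 2185 out 10.8.78.140.64916 -> 163.62.95.1.4500: udp 132
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# 'hook=pre dir=org act=noop 10.8.78.140:64916->163.62.95.1:4500(0.0.0.0:0)'
HOOK_RE = re.compile(r"dir=(org|reply) act=\S+ " + IPV4 + r":(\d+)->" + IPV4 + r":(\d+)\(")
# 'offload=9/9' but not the 'ips_offload=0/0' field on the same line
OFFLOAD_RE = re.compile(r"(?<![\w])offload=(\d+)/(\d+)")
# '<date> <time> <iface> in|out <src>.<sport> -> <dst>.<dport>: <proto> <len>'
SNIFF_RE = re.compile(
    r"^(\S+ \S+) (\S+) (in|out) " + IPV4 + r"\.(\d+) -> " + IPV4 + r"\.(\d+): (\w+) (\d+)$"
)


@dataclass
class Session:
    org: tuple          # (src, sport, dst, dport) of the original direction
    reply: tuple        # (src, sport, dst, dport) of the reply direction
    offload: tuple      # (org, reply) values of 'offload=x/y'
    ofld_org: bool      # 'ofld-O' present on the npu_state line
    ofld_reply: bool    # 'ofld-R' present on the npu_state line


def parse_session(text):
    """Extract the fields this check needs from one session entry."""
    org = reply = None
    offload = (0, 0)
    ofld_org = ofld_reply = False
    for line in text.splitlines():
        m = HOOK_RE.search(line)
        if m:
            t = (m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))
            if m.group(1) == "org":
                org = t
            else:
                reply = t
        m = OFFLOAD_RE.search(line)
        if m:
            offload = (int(m.group(1)), int(m.group(2)))
        if line.startswith("npu_state="):
            tokens = line.split()
            ofld_org, ofld_reply = "ofld-O" in tokens, "ofld-R" in tokens
    if org is None or reply is None:
        raise ValueError("session entry lacks org/reply hook lines")
    return Session(org, reply, offload, ofld_org, ofld_reply)


def parse_sniffer(text):
    """Return the (src, sport, dst, dport) tuple of every sniffer line."""
    packets = []
    for line in text.splitlines():
        m = SNIFF_RE.match(line)
        if m:
            packets.append((m.group(4), int(m.group(5)), m.group(6), int(m.group(7))))
    return packets


def assess(session, packets):
    """Compare what the sniffer saw with what the offload flags promise."""
    counts = Counter()
    for p in packets:
        if p == session.org:
            counts["org"] += 1
        elif p == session.reply:
            counts["reply"] += 1
        else:
            counts["other"] += 1
    # Assumption of this check: both ofld-O and ofld-R set means fully offloaded.
    fully_offloaded = session.ofld_org and session.ofld_reply
    if not fully_offloaded:
        verdict = "not-offloaded"          # sniffer visibility is normal here
    elif counts["org"] == 0 and counts["reply"] == 0:
        verdict = "expected"               # offloaded and invisible to the kernel sniffer
    elif counts["org"] > 0 and counts["reply"] == 0:
        verdict = "org-only-visible"       # the 7.2.6 to 7.2.8 symptom described above
    else:
        verdict = "both-visible"           # offload flags set but traffic clearly not offloaded
    return {"verdict": verdict, "offload": session.offload,
            "org": counts["org"], "reply": counts["reply"], "other": counts["other"]}


if __name__ == "__main__":
    print(assess(parse_session(SESSION_TEXT), parse_sniffer(SNIFFER_TEXT)))
```

To use it on a real device, paste the session entry into SESSION_TEXT and a saved sniffer capture into SNIFFER_TEXT; each sniffer line is counted separately, so a packet traversing several interfaces contributes one count per interface line, as in the article's output.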