FortiGate
chanm
Staff
Article Id 419360
Description

This article describes a known issue and its workaround: after upgrading FortiGate 4xF/6xF series units to FortiOS v7.6.4, IPsec traffic fails even though the IPsec tunnel is up.

Scope
FortiGate 4xF/6xF, FortiOS v7.6.4.
Solution

This issue affects both user traffic and the FortiGate’s local-out traffic (such as BGP traffic or SD-WAN Performance SLA probes) sent out via the IPsec tunnel. Packet captures will show outbound traffic egressing the IPsec tunnel interface, but no inbound reply packets.


The issue is related to hardware-acceleration of IPsec traffic and may be temporarily resolved when the IPsec tunnel is rekeyed or manually flushed. As a workaround, disable hardware acceleration for the IPsec tunnel to prevent the issue from occurring (note that disabling IPsec npu-offload will flush the existing IPsec tunnel, resulting in a brief disruption):


config vpn ipsec phase1-interface
    edit <tunnel>
        set npu-offload disable
    next
end


This is a Known Issue (tracked by Issue ID 1206506) that is scheduled to be resolved in the upcoming FortiOS 7.4.10, 7.6.5 and 8.0.0 releases.

To confirm a match to the issue, gather the following diagnostic command set multiple times (10 seconds apart) while the issue is actively occurring (i.e., capture when traffic is being dropped by the IPsec tunnel and not when IPsec is behaving normally):


execute time
diagnose npu np6xlite dce 0
fnsysctl cat /proc/net/np6xlite_0/fos-perf
fnsysctl cat /proc/net/np6xlite_0/ipsec-perf
fnsysctl cat /proc/net/np6xlite_0/ipsec
diagnose vpn ipsec status
diagnose npu np6xlite sse-stats
diagnose cp soc4 vpn-stats 0
diagnose vpn tunnel list
fnsysctl cat /proc/net/np6xlite_0/ipsec-ob0
fnsysctl cat /proc/net/np6xlite_0/ipsec-ib0


Note: super_admin administrator access is required to run the above commands, particularly the fnsysctl commands.


Once gathered, open a Fortinet TAC ticket and submit a file (or files) containing the output of the diagnostic commands to the ticket for further analysis.