FortiGate
mriha
Staff
Article Id 312315

Description

 

This article describes NP6 limitations that can cause packets to egress NP6 out of order under certain conditions.

 

Scope

 

FortiGate with NP6 processor.

 

Solution

 

When a session is offloaded to NP6, packets can leave out of order under the following conditions:

  • NP6 is under load.
  • Some packets within a session are fragmented.
  • IPsec traffic over NP6.
     

NP6 is under load.

When NP6 is under heavy load, packets can be sent out of order. To mitigate the issue, disable np-acceleration offloading (globally or per policy), or disable ASIC offloading per policy (which also disables NP acceleration).

 

Some packets within a session are fragmented.

NP6 does not re-assemble IP-fragmented packets. These packets will be delivered to the CPU for processing and out-of-order behavior can be observed. To mitigate the issue, disable offloading (which can be policy-based).

 

IPsec in NP6.

IPsec packets are processed differently in NP6, and smaller packets may be processed faster than larger ones, causing them to egress out of order. To mitigate the issue, disable fastpath or modify an IPsec subengine mask.

 

To resolve this behavior, the following actions can be taken:

  • Disable offloading on the policy.
  • Disable fastpath or modify a subengine mask for IPsec issues.
  • Delay the session offload to the NP:

config firewall policy
    edit <policy-id>
        set delay-tcp-npu-session enable
    next
end
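
To confirm the symptom, and to check whether one of the mitigations above removed it, reordering can be measured in a capture taken on the receiving side. The following is an added example, not Fortinet code: it assumes packets have already been extracted from a capture as (flow, TCP sequence number, payload length) tuples, runs on constructed sample data, and uses the heuristic that a sequence number seen before is a retransmission rather than reordering.

```python
"""Count per-flow TCP reordering in capture order (added example, constructed data)."""
from collections import defaultdict

MOD = 1 << 32  # TCP sequence numbers wrap at 2**32


def seq_before(a, b):
    """True if sequence number a is earlier than b, allowing for wraparound."""
    return a != b and ((b - a) % MOD) < (MOD >> 1)


def find_reordering(packets):
    """packets: iterable of (flow, seq, payload_len) in capture order.

    Returns {flow: [(seq, payload_len, overtaken_by_len), ...]}: each segment
    that arrived after a later segment of the same flow, together with the
    payload length of the segment that overtook it.
    """
    highest = {}             # flow -> (seq, len) of the furthest segment seen
    seen = defaultdict(set)  # flow -> sequence numbers already observed
    late = defaultdict(list)
    for flow, seq, length in packets:
        if length == 0 or seq in seen[flow]:
            continue         # pure ACK or retransmission: not reordering
        seen[flow].add(seq)
        top = highest.get(flow)
        if top is not None and seq_before(seq, top[0]):
            late[flow].append((seq, length, top[1]))
        else:
            highest[flow] = (seq, length)
    return dict(late)


# Constructed sample: flow labels "A" and "B" stand in for real 5-tuples.
SAMPLE = [
    ("A", 1000, 1400), ("B", 4294967000, 200),
    ("A", 2400, 1400),
    ("A", 5200, 100),         # small segment leaves first
    ("B", 4294967200, 200),
    ("A", 3800, 1400),        # larger, earlier segment arrives late
    ("A", 2400, 1400),        # retransmission, ignored
    ("B", 104, 100),          # in order across the sequence wrap
]

if __name__ == "__main__":
    for flow, events in find_reordering(SAMPLE).items():
        for seq, length, by_len in events:
            print(f"flow {flow}: seq {seq} ({length} B) overtaken by a {by_len} B segment")
```

A late segment that is larger than the one that overtook it matches the IPsec case described above; comparing the count before and after a configuration change shows whether the change helped.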

 

Related articles:

Technical Tip: FortiGate Disable Hardware Acceleration

Troubleshooting Tip: Is a session offloaded? (Hardware acceleration)