FortiGate
Oscar_Wee
Staff
Article Id 387109
Description

This article describes how to reduce high CPU usage on a FortiGate-VM when the traffic of many IPsec tunnels is being processed by a single vCPU while the other vCPUs sit almost idle.

Scope

FortiGate-VM.
Solution

FortiOS maps interfaces to CPU cores, so each IPsec tunnel is handled by one specific core. When most of the traffic flows through a few tunnels, the cores that own those tunnels become busy while the others stay idle, which shows up as one vCPU at or near 100% and the rest doing very little. To reduce the load on that single vCPU, spread the IPsec work across several vCPUs (where the model and license provide them):

  1. Check on the GUI dashboard that the license provides two or more vCPUs.

(screenshot: vcpu dashboard.jpg)

The same information is available from the firewall CLI; the command and its output are shown in the screenshot below:

(screenshot: vcpu license.jpg)

 

  2. Enter the following in the CLI to spread decryption tasks across the available vCPUs (the setting lives under system global):

config system global
    set ipsec-soft-dec-async enable
end

 

Since FortiOS 7.0.8, in addition to spreading decryption tasks, the encrypted and decrypted packets themselves can be redistributed across multiple CPU cores.

 

To distribute encrypted packets (global setting):

config system global
    set ipsec-round-robin {enable | disable}
end

 

To distribute decrypted packets (set per phase1-interface, so enable it on each busy tunnel):

config vpn ipsec phase1-interface
    edit <name>
        set packet-redistribution {enable | disable}
    next
end

 

  3. Verify that the load is now distributed across the vCPUs:

 

diagnose vpn ipsec cpu

 

Example output:

CPU   enc   dec-in   dec   dec-out
0      98       98    91        91    <- first vCPU
1       0        0     7         7    <- second vCPU

Each row is one vCPU and the columns are the encryption (enc) and decryption (dec-in, dec, dec-out) work it is handling. In this output almost everything lands on vCPU 0 while vCPU 1 is nearly idle, which is exactly the imbalance this article addresses; with the settings above in place, the values should be spread much more evenly between the rows.
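As an added example (not from this article or from Fortinet), the following Python script parses the `diagnose vpn ipsec cpu` table and reports whether one vCPU is carrying a disproportionate share of the IPsec work, so the check in the last step can be scripted, for instance against output collected over SSH. The header and column names are taken from the example output above; anything else about the command's formatting, and the 25% imbalance threshold, are assumptions. Both sample tables in the script are constructed: the first copies the page's example, the second shows what an evenly spread system might look like.

```python
"""Added example (not Fortinet code): parse the `diagnose vpn ipsec cpu` table and
flag vCPUs that carry a disproportionate share of the IPsec work. The column
layout is taken from the article's example output; anything else is assumed."""
from dataclasses import dataclass

# Constructed sample, copied from the article's example output (vCPU 0 busy, vCPU 1 idle).
UNBALANCED_OUTPUT = """\
CPU enc dec-in dec dec-out
0 98 98 91 91
1 0 0 7 7
"""

# Constructed sample of what an evenly spread system might look like (assumed values).
BALANCED_OUTPUT = """\
CPU enc dec-in dec dec-out
0 50 50 48 48
1 48 48 50 50
"""


@dataclass
class CoreLoad:
    cpu: int
    enc: int
    dec_in: int
    dec: int
    dec_out: int

    @property
    def total(self) -> int:
        """Sum of the four work columns for this core."""
        return self.enc + self.dec_in + self.dec + self.dec_out


def parse_ipsec_cpu(text: str) -> list[CoreLoad]:
    """Parse the table: a 'CPU ...' header line followed by one numeric row per core.
    Columns are matched by header name so their order does not matter; trailing
    annotations after the numeric columns (such as 'First vCPU') are ignored."""
    header = None
    rows: list[CoreLoad] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "CPU":
            header = parts[1:]
            continue
        if header is None or not parts[0].isdigit():
            continue  # banner text before the header, or a non-data line
        nums = []
        for token in parts[1:1 + len(header)]:
            if not token.isdigit():
                break  # stop at the first non-numeric token (an annotation)
            nums.append(int(token))
        values = dict(zip(header, nums))
        rows.append(CoreLoad(
            cpu=int(parts[0]),
            enc=values.get("enc", 0),
            dec_in=values.get("dec-in", 0),
            dec=values.get("dec", 0),
            dec_out=values.get("dec-out", 0),
        ))
    return rows


def load_share(rows: list[CoreLoad]) -> dict[int, float]:
    """Fraction of all IPsec work (sum over the four columns) handled by each core."""
    grand = sum(r.total for r in rows)
    if grand == 0:
        return {r.cpu: 0.0 for r in rows}
    return {r.cpu: r.total / grand for r in rows}


def overloaded_cores(rows: list[CoreLoad], tolerance: float = 0.25) -> list[int]:
    """Cores whose share exceeds an even split (1/n) by more than `tolerance`.
    With two vCPUs and the assumed default tolerance, a core is flagged above 75%."""
    if not rows:
        return []
    even = 1.0 / len(rows)
    return sorted(cpu for cpu, share in load_share(rows).items() if share > even + tolerance)


def idle_cores(rows: list[CoreLoad], tolerance: float = 0.25) -> list[int]:
    """Cores whose share is below the even split by more than `tolerance`, i.e. the
    cores the redistribution settings should be pulling work onto."""
    if not rows:
        return []
    even = 1.0 / len(rows)
    return sorted(cpu for cpu, share in load_share(rows).items() if share < even - tolerance)


def report(text: str) -> str:
    """Human-readable summary with a verdict line at the end."""
    rows = parse_ipsec_cpu(text)
    shares = load_share(rows)
    lines = [f"vCPU {r.cpu}: total={r.total:4d} share={shares[r.cpu]:.1%}" for r in rows]
    hot, idle = overloaded_cores(rows), idle_cores(rows)
    if hot:
        lines.append(f"IMBALANCED: vCPU(s) {hot} overloaded, {idle} nearly idle; "
                     "check ipsec-soft-dec-async / ipsec-round-robin / packet-redistribution")
    else:
        lines.append("OK: IPsec load is spread across vCPUs")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(UNBALANCED_OUTPUT))
    print()
    print(report(BALANCED_OUTPUT))
```

Run it as-is to see both constructed samples reported; to use it against a real firewall, replace the sample strings with the captured output of `diagnose vpn ipsec cpu` (or read it from a file or an SSH session) and alert on an `IMBALANCED` verdict.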