Description | This article describes how to resolve an issue where multicast traffic fails to traverse the IPsec tunnel after an upgrade. This is a result of the NP6 chip dropping multicast packets. |
Scope | FortiGate devices running firmware version 7.4.2. |
Solution |
After an upgrade, the status of the IPsec VPN tunnel appears normal, but the multicast traffic fails to reach the remote FortiGate.
Sniffer Output:
diagnose sniffer packet any "host 10.250.63.X and host 224.0.0.5" 4 0 l
NP drops can be verified using the following commands when multiple iterations of the output are captured:
diagnose npu np6xlite anomaly-drop 0
This issue has been resolved in FortiOS version 7.4.4.
Workaround:
config vpn ipsec phase1-interface
    edit <name>
        set npu-offload disable
end
NOTE: Disabling NPU offload may cause the IPsec tunnel to flap and the traffic to be processed by the CPU. |
Copyright 2024 Fortinet, Inc. All Rights Reserved.