During packet capture there are cases where not all of the expected packets are captured. This happens because NP offload (the hardware acceleration module) is enabled: sessions handled by the NP bypass the CPU, so the built-in sniffer never sees those packets.
To make sure that every packet received and processed by the FortiGate is captured, NP offload has to be disabled.
Disabling the feature on the firewall policy is recommended, because it is then enforced on the interesting traffic only:
config firewall policy
edit <policy ID>
set np-acceleration disable
set auto-asic-offload disable
end
For traffic passing through an IPsec tunnel, however, there are times when a capture of the ESP packets themselves is needed.
There is also an NP offload option in the IPsec tunnel's phase1 settings.
With it enabled, the packet capture shows the ESP traffic in one direction only:
dia vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=S2S ver=1 serial=1 10.121.0.122:0->10.121.2.141:0 nexthop=10.121.2.141 tun_id=10.121.2.141 tun_id6=::10.121.2.141 status=up dst_mtu=1500 weight=1
bound_if=15 real_if=15 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=/0
stat: rxp=100 txp=120 rxb=16518 txb=11214
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=S2S proto=0 sa=1 ref=3 serial=1
  src: 0:10.122.0.0-10.122.15.255:0
  dst: 0:10.171.0.0-10.171.15.255:0
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42778/0B replaywin=2048
       seqno=77 esn=0 replaywin_lastseq=00000063 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42903/43200
  dec: spi=caecf3f8 esp=aes key=16 c3b5d20be85c00c03f7d10aa5c28e3bd
       ah=sha1 key=20 6496540ad89006aeeddedd99d383c3cbb51000d3
  enc: spi=b418f662 esp=aes key=16 a10b178af88a0f6a0cac31f7aa18a8af
       ah=sha1 key=20 97a23af8cead538b549dbff2f227ba6e65dcca3f
  dec:pkts/bytes=1/84, enc:pkts/bytes=117/17784
  npu_flag=03 npu_rgwy=10.121.2.141 npu_lgwy=10.121.0.122 npu_selid=0 dec_npuid=1 enc_npuid=1 npu_isaidx=1 npu_osaidx=1

dia sniff pack port5 "esp" 4
interfaces=[port5]
filters=[esp]
0.068708 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f662,seq=0x69)
1.068886 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f662,seq=0x6a)
2.069141 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f662,seq=0x6b)
3.069416 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f662,seq=0x6c)
4.069505 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f662,seq=0x6d)
When NP offload is disabled on the tunnel, the packet capture shows the ESP packets in both directions. The SPI values differ from the previous example because the tunnel was restarted.
config vpn ipsec phase1-interface
edit <tunnel name>
set npu-offload disable
end
dia vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=S2S ver=1 serial=1 10.121.0.122:0->10.121.2.141:0 nexthop=10.121.2.141 tun_id=10.121.2.141 tun_id6=::10.121.2.141 status=up dst_mtu=1500 weight=1
bound_if=15 real_if=15 lgwy=static/1 tun=intf mode=auto/1 encap=none/544 options[0220]=frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=/0
stat: rxp=5 txp=5 rxb=420 txb=420
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=S2S proto=0 sa=1 ref=3 serial=1
  src: 0:10.122.0.0-10.122.15.255:0
  dst: 0:10.171.0.0-10.171.15.255:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42852/0B replaywin=2048
       seqno=6 esn=0 replaywin_lastseq=00000006 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42903/43200
  dec: spi=e3c5a70a esp=aes key=16 d6fdfc00e6ee394149ed26c36954d43d
       ah=sha1 key=20 309dbb0205f516738ae3b1ba1e4b257237702f63
  enc: spi=b418f663 esp=aes key=16 83c6e967daec4cbb85b9dc20f6427fe5
       ah=sha1 key=20 a052c0aa97ad520d2f4e82fa4fb1bb971984f54c
  dec:pkts/bytes=5/420, enc:pkts/bytes=5/760
  npu_flag=00 npu_rgwy=10.121.2.141 npu_lgwy=10.121.0.122 npu_selid=0 dec_npuid=0 enc_npuid=0 npu_isaidx=-1 npu_osaidx=-1

dia sniff pack port5 "esp" 4
interfaces=[port5]
filters=[esp]
0.253908 port5 -- 10.121.2.141 -> 10.121.0.122: ESP(spi=0xe3c5a70a,seq=0xf)
0.254021 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f663,seq=0xf)
1.254105 port5 -- 10.121.2.141 -> 10.121.0.122: ESP(spi=0xe3c5a70a,seq=0x10)
1.254216 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f663,seq=0x10)
2.254278 port5 -- 10.121.2.141 -> 10.121.0.122: ESP(spi=0xe3c5a70a,seq=0x11)
2.254372 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f663,seq=0x11)
3.254473 port5 -- 10.121.2.141 -> 10.121.0.122: ESP(spi=0xe3c5a70a,seq=0x12)
3.254568 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f663,seq=0x12)
The npu_flag field in the tunnel list shows what is offloaded:
npu_flag=00 <-- ingress and egress ESP packets are not offloaded.
npu_flag=01 <-- only egress ESP packets can be offloaded; ingress ESP packets are handled by the kernel.
npu_flag=02 <-- only ingress ESP packets can be offloaded; egress ESP packets are handled by the kernel.
npu_flag=03 <-- both ingress and egress ESP packets are offloaded.
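The correlation described above (compare the SPIs seen by the sniffer with the enc/dec SPIs and npu_flag from the tunnel list, and treat a one-way ESP capture on an offloaded tunnel as an offload artefact rather than a VPN fault) can be automated when there are many tunnels. The following is an added example, not part of the Fortinet article and not FortiOS code. It parses shortened copies of the article's own command output (key material omitted) and the function and variable names are this example's own.

```python
import re
from dataclasses import dataclass

# Meaning of npu_flag in "diag vpn tunnel list", as listed in the article.
NPU_FLAG_MEANING = {
    0x00: "ingress and egress ESP not offloaded (kernel handles both)",
    0x01: "egress ESP offloaded, ingress handled by the kernel",
    0x02: "ingress ESP offloaded, egress handled by the kernel",
    0x03: "ingress and egress ESP both offloaded",
}

# Sample inputs: shortened copies of the article's "diag vpn tunnel list"
# and "diag sniffer packet" output, first with NP offload enabled on the
# tunnel, then with it disabled.
TUNNEL_LIST_OFFLOADED = """\
list all ipsec tunnel in vd 0
name=S2S ver=1 serial=1 10.121.0.122:0->10.121.2.141:0 status=up
  dec: spi=caecf3f8 esp=aes ah=sha1
  enc: spi=b418f662 esp=aes ah=sha1
  dec:pkts/bytes=1/84, enc:pkts/bytes=117/17784
  npu_flag=03 npu_rgwy=10.121.2.141 npu_lgwy=10.121.0.122 dec_npuid=1 enc_npuid=1
"""
SNIFFER_OFFLOADED = """\
interfaces=[port5]
filters=[esp]
0.068708 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f662,seq=0x69)
1.068886 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f662,seq=0x6a)
"""
TUNNEL_LIST_KERNEL = """\
list all ipsec tunnel in vd 0
name=S2S ver=1 serial=1 10.121.0.122:0->10.121.2.141:0 status=up
  dec: spi=e3c5a70a esp=aes ah=sha1
  enc: spi=b418f663 esp=aes ah=sha1
  dec:pkts/bytes=5/420, enc:pkts/bytes=5/760
  npu_flag=00 npu_rgwy=10.121.2.141 npu_lgwy=10.121.0.122 dec_npuid=0 enc_npuid=0
"""
SNIFFER_KERNEL = """\
interfaces=[port5]
filters=[esp]
0.253908 port5 -- 10.121.2.141 -> 10.121.0.122: ESP(spi=0xe3c5a70a,seq=0xf)
0.254021 port5 -- 10.121.0.122 -> 10.121.2.141: ESP(spi=0xb418f663,seq=0xf)
"""


@dataclass
class Tunnel:
    name: str
    npu_flag: int
    dec_spi: int  # SPI of the inbound SA (packets this unit decrypts)
    enc_spi: int  # SPI of the outbound SA (packets this unit encrypts)


def parse_tunnel_list(text):
    """Split 'diag vpn tunnel list' output into one Tunnel per name= block."""
    tunnels = []
    for block in re.split(r"(?m)^(?=name=)", text):
        if not block.startswith("name="):
            continue  # header lines such as "list all ipsec tunnel in vd 0"
        name = re.search(r"name=(\S+)", block)
        flag = re.search(r"npu_flag=([0-9a-fA-F]{2})", block)
        dec = re.search(r"dec: spi=([0-9a-fA-F]+)", block)  # not "dec:pkts"
        enc = re.search(r"enc: spi=([0-9a-fA-F]+)", block)
        if not (name and flag and dec and enc):
            continue  # tunnel without a live SA: nothing to correlate
        tunnels.append(Tunnel(name.group(1), int(flag.group(1), 16),
                              int(dec.group(1), 16), int(enc.group(1), 16)))
    return tunnels


SNIFF_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)")


def parse_sniffer(text):
    """Return (src, dst, spi, seq) for every ESP line in sniffer output."""
    return [(m["src"], m["dst"], int(m["spi"], 16), int(m["seq"], 16))
            for m in SNIFF_RE.finditer(text)]


def assess(tunnel, packets):
    """Report which directions of the tunnel appear in the capture."""
    seen = set()
    for _src, _dst, spi, _seq in packets:
        if spi == tunnel.enc_spi:
            seen.add("outbound")
        elif spi == tunnel.dec_spi:
            seen.add("inbound")
    one_way = len(seen) == 1
    return {
        "tunnel": tunnel.name,
        "npu_flag": tunnel.npu_flag,
        "meaning": NPU_FLAG_MEANING.get(tunnel.npu_flag, "unknown"),
        "directions_seen": seen,
        "one_way": one_way,
        # A one-way capture on a tunnel with npu_flag != 0 is expected: disable
        # npu-offload in the phase1-interface and capture again before
        # treating the missing direction as a VPN problem.
        "offload_explains_gap": one_way and tunnel.npu_flag != 0,
    }


if __name__ == "__main__":
    for tl, sn in ((TUNNEL_LIST_OFFLOADED, SNIFFER_OFFLOADED),
                   (TUNNEL_LIST_KERNEL, SNIFFER_KERNEL)):
        for t in parse_tunnel_list(tl):
            print(assess(t, parse_sniffer(sn)))
```

With the article's first capture the report shows npu_flag=03 and only the outbound SPI (0xb418f662), so the missing inbound direction is attributed to offload; with the second capture (npu_flag=00) both SPIs are present and nothing is flagged.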
When several IPsec tunnels terminate on the same interface, the packet capture needs to specify the related SPI values so that only the tunnel of interest is captured. The SPI is the first 4 bytes of the ESP header: without NAT-T it directly follows the 20-byte IP header (ip[20:4]), and with NAT-T it follows the 8-byte UDP header (udp[8:4]).
Tunnel without NAT-T (port 500):
diag sniff packet <interface name> "host <remote gw> and esp and (ip[20:4]==0x<SPI1> or ip[20:4]==0x<SPI2>)" 6 0 l
Tunnel with NAT-T (port 4500):
diag sniff packet <interface name> "host <remote gw> and udp port 4500 and (udp[8:4]==0x<SPI1> or udp[8:4]==0x<SPI2>)" 6 0 l
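The two filters above differ only in where the SPI sits relative to the headers the BPF expression can index. The following added example (not from the article, and not FortiOS code; the helper names esp_spi_filter, esp_packet and spi_at_filter_offset are this example's own) builds the filter string for any number of SPIs and then reads the SPI back from hand-constructed ESP and ESP-over-UDP packets at exactly the offsets the filter uses, which is a quick way to convince yourself the offsets are right before typing a long filter on a production unit.

```python
import socket
import struct

ESP_PROTO = 50     # IP protocol number of ESP
UDP_PROTO = 17
NAT_T_PORT = 4500  # UDP port used for NAT-T encapsulated ESP


def esp_spi_filter(remote_gw, spis, nat_t=False):
    """Return the 'diag sniffer packet' filter for one or more SPIs.

    Without NAT-T the ESP header immediately follows the 20-byte IPv4 header,
    so the SPI is ip[20:4]. With NAT-T the ESP header follows the 8-byte UDP
    header, so the SPI is udp[8:4] (BPF indexes udp[] from the UDP header).
    """
    if nat_t:
        clause = " or ".join(f"udp[8:4]==0x{spi:08x}" for spi in spis)
        return f"host {remote_gw} and udp port {NAT_T_PORT} and ({clause})"
    clause = " or ".join(f"ip[20:4]==0x{spi:08x}" for spi in spis)
    return f"host {remote_gw} and esp and ({clause})"


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header without options (constructed test data;
    the checksum is left at zero because nothing here validates it)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )


def esp_packet(src, dst, spi, seq, nat_t=False):
    """Constructed ESP packet: SPI, sequence number, 16 opaque payload bytes."""
    esp = struct.pack("!II", spi, seq) + b"\x00" * 16
    if nat_t:
        udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
        return ipv4_header(src, dst, UDP_PROTO, len(udp)) + udp
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def spi_at_filter_offset(packet):
    """Read the SPI from the same offsets the BPF filter inspects."""
    ihl = (packet[0] & 0x0F) * 4   # IP header length in bytes
    proto = packet[9]              # IP protocol field
    if proto == ESP_PROTO:
        if ihl != 20:
            # ip[20:4] is an absolute offset; IP options would shift the SPI.
            raise ValueError("ip[20:4] assumes a 20-byte IP header")
        return struct.unpack("!I", packet[20:24])[0]
    if proto == UDP_PROTO:
        # udp[8:4]: 8 bytes past the start of the UDP header.
        return struct.unpack("!I", packet[ihl + 8:ihl + 12])[0]
    raise ValueError("neither ESP nor UDP")


if __name__ == "__main__":
    # SPIs and gateway taken from the article's second capture.
    print(esp_spi_filter("10.121.2.141", [0xb418f663, 0xe3c5a70a]))
    print(esp_spi_filter("10.121.2.141", [0xb418f663, 0xe3c5a70a], nat_t=True))
    for nat_t in (False, True):
        pkt = esp_packet("10.121.0.122", "10.121.2.141", 0xb418f663, 0x10, nat_t)
        print(nat_t, hex(spi_at_filter_offset(pkt)))
```

The ip[20:4] form relies on the IP header having no options, which is the normal case for ESP between gateways; the udp[8:4] form is relative to the UDP header and so does not depend on the IP header length.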