FortiGate
nalexiou, Staff
Article Id 363690
Description: This article explains how to mitigate packet loss when FEC (Forward Error Correction) is used on IPsec tunnels.
Scope: FortiOS.
Solution:

FEC does not support NPU offloading, but traffic that does not require FEC can be identified and offloaded.

This improves performance for the traffic that can be offloaded.

Therefore, it is suggested to enable offloading under phase1:

config vpn ipsec phase1-interface
    edit "tunnel"
        set npu-offload enable
        set fec-ingress enable
    next
end

However, this combination can cause packet loss due to anti-replay checks.

This behavior is expected when NPU offloading and FEC are both enabled. To avoid the packet loss, disable either offloading or anti-replay using one of the options below.

To disable offloading:

config vpn ipsec phase1-interface
    edit "tunnel"
        set npu-offload disable
        set fec-ingress enable
    next
end

To disable anti-replay:

config vpn ipsec phase2-interface
    edit <phase2-name>
        set replay disable
    next
end

An additional recommended measure is to create a dedicated firewall policy, with FEC enabled, for the traffic that is sensitive to packet loss, so that it is separated from other traffic that will not have FEC applied:

config firewall policy
    edit <id>
        .........
        set fec enable
    next
end
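A quick way to find tunnels that still carry this combination in a configuration backup, as an added example (not Fortinet code): the script below parses the `config vpn ipsec phase1-interface` and `phase2-interface` blocks of a FortiOS CLI dump and reports each phase2 whose phase1 has FEC and NPU offload both enabled while anti-replay is still on. It assumes the FortiOS defaults of npu-offload and replay being enabled when unset, and also checks fec-egress, the egress-side counterpart of fec-ingress that the article does not mention.

```python
import shlex
# Constructed sample of a FortiOS CLI dump (not from a real device): "tunnel"
# has FEC and NPU offload on and its phase2 leaves anti-replay at the default.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "tunnel"
        set npu-offload enable
        set fec-ingress enable
    next
end
config vpn ipsec phase2-interface
    edit "tunnel-p2"
        set phase1name "tunnel"
    next
end
"""

def parse_fortios(text):
    # Minimal parser: {table: {edit_name: {key: value}}} from config/edit/set/next/end.
    tables, path, entry = {}, [], []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path.append(" ".join(args)); entry.append(None)
        elif cmd == "edit":
            entry[-1] = args[0]
            tables.setdefault(path[-1], {}).setdefault(args[0], {})
        elif cmd == "set" and entry and entry[-1] is not None:
            tables[path[-1]][entry[-1]][args[0]] = " ".join(args[1:])
        elif cmd == "next":
            entry[-1] = None
        elif cmd == "end":
            path.pop(); entry.pop()
    return tables

def audit_fec(tables):
    # Return [(phase1, phase2)] where the phase1 has FEC and NPU offload both on
    # while the phase2 keeps anti-replay on (npu-offload and replay default to enable).
    p1s = tables.get("vpn ipsec phase1-interface", {})
    findings = []
    for p2name, p2 in tables.get("vpn ipsec phase2-interface", {}).items():
        p1 = p1s.get(p2.get("phase1name"), {})
        fec = "enable" in (p1.get("fec-ingress"), p1.get("fec-egress"))
        if (fec and p1.get("npu-offload", "enable") == "enable"
                and p2.get("replay", "enable") == "enable"):
            findings.append((p2["phase1name"], p2name))
    return findings
```

Run it against the output of `show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface` concatenated into one file; an empty result means every FEC tunnel already has offloading or anti-replay disabled.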