jstan
Staff
Article Id 240634
Description

This article describes the meaning of the error 'offloading-check failed, reason_code=1,2,3' as it appears in debug flow outputs.

Scope

Any version of FortiOS.
Solution

FortiGate's Network Processing Units (NPUs) are hardware accelerators designed to offload resource-intensive tasks from the CPU. For IPsec tunnel traffic on devices that support NPUs, packet encryption and decryption are normally offloaded from the CPU to the NPU, which allows FortiGate to achieve better VPN performance. To diagnose NPU-based interfaces, refer to Diagnosing NPU-based interfaces.

 

In some instances, the debug flow displays the following errors:

 

  1. First error:

 

offloading-check failed, reason_code=3

 

id=20085 trace_id=4 func=nipsec_set_ipsec_sa_enc line=1002 msg="IPSec encrypt SA (p1/p2/spi={phase1/phase2/0xbc3596b6}) offloading-check failed, reason_code=3."

 

This error occurs because the NPU does not support the encryption algorithm used in the phase 2 configuration. To fix this issue, choose a different encryption algorithm that the NPU supports. Refer to the FortiGate cookbook for a list of supported encryption algorithms.

Encryption algorithms v7.6.4

Encryption algorithms v7.4.9

 

  2. Second error:

 

offloading-check failed, reason_code=2

 

id=65308 trace_id=2 func=nipsec_set_ipsec_sa_enc line=936 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={IPSEC/IPSEC/0x58039dc8}), npudev=-1, skb-dev=port4"
id=65308 trace_id=2 func=nipsec_set_ipsec_sa_enc line=985 msg="IPSec encrypt SA (p1/p2/spi={IPSEC/IPSEC/0x58039dc8}) offloading-check failed, reason_code=2."


The kernel checks whether hardware encryption is available for IPsec. If it is not, the kernel performs the encryption in software. When offloading is not available, reason_code=2 appears in the debug flow. This is not an issue.
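The reason codes in this article can be triaged mechanically from a saved debug flow. The following is an added example (not Fortinet code) that pairs each 'offloading-check failed' line with its 'Trying to offload' line and labels it with this article's explanation; it covers all three codes, including reason_code=1 described further down. The function name, field names and dictionary layout are assumptions made for the example.

```python
import re

# Meanings as stated in this article for each reason_code.
REASONS = {
    1: "IPsec NPU offload is disabled",
    2: "hardware encryption not available, encryption done in software",
    3: "NPU does not support the phase 2 encryption algorithm",
}
SPI = r"\(p1/p2/spi=\{(?P<p1>[^/}]*)/(?P<p2>[^/}]*)/(?P<spi>0x[0-9a-fA-F]+)\}\)"
# 'Trying to offload' line: carries npudev and the interface (skb-dev).
TRY_RE = re.compile(r"trace_id=(?P<trace>\d+) .*Trying to offload IPsec \w+ SA " + SPI
                    + r", npudev=(?P<npudev>-?\d+), skb-dev=(?P<dev>\w+)")
# Failure line: carries the reason_code. A prefix such as [FPC01] may precede it.
FAIL_RE = re.compile(r"trace_id=(?P<trace>\d+) .*IPSec \w+ SA " + SPI
                     + r" offloading-check failed, reason_code=(?P<code>\d+)")

def triage(lines):
    """Return one dict per failed offloading check, joined to its 'Trying' line if present."""
    attempts, findings = {}, []
    for line in lines:
        t = TRY_RE.search(line)
        if t:
            attempts[(t["trace"], t["spi"])] = (int(t["npudev"]), t["dev"])
            continue
        m = FAIL_RE.search(line)
        if m:
            code = int(m["code"])
            npudev, dev = attempts.get((m["trace"], m["spi"]), (None, None))
            findings.append({
                "phase1": m["p1"], "phase2": m["p2"], "spi": m["spi"],
                "code": code, "npudev": npudev, "dev": dev,
                "meaning": REASONS.get(code, "not covered by this article"),
                # Only reason_code=2 is described by the article as not an issue.
                "no_issue_per_article": code == 2,
            })
    return findings

# Debug flow lines quoted in this article.
SAMPLE = [
    r'id=20085 trace_id=4 func=nipsec_set_ipsec_sa_enc line=1002 msg="IPSec encrypt SA (p1/p2/spi={phase1/phase2/0xbc3596b6}) offloading-check failed, reason_code=3.',
    r'id=65308 trace_id=2 func=nipsec_set_ipsec_sa_enc line=936 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={IPSEC/IPSEC/0x58039dc8}), npudev=-1, skb-dev=port4"',
    r'id=65308 trace_id=2 func=nipsec_set_ipsec_sa_enc line=985 msg="IPSec encrypt SA (p1/p2/spi={IPSEC/IPSEC/0x58039dc8}) offloading-check failed, reason_code=2."',
    r'[FPC01] id=20085 trace_id=18 func=nipsec_set_ipsec_sa_enc line=958 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={NETSKOP/NETSKOP/0xb43598b6}), npudev=1, skb-dev=port10"',
    r'[FPC01] id=20085 trace_id=18 func=nipsec_set_ipsec_sa_enc line=1002 msg="IPSec encrypt SA (p1/p2/spi={NETSKOP/NETSKOP/0xb43598b6}) offloading-check failed, reason_code=1."',
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['phase1']}/{f['phase2']} spi={f['spi']} reason_code={f['code']}: {f['meaning']}")
```
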

 

  3. Third error:

 

offloading-check failed, reason_code=1

 

[FPC01] id=20085 trace_id=18 func=nipsec_set_ipsec_sa_enc line=958 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={NETSKOP/NETSKOP/0xb43598b6}), npudev=1, skb-dev=port10"
[FPC01] id=20085 trace_id=18 func=nipsec_set_ipsec_sa_enc line=1002 msg="IPSec encrypt SA (p1/p2/spi={NETSKOP/NETSKOP/0xb43598b6}) offloading-check failed, reason_code=1."

 

'reason_code=1' indicates that IPsec NPU offload is disabled. Whenever IPsec NPU offloading is disabled, reason_code=1 appears in the debug flow. NPU offloading can be disabled in two ways: