|
Sometimes, the debug flow displays the following errors:
id=20085 trace_id=4 func=nipsec_set_ipsec_sa_enc line=1002 msg="IPSec encrypt SA (p1/p2/spi={phase1/phase2/0xbc3596b6}) offloading-check failed, reason_code=3.
This error occurs because the NPU does not support the type of encryption algorithm used in the phase 2 configuration. To fix this issue, choose a new encryption algorithm.
id=65308 trace_id=2 func=nipsec_set_ipsec_sa_enc line=936 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={IPSEC/IPSEC/0x58039dc8}), npudev=-1, skb-dev=port4"
id=65308 trace_id=2 func=nipsec_set_ipsec_sa_enc line=985 msg="IPSec encrypt SA (p1/p2/spi={IPSEC/IPSEC/0x58039dc8}) offloading-check failed, reason_code=2."
The kernel will check if hardware encryption is available for IPsec. If not, it will use software to perform the encryption. When offloading is not available, reason_code=2 will appear in the debug flow: this is not an issue.
[FPC01] id=20085 trace_id=18 func=nipsec_set_ipsec_sa_enc line=958 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={NETSKOP/NETSKOP/0xb43598b6}), npudev=1, skb-dev=port10"
[FPC01] id=20085 trace_id=18 func=nipsec_set_ipsec_sa_enc line=1002 msg="IPSec encrypt SA (p1/p2/spi={NETSKOP/NETSKOP/0xb43598b6}) offloading-check failed, reason_code=1."
The 'reason_code=1' indicates that IPsec NPU offload is disabled. When you disable IPsec NPU offloading, reason_code=1 will appear in the debug flow.
Refer to the FortiGate cookbook for a list of which encryption algorithms support NPU offloading:
|
