FortiGate
jstan
Staff
Article Id 240634
Description

This article explains the meaning of the 'offloading-check failed' error with reason_code=1, 2 or 3 as it appears in debug flow output.

Scope

Any version of FortiOS.
Solution

Sometimes, the debug flow displays the following errors:

 

id=20085 trace_id=4 func=nipsec_set_ipsec_sa_enc line=1002 msg="IPSec encrypt SA (p1/p2/spi={phase1/phase2/0xbc3596b6}) offloading-check failed, reason_code=3.

 

This error (reason_code=3) occurs because the NPU does not support the encryption algorithm used in the phase 2 configuration. To fix this issue, choose a new encryption algorithm for phase 2, one that the NPU supports.

 

id=65308 trace_id=2 func=nipsec_set_ipsec_sa_enc line=936 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={IPSEC/IPSEC/0x58039dc8}), npudev=-1, skb-dev=port4"
id=65308 trace_id=2 func=nipsec_set_ipsec_sa_enc line=985 msg="IPSec encrypt SA (p1/p2/spi={IPSEC/IPSEC/0x58039dc8}) offloading-check failed, reason_code=2."

The kernel will check if hardware encryption is available for IPsec. If not, it will use software to perform the encryption. When offloading is not available, reason_code=2 will appear in the debug flow: this is not an issue.

 

[FPC01] id=20085 trace_id=18 func=nipsec_set_ipsec_sa_enc line=958 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={NETSKOP/NETSKOP/0xb43598b6}), npudev=1, skb-dev=port10"
[FPC01] id=20085 trace_id=18 func=nipsec_set_ipsec_sa_enc line=1002 msg="IPSec encrypt SA (p1/p2/spi={NETSKOP/NETSKOP/0xb43598b6}) offloading-check failed, reason_code=1."

 

The 'reason_code=1' indicates that IPsec NPU offload is disabled. It appears in the debug flow whenever IPsec NPU offloading has been disabled.
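
The reason codes above, applied to captured debug flow output, as an added example that is not Fortinet's code: a Python script that pairs each 'Trying to offload' line with its 'offloading-check failed' line by phase1/phase2/SPI and reports what the code means. The function and field names are assumptions, and the code-to-meaning table contains only what this article states.

```python
import re

# Meaning and follow-up per reason code, as given in the article above.
REASONS = {
    1: ("IPsec NPU offload is disabled", "expected while offload is disabled"),
    2: ("hardware offload unavailable, software encryption used", "none, not an issue"),
    3: ("NPU does not support the phase 2 encryption algorithm",
        "choose a new phase 2 encryption algorithm"),
}
SA = re.compile(r"SA \(p1/p2/spi=\{([^/}]+)/([^/}]+)/(0x[0-9a-fA-F]+)\}\)")
ATTEMPT = re.compile(r'npudev=(-?\d+), skb-dev=([^"\s]+)')
FAILED = re.compile(r"offloading-check failed, reason_code=(\d+)")

def summarize(debug_flow):
    """Return one record per SA whose offloading check failed, in log order."""
    attempts, results = {}, {}
    for line in debug_flow.splitlines():
        sa = SA.search(line)
        if not sa:
            continue
        key = sa.groups()  # (phase1, phase2, spi) ties the two messages together
        attempt, failed = ATTEMPT.search(line), FAILED.search(line)
        if attempt:  # "Trying to offload" line: remember NPU device and interface
            attempts[key] = (int(attempt.group(1)), attempt.group(2))
        elif failed:
            code = int(failed.group(1))
            meaning, action = REASONS.get(code, ("not covered by the article", "unknown"))
            npudev, skb_dev = attempts.get(key, (None, None))
            results[key] = dict(phase1=key[0], phase2=key[1], spi=key[2],
                                reason_code=code, meaning=meaning, action=action,
                                npudev=npudev, skb_dev=skb_dev)
    return list(results.values())

# Sample input: the debug flow lines quoted in the article.
SAMPLE = r'''
id=20085 trace_id=4 func=nipsec_set_ipsec_sa_enc line=1002 msg="IPSec encrypt SA (p1/p2/spi={phase1/phase2/0xbc3596b6}) offloading-check failed, reason_code=3.
id=65308 trace_id=2 func=nipsec_set_ipsec_sa_enc line=936 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={IPSEC/IPSEC/0x58039dc8}), npudev=-1, skb-dev=port4"
id=65308 trace_id=2 func=nipsec_set_ipsec_sa_enc line=985 msg="IPSec encrypt SA (p1/p2/spi={IPSEC/IPSEC/0x58039dc8}) offloading-check failed, reason_code=2."
[FPC01] id=20085 trace_id=18 func=nipsec_set_ipsec_sa_enc line=958 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={NETSKOP/NETSKOP/0xb43598b6}), npudev=1, skb-dev=port10"
[FPC01] id=20085 trace_id=18 func=nipsec_set_ipsec_sa_enc line=1002 msg="IPSec encrypt SA (p1/p2/spi={NETSKOP/NETSKOP/0xb43598b6}) offloading-check failed, reason_code=1."
'''

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(f"{r['phase1']}/{r['phase2']} spi={r['spi']} reason_code={r['reason_code']}: "
              f"{r['meaning']} -> {r['action']} (npudev={r['npudev']}, skb-dev={r['skb_dev']})")
```

Only reason_code=3 calls for a configuration change; codes 1 and 2 describe the current offload state.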

 

Refer to the FortiGate cookbook for a list of which encryption algorithms support NPU offloading: