Article Id 208035
Description: This article describes why, in some cases where NPU offloading is enabled on IPsec tunnels, the NP6 IPsec engine may drop ESP packets because of a large amount of layer 2 padding, and offers a solution.



First, capture the traffic over the IPsec tunnel of the FortiGate.


Note that there is outbound traffic but no inbound traffic.


diag sniffer packet any 'host' 4 0 l

2021-11-03 19:20:31.343034 port7 out -> ESP(spi=0xac6e0cbe,seq=0x4e)
2021-11-03 19:20:31.454182 port7 out -> ESP(spi=0xac6e0cbe,seq=0x4f)
2021-11-03 19:20:32.794925 port7 out -> ESP(spi=0xac6e0cbe,seq=0x50)
2021-11-03 19:20:33.151516 port7 out -> ESP(spi=0xac6e0cbe,seq=0x51)
2021-11-03 19:20:33.151591 port7 out -> ESP(spi=0xac6e0cbe,seq=0x52)
2021-11-03 19:20:33.151669 port7 out -> ESP(spi=0xac6e0cbe,seq=0x53)
2021-11-03 19:20:33.151707 port7 out -> ESP(spi=0xac6e0cbe,seq=0x54)
2021-11-03 19:20:34.791762 port7 out -> ESP(spi=0xac6e0cbe,seq=0x55)
2021-11-03 19:20:35.114577 port7 out -> ESP(spi=0xac6e0cbe,seq=0x56)


Additionally, checking the NPU will show drops over the IPsec engine.


diagnose npu np6 dce 0
IHP0_PKTCHK :0000000000007388 [5a] IHP1_PKTCHK :0000000000301745 [5b]
XHP0_PKTCHK :0000000000003229 [5e] XHP1_PKTCHK :0000000000003405 [5f]
IPSEC0_ENGINB0 :0000000000547093 [80] IPSEC0_ENGINB1 :0000000000031693 [81]
IPSEC0_ENGINB2 :0000000000000655 [82] IPSEC0_ENGINB3 :0000000000000174 [83]
IPSEC0_ENGINB4 :0000000000000074 [84] IPSEC0_ENGINB5 :0000000000000057 [85]
IPSEC0_ENGINB6 :0000000000000022 [86] IPSEC0_ENGINB7 :0000000000000004 [87]
IPSEC1_IQUEUE :0000000000000001 [88] IPSEC1_ENGINB0 :0000000000418401 [89]
IPSEC1_ENGINB1 :0000000000017379 [8a] IPSEC1_ENGINB2 :0000000000000746 [8b]
IPSEC1_ENGINB3 :0000000000000429 [8c] IPSEC1_ENGINB4 :0000000000000117 [8d]
IPSEC1_ENGINB5 :0000000000000086 [8e] IPSEC1_ENGINB6 :0000000000000051 [8f]


diag npu np6 dce 1
IHP0_PKTCHK :0000000000020296 [5a] XHP0_PKTCHK :0000000000000005 [5e]
IPSEC0_ENGINB6 :0000000003712039 [86] IPSEC0_ENGINB7 :0000000006713629 [87]
PDQ_OSW_IPSEC1I :0000000014154116 [a7]
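The two diagnostics above (a capture that shows ESP leaving but never arriving, and nonzero IPsec engine counters in the dce table) can be checked mechanically when the same question comes up on many tunnels. The Python helper below is an added example, not code from this article or from Fortinet: it parses the sniffer lines into per-interface ESP counts, flattens the dce counter table, and reports when an interface sends ESP without receiving any while IPsec-related counters are nonzero, which is the combination the article uses to recognise this case. The sample text is the article's own output; the regular expressions assume the line formats shown above.

```python
"""Triage the two diagnostics from the article: a one-way ESP capture and
nonzero IPsec engine counters in 'diagnose npu np6 dce'.
Added example, not Fortinet's code; sample text is the article's own output."""
import re
from collections import defaultdict

# Sniffer line as printed in the article: "<date> <time> <port> <in|out> ... ESP(spi=...,seq=...)".
# Assumption: addresses may be absent (as in the redacted capture) or present as "src -> dst:".
SNIFFER_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<port>\S+)\s+(?P<dir>in|out)\b.*?"
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)"
)

# One "NAME :value [id]" cell of the dce table; several cells appear per line.
COUNTER_RE = re.compile(r"(?P<name>[A-Z][A-Z0-9_]*)\s*:(?P<val>\d+)\s*\[(?P<id>[0-9a-fA-F]+)\]")


def parse_sniffer(text):
    """Count ESP packets per interface and direction: {port: {"in": n, "out": n}}."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m:
            counts[m["port"]][m["dir"]] += 1
    return dict(counts)


def one_way_ports(counts):
    """Interfaces that send ESP but never receive it: the article's symptom."""
    return sorted(p for p, c in counts.items() if c["out"] and not c["in"])


def parse_dce(text):
    """Flatten a 'diagnose npu np6 dce N' dump into {counter_name: value}."""
    return {m["name"]: int(m["val"]) for m in COUNTER_RE.finditer(text)}


def ipsec_counters(counters):
    """Nonzero counters whose name refers to an IPsec engine or IPsec queue."""
    return {k: v for k, v in counters.items() if "IPSEC" in k and v}


def triage(sniffer_text, dce_dumps):
    """Combine both checks; dce_dumps maps the NP6 id to its dce dump text."""
    ports = one_way_ports(parse_sniffer(sniffer_text))
    drops = {np6: ipsec_counters(parse_dce(txt)) for np6, txt in dce_dumps.items()}
    return {
        "one_way_ports": ports,
        "ipsec_counters": drops,
        # Both symptoms together match the case the article describes; its fix is
        # strip-esp-padding / strip-clear-text-padding under 'config system npu'.
        "matches_article_symptom": bool(ports) and any(drops.values()),
    }


# Sample input copied from the article's sniffer output (outbound only).
SAMPLE_SNIFFER = """\
2021-11-03 19:20:31.343034 port7 out -> ESP(spi=0xac6e0cbe,seq=0x4e)
2021-11-03 19:20:31.454182 port7 out -> ESP(spi=0xac6e0cbe,seq=0x4f)
2021-11-03 19:20:32.794925 port7 out -> ESP(spi=0xac6e0cbe,seq=0x50)
2021-11-03 19:20:33.151516 port7 out -> ESP(spi=0xac6e0cbe,seq=0x51)
2021-11-03 19:20:33.151591 port7 out -> ESP(spi=0xac6e0cbe,seq=0x52)
2021-11-03 19:20:33.151669 port7 out -> ESP(spi=0xac6e0cbe,seq=0x53)
2021-11-03 19:20:33.151707 port7 out -> ESP(spi=0xac6e0cbe,seq=0x54)
2021-11-03 19:20:34.791762 port7 out -> ESP(spi=0xac6e0cbe,seq=0x55)
2021-11-03 19:20:35.114577 port7 out -> ESP(spi=0xac6e0cbe,seq=0x56)
"""

# Sample input copied from the article's 'diagnose npu np6 dce 0' and 'dce 1' output.
SAMPLE_DCE_0 = """\
IHP0_PKTCHK :0000000000007388 [5a] IHP1_PKTCHK :0000000000301745 [5b]
XHP0_PKTCHK :0000000000003229 [5e] XHP1_PKTCHK :0000000000003405 [5f]
IPSEC0_ENGINB0 :0000000000547093 [80] IPSEC0_ENGINB1 :0000000000031693 [81]
IPSEC0_ENGINB2 :0000000000000655 [82] IPSEC0_ENGINB3 :0000000000000174 [83]
IPSEC0_ENGINB4 :0000000000000074 [84] IPSEC0_ENGINB5 :0000000000000057 [85]
IPSEC0_ENGINB6 :0000000000000022 [86] IPSEC0_ENGINB7 :0000000000000004 [87]
IPSEC1_IQUEUE :0000000000000001 [88] IPSEC1_ENGINB0 :0000000000418401 [89]
IPSEC1_ENGINB1 :0000000000017379 [8a] IPSEC1_ENGINB2 :0000000000000746 [8b]
IPSEC1_ENGINB3 :0000000000000429 [8c] IPSEC1_ENGINB4 :0000000000000117 [8d]
IPSEC1_ENGINB5 :0000000000000086 [8e] IPSEC1_ENGINB6 :0000000000000051 [8f]
"""
SAMPLE_DCE_1 = """\
IHP0_PKTCHK :0000000000020296 [5a] XHP0_PKTCHK :0000000000000005 [5e]
IPSEC0_ENGINB6 :0000000003712039 [86] IPSEC0_ENGINB7 :0000000006713629 [87]
PDQ_OSW_IPSEC1I :0000000014154116 [a7]
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SNIFFER, {0: SAMPLE_DCE_0, 1: SAMPLE_DCE_1}))
```

Run against the article's output, the helper reports port7 as outbound-only and lists sixteen nonzero IPsec counters on NP6 0 and three on NP6 1, so `matches_article_symptom` is true; a capture with inbound ESP on the same interface would clear the first condition and the verdict would be false, which keeps the check from firing on tunnels that merely have busy counters.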


Test by disabling NPU offloading under the IPsec phase1 tunnel and check whether the inbound traffic now passes as expected.


config vpn ipsec phase1-interface
    edit <phase1-name>
        set npu-offload disable
    next
end



If the traffic passes as expected, enable padding stripping under system NPU and reboot the FortiGate. Note that in an HA cluster, every unit in the cluster must be rebooted. Afterwards, enable npu-offload again.


config system npu
    set strip-esp-padding enable
    set strip-clear-text-padding enable
end


Once npu-offload is re-enabled, the tunnel is offloaded again and the ESP traffic passes successfully in both directions.


Related article:

Stripping clear text padding and IPsec session ESP padding - FortiGate documentation.