- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate 800C - not offloading L2TP/ipsec traffic
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 800C - not offloading L2TP/ipsec traffic
Dears,
we have a problem with an 800C model that is not offloading L2TP/ipsec traffic.
- As you can see the model has np4 processor and all ports attached to it:
Fortinet800C (global) # get hardware npu np4 list
ID Model Slot Interface
0 On-board wan1 port1 wan2 port2
port3 port4 port5 port6
port7 port8 port9 port10
port11 port12 port13 port14
port15 port16 port17 port18
port19 port20 port21 port22
port23 port24 npu0-vlink0 npu0-vlink1
- We configured the ipsec parameters to be offloaded over np4:
Fortinet800C (global) # config system npu
Fortinet800C (npu) # get
enc-offload-antireplay: enable
dec-offload-antireplay: enable
offload-ipsec-host : enable
- In the phase1 the local-id is set and the npu-offload is enabled:
Fortinet800C (SWL2TP) # get
name : SWL2TP
type : dynamic
interface : port3
ike-version : 1
local-gw : 79.x.x.x
keylife : 86400
authmethod : psk
mode : main
peertype : any
mode-cfg : disable
proposal : aes256-md5 3des-sha1 aes192-sha1
add-route : disable
exchange-interface-ip: disable
localid :
localid-type : auto
negotiate-timeout : 30
fragmentation : enable
dpd : disable
forticlient-enforcement: disable
comments :
npu-offload : enable
dhgrp : 2
suite-b : disable
wizard-type : custom
xauthtype : disable
idle-timeout : disable
ha-sync-esp-seqno : enable
nattraversal : enable
psksecret : *
keepalive : 10
distance : 15
priority : 0
- In the firewall policy the auto-asic-offload parameter is enabled:
Fortinet800C (3) # get
policyid : 3
name : L2TP_NET
uuid : 40f10106-6749-51e7-cb5c-80e35f26febf
srcintf : "port3"
dstintf : "port3"
srcaddr : "SWL2TP_range"
dstaddr : "all"
rtp-nat : disable
learning-mode : disable
action : accept
status : enable
schedule : always
schedule-timeout : disable
service : "ALL"
utm-status : disable
logtraffic : all
logtraffic-start : disable
capture-packet : disable
auto-asic-offload : enable
wanopt : disable
webcache : disable
session-ttl : 0
vlan-cos-fwd : 255
vlan-cos-rev : 255
wccp : disable
groups :
users :
devices :
disclaimer : disable
natip : 0.0.0.0 0.0.0.0
diffserv-forward : disable
diffserv-reverse : disable
tcp-mss-sender : 0
tcp-mss-receiver : 0
comments :
block-notification : disable
custom-log-fields :
tags :
replacemsg-override-group:
srcaddr-negate : disable
dstaddr-negate : disable
service-negate : disable
timeout-send-rst : disable
captive-portal-exempt: disable
ssl-mirror : disable
ssl-mirror-intf :
scan-botnet-connections: disable
dsri : disable
delay-tcp-npu-sessoin: disable
traffic-shaper :
traffic-shaper-reverse:
per-ip-shaper :
nat : enable
permit-any-host : disable
permit-stun-host : disable
fixedport : disable
ippool : disable
match-vip : disable
- The problem is when the vpn is estblished the np4 is not used:
Fortinet800C (Da_sw) # diagnose vpn ipsec status
All ipsec crypto devices in use:
NP4_0
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
aes-gcm: 0 0
aria: 0 0
seed: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
sha256: 0 0
sha384: 0 0
sha512: 0 0
NPU HARDWARE
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
aes-gcm: 0 0
aria: 0 0
seed: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
sha256: 0 0
sha384: 0 0
sha512: 0 0
CP8:
null: 0 0
des: 0 0
3des: 74621 94056
aes: 8160 5608
aes-gcm: 0 0
aria: 0 0
seed: 0 0
null: 0 0
md5: 8160 5608
sha1: 74621 94056
sha256: 0 0
sha384: 0 0
sha512: 0 0
SOFTWARE:
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
aes-gcm: 0 0
aria: 0 0
seed: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
sha256: 0 0
sha384: 0 0
sha512: 0 0
- In the session list the reason why the npu is not used is non-npu-intf :
session info: proto=6 proto_state=01 duration=2 expire=3598 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty synced none
statistic(bytes/packets/allow_err): org=776/9/1 reply=5171/8/1 tuples=2
tx speed(Bps/kbps): 366/2 rx speed(Bps/kbps): 2439/19
orgin->sink: org pre->post, reply pre->post dev=61->9/9->61 gwy=79.x.x.x/10.11.0.2
hook=post dir=org act=snat 10.11.0.2:61826->172.x.x.x:443(79.x.x.x:61826)
hook=pre dir=reply act=dnat 172.x.x.x:443->79.x.x.x:61826(10.11.0.2:61826)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=3
serial=0004cde4 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x040000
no_ofld_reason: non-npu-intf
We are using 5.4.4 firmware
Grateful for help - what are we missing?
Labels:
- Labels:
-
5.4
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
l2tp vpn offloading to npu is not supported
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
Related Posts
- SSL-OffLoading (HTTP --> HTTPS) 400 Views
- VPN intermittent traffic lost, found reverse... 875 Views
- Fortigate reverse proxcy with folder 127 Views
- Tunnel to cisco router keeps doing... 388 Views
- FortiGate SMTP Traffic 572 Views
Labels
-
FortiGate
6,525 -
FortiClient
1,301 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
241 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.