Technical Note: How to troubleshoot NTurbo on a FortiGate

nvisentin_FTNT · ‎09-14-2016

Description

Nturbo is a solution which provides a fast path for traffic inspected by IPS. UTM features in flow mode rely on the IPS engine for traffic inspection and protection. In that case, the traffic can be processed by Nturbo to improve the performance.

Nturbo is available on NP6 and SoC3 platforms as well as the FortiGate 3240C, 3600C and 5001C.

This article provides some troubleshooting guidelines.

Solution

The following commands can be used to check if traffic is processed by the Nturbo fast path.

Debug flow

diagnose debug enable
diagnose debug flow filter <add your filter>
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 1000

TCP SYN, the Nturbo session is being programmed:

id=20085 trace_id=200 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=6, 10.118.0.123:52466->10.5.31.1:22) from internal. flag [S], seq 2511172403, ack 0, win 29200"
(...)
id=20085 trace_id=200 func=np6lite_hif_nturbo_build_vtag line=762 msg="np6lite_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 64, vtag->vid 0
           vtag->sip[0] e313050a, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0
           vtag->sport 62156, vtag->mtu 1500, vtag->flags 2, vtag->np6lite_index 0"

TCP SYN/ACK, then ACK, the Nturbo session is installed:

id=20085 trace_id=201 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=6, 10.5.31.1:22->10.5.19.227:52466) from wan1. flag [S.], seq 2893937223, ack 2511172404, win 28960"
(…)
id=20085 trace_id=201 func=npu_handle_session44 line=987 msg="Trying to offloading session from wan1 to internal, skb.npu_flag=00000400 ses.state=00012200 ses.npu_state=0x00003094"
id=20085 trace_id=201 func=np6lite_fos_set_nturbo_ips_fwd_session line=483 msg="push nturbo session oid 4"
id=20085 trace_id=201 func=ip_session_install_npu_session line=302 msg="npu session intallation succeeded"
id=20085 trace_id=201 func=np6lite_hif_nturbo_build_vtag line=762 msg="np6lite_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 76, vtag->vid 0
           vtag->sip[0] 0, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0
           vtag->sport 0, vtag->mtu 1500, vtag->flags 1, vtag->np6lite_index 0"

id=20085 trace_id=202 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=6, 10.118.0.123:52466->10.5.31.1:22) from internal. flag [.], seq 2511172404, ack 2893937224, win 229"
(…)
id=20085 trace_id=202 func=npu_handle_session44 line=987 msg="Trying to offloading session from internal to wan1, skb.npu_flag=00000400 ses.state=00012200 ses.npu_state=0x00003894"
id=20085 trace_id=202 func=np6lite_fos_set_nturbo_ips_fwd_session line=483 msg="push nturbo session oid 4"
id=20085 trace_id=202 func=ip_session_install_npu_session line=302 msg="npu session intallation succeeded"
id=20085 trace_id=202 func=np6lite_hif_nturbo_build_vtag line=762 msg="np6lite_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 64, vtag->vid 0
           vtag->sip[0] e313050a, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0
           vtag->sport 62156, vtag->mtu 1500, vtag->flags 2, vtag->np6lite_index 0"

Nturbo / IPS application monitoring

The command “diagnose test application ipsmonitor 14” provides Nturbo counters per IPS engine:

# diagnose test application ipsmonitor 14
Turbo Engine #27198: rx 36 tx 36 frag 0 drop(vdct 0 ctag 0 view 0 tx 0 full 0 task 0 decode 0 sock 0 frag 0 de-frag 0) free 512(index 0 state 0 xmit_index 0 xmit_state 0)
Turbo Engine #27199: rx 0 tx 0 frag 0 drop(vdct 0 ctag 0 view 0 tx 0 full 0 task 0 decode 0 sock 0 frag 0 de-frag 0) free 512(index 0 state 0 xmit_index 0 xmit_state 0)2016-09-13 12:04:39
Turbo Engine #27200: rx 0 tx 0 frag 0 drop(vdct 0 ctag 0 view 0 tx 0 full 0 task 0 decode 0 sock 0 frag 0 de-frag 0) free 512(index 0 state 0 xmit_index 0 xmit_state 0)2016-09-13 12:04:39
Turbo Engine #27201: rx 0 tx 0 frag 0 drop(vdct 0 ctag 0 view 0 tx 0 full 0 task 0 decode 0 sock 0 frag 0 de-frag 0) free 512(index 0 state 0 xmit_index 0 xmit_state 0)

When the traffic is processed by Nturbo, rx and tx counters increase.

Drop counter increases when packets are dropped by the IPS Engine due to detected attacks.

Session table

“ips_offload” flag means the session is processed by Nturbo:

# diag sys session list

session info: proto=6 proto_state=01 duration=10 expire=3589 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr npu
statistic(bytes/packets/allow_err): org=1552/4/1 reply=1207/4/1 tuples=3
speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=18->3/3->18 gwy=10.5.31.1/10.118.0.123
hook=post dir=org act=snat 10.118.0.123:52466->10.5.31.1:22(10.5.19.227:52466)
hook=pre dir=reply act=dnat 10.5.31.1:22->10.5.19.227:52466(10.118.0.123:52466)
hook=post dir=reply act=noop 10.5.31.1:22->10.118.0.123:52466(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000341c tos=ff/ff app_list=2000 app=16060 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x003c94 ips_offload
npu info: flag=0x81/0x81, offload=8/8, ips_offload=1/1, epid=4/4, ipid=76/64, vlan=0x0000/0x0000
vlifid=76/64, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=2/2
total session 1