FortiGate
ssanga
Staff
Article Id 297422
Description This article describes how to resolve an issue where multicast traffic fails to traverse an IPsec tunnel after an upgrade. The cause is the NP6 chip dropping the multicast packets.
Scope FortiGate devices running firmware version 7.4.2.
Solution

After an upgrade, the status of the IPsec VPN tunnel appears normal, but multicast traffic fails to reach the remote FortiGate.
The sniffer shows the packets being transmitted on the VPN interface, but the NP does not forward them out.

Sniffer Output:
diagnose sniffer packet any "host 10.250.63.X and host 224.0.0.5" 4 0 l
interfaces=[any]
filters=[host 10.250.63.234 and host 224.0.0.5]
2024-01-22 18:28:48.302480 vpn out 10.250.63.X -> 224.0.0.5: ip-proto-89 44
2024-01-22 18:28:58.402610 vpn out 10.250.63.X -> 224.0.0.5: ip-proto-89 44
2024-01-22 18:29:08.052771 vpn out 10.250.63.X -> 224.0.0.5: ip-proto-89 44

diagnose sniffer packet any "host 10.250.63.X and host 224.0.0.5" 4 0 l
interfaces=[any]
filters=[host 10.250.63.234 and host 224.0.0.5]
<No packets arrived>

NP drops can be verified with the following commands. Capture the output several times a few seconds apart: a drop counter that keeps increasing between iterations confirms that the NP is discarding the packets.

diagnose npu np6xlite dce 0
DROP_APS_HTX0 :0000000000000148[58]

diagnose npu np6xlite anomaly-drop 0
IHP0:
IHP1:
IHP2:
IHP3:
XHP0:
XHP1:
HTX0:
ipv4_proto_err :0000000000000068[c1]
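The diagnosis above rests on two observations: the local sniffer shows OSPF packets (IP protocol 89 to 224.0.0.5) leaving the VPN interface while none arrive at the far end, and the NP drop counters keep rising across repeated captures. The following Python script, added here as an example and not part of the Fortinet article, parses pasted copies of that CLI output offline and combines the checks into one verdict. The sample captures are constructed to mirror the listings above; it is an assumption that the second, empty sniffer capture was taken on the remote FortiGate, and the bracketed field after each counter value is assumed to be a counter index and is ignored.

```python
import re

# Constructed sample output modelled on the article's sniffer and NP counter
# listings; these are not real captures from any device.
SNIFFER_LOCAL = """\
interfaces=[any]
filters=[host 10.250.63.234 and host 224.0.0.5]
2024-01-22 18:28:48.302480 vpn out 10.250.63.234 -> 224.0.0.5: ip-proto-89 44
2024-01-22 18:28:58.402610 vpn out 10.250.63.234 -> 224.0.0.5: ip-proto-89 44
2024-01-22 18:29:08.052771 vpn out 10.250.63.234 -> 224.0.0.5: ip-proto-89 44
"""
SNIFFER_REMOTE = """\
interfaces=[any]
filters=[host 10.250.63.234 and host 224.0.0.5]
<No packets arrived>
"""
# Two snapshots of `diagnose npu np6xlite dce 0` / `anomaly-drop 0` output
# taken a few seconds apart (constructed values).
NPU_SNAPSHOT_1 = """\
DROP_APS_HTX0 :0000000000000148[58]
HTX0:
ipv4_proto_err :0000000000000068[c1]
"""
NPU_SNAPSHOT_2 = """\
DROP_APS_HTX0 :0000000000000151[58]
HTX0:
ipv4_proto_err :0000000000000071[c1]
"""

# Sniffer packet line: "<date> <time> <iface> <in|out> <src> -> <dst>: ip-proto-<n> <len>"
PACKET_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): "
    r"ip-proto-(?P<proto>\d+) (?P<len>\d+)$"
)
# Counter line: "<name> :<hex value>[<hex id>]"; headings such as "HTX0:" do not match.
COUNTER_RE = re.compile(
    r"^\s*(?P<name>\w+)\s*:(?P<value>[0-9a-fA-F]+)\[(?P<id>[0-9a-fA-F]+)\]\s*$"
)

OSPF_PROTO = 89
OSPF_ALL_ROUTERS = "224.0.0.5"


def count_multicast_packets(sniffer_text, proto=OSPF_PROTO, group=OSPF_ALL_ROUTERS):
    """Count sniffer packet lines for the given IP protocol and multicast group,
    keyed by (interface, direction). Header and '<No packets arrived>' lines are ignored."""
    counts = {}
    for line in sniffer_text.splitlines():
        m = PACKET_RE.match(line)
        if m and int(m.group("proto")) == proto and m.group("dst") == group:
            key = (m.group("iface"), m.group("dir"))
            counts[key] = counts.get(key, 0) + 1
    return counts


def parse_npu_counters(text):
    """Parse NP counter lines into {name: value}. The value is read as hex;
    the bracketed field (assumed to be the counter's index) is dropped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"), 16)
    return counters


def incrementing_counters(before, after):
    """Return {name: delta} for counters that grew between two snapshots."""
    return {
        name: after[name] - before[name]
        for name in before
        if name in after and after[name] > before[name]
    }


def diagnose(local_sniffer, remote_sniffer, snapshot_before, snapshot_after):
    """Combine the article's three checks into a single verdict string."""
    sent = count_multicast_packets(local_sniffer).get(("vpn", "out"), 0)
    received = sum(count_multicast_packets(remote_sniffer).values())
    drops = incrementing_counters(
        parse_npu_counters(snapshot_before), parse_npu_counters(snapshot_after)
    )
    if sent and not received and drops:
        return "np-drop-suspected"
    if sent and received:
        return "multicast-forwarded"
    return "inconclusive"


if __name__ == "__main__":
    print(count_multicast_packets(SNIFFER_LOCAL))
    print(incrementing_counters(parse_npu_counters(NPU_SNAPSHOT_1),
                                parse_npu_counters(NPU_SNAPSHOT_2)))
    print(diagnose(SNIFFER_LOCAL, SNIFFER_REMOTE, NPU_SNAPSHOT_1, NPU_SNAPSHOT_2))
```

The verdict is only "np-drop-suspected" when all three conditions hold at once; a rising drop counter on its own is not enough, because other traffic can increment the same counters, so the script insists on the sniffer evidence that the multicast packets were actually offered to the NP and never arrived.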

This issue is resolved in v7.4.4, scheduled for release by the end of March, 2024 (subject to change).

Workaround:

Disable NPU offloading on the affected IPsec phase1-interface so that the tunnel traffic is handled by the CPU instead of the NP. The commands are:

config vpn ipsec phase1-interface
    edit <name>
        set npu-offload disable
    next
end

NOTE: Disabling NPU offloading may cause the IPsec tunnel to flap, and the tunnel traffic will then be processed by the CPU rather than the NP, so expect higher CPU utilization on the unit.
