FortiGate
slovedeep
Staff
Article Id 265632
Description

This article describes the case where, when traffic is sent over an IPsec tunnel, the debug flow output shows the following error:


id=65308 trace_id=15 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-00090049, reply direction"
id=65308 trace_id=15 func=ip_session_core_in line=6543 msg="dir-1, tun_id=192.169.1.1"
id=65308 trace_id=15 func=ipsecdev_hard_start_xmit line=662 msg="enter IPSec interface To-Tunnel-A, tun_id=192.169.1.1"
id=65308 trace_id=15 func=_do_ipsecdev_hard_start_xmit line=222 msg="output to IPSec tunnel To-Tunnel-A vrf 0"
id=65308 trace_id=15 func=esp_output4 line=920 msg="IPsec encrypt/auth"
id=65308 trace_id=15 func=nipsec_set_ipsec_sa_enc line=920 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={To-Tunnel-A/To-Tunnel-A/0x333ab007}), npudev=-1, skb-dev=port2"
id=65308 trace_id=15 func=nipsec_set_ipsec_sa_enc line=965 msg="IPSec encrypt SA (p1/p2/spi={To-Tunnel-A/To-Tunnel-A/0x333ab007}) offloading-check failed, reason_code=2."
id=65308 trace_id=15 func=ipsec_output_finish line=641 msg="send to 0.0.0.0 via intf-port2"

Scope

Any FortiOS on VM.
Solution

The line 'id=65308 trace_id=15 func=nipsec_set_ipsec_sa_enc line=965 msg="IPSec encrypt SA (p1/p2/spi={To-Tunnel-A/To-Tunnel-A/0x333ab007}) offloading-check failed, reason_code=2."' means that the unit is a FortiGate-VM, which has no NPU, so NPU offloading of the IPsec SA is not supported.


So the IPsec encryption and authentication for this traffic is processed by the CPU instead. On a FortiGate-VM this message is expected and is not a fault: the packet is still forwarded, as the following 'func=ipsec_output_finish ... msg="send to 0.0.0.0 via intf-port2"' line in the same trace shows.
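As an added example (not part of this article or Fortinet's own tooling), a small Python triage script for debug flow output in this format: it parses the key=value fields, extracts the phase1/phase2/SPI tuple and reason_code from the offloading-check failure, and confirms that a matching ipsec_output_finish "send to" line followed. The meaning of reason_code 2 is taken from this article; any other code is reported as unknown, and the sample trace is constructed from the lines quoted above.

```python
import re

# Constructed sample input: the debug flow lines quoted in this article.
SAMPLE_TRACE = """\
id=65308 trace_id=15 func=esp_output4 line=920 msg="IPsec encrypt/auth"
id=65308 trace_id=15 func=nipsec_set_ipsec_sa_enc line=920 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={To-Tunnel-A/To-Tunnel-A/0x333ab007}), npudev=-1, skb-dev=port2"
id=65308 trace_id=15 func=nipsec_set_ipsec_sa_enc line=965 msg="IPSec encrypt SA (p1/p2/spi={To-Tunnel-A/To-Tunnel-A/0x333ab007}) offloading-check failed, reason_code=2."
id=65308 trace_id=15 func=ipsec_output_finish line=641 msg="send to 0.0.0.0 via intf-port2"
"""

# key=value tokens; a quoted value (msg="...") is taken whole so spaces inside it survive.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SA_RE = re.compile(r'p1/p2/spi=\{([^/}]+)/([^/}]+)/(0x[0-9A-Fa-f]+)\}')
REASON_RE = re.compile(r'reason_code=(\d+)')

# Only code 2 is documented in this article; anything else is flagged as unknown.
REASON_NOTES = {2: "no NPU on this platform (FortiGate-VM); SA is processed by the CPU, expected"}


def parse_line(line):
    """Return the key=value fields of one debug flow line, with msg unquoted."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def triage_offload(trace):
    """Find IPsec SA offload failures and check that the packet still left the box."""
    findings, pending = [], None
    for raw in trace.splitlines():
        f = parse_line(raw)
        msg = f.get("msg", "")
        if f.get("func") == "nipsec_set_ipsec_sa_enc" and "offloading-check failed" in msg:
            sa, rc = SA_RE.search(msg), REASON_RE.search(msg)
            code = int(rc.group(1)) if rc else None
            pending = {
                "trace_id": f.get("trace_id"),
                "phase1": sa.group(1) if sa else None,
                "phase2": sa.group(2) if sa else None,
                "spi": sa.group(3) if sa else None,
                "reason_code": code,
                "note": REASON_NOTES.get(code, "unknown reason_code, investigate"),
                "sent": False,  # set once the same trace reaches ipsec_output_finish
            }
            findings.append(pending)
        elif (pending and f.get("trace_id") == pending["trace_id"]
              and f.get("func") == "ipsec_output_finish" and msg.startswith("send to")):
            pending["sent"] = True
            pending = None
    return findings


if __name__ == "__main__":
    for hit in triage_offload(SAMPLE_TRACE):
        print(hit)
```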