CAPWAP Offloading (NP6 only)

6.2.0

Simple Network Topology

NP6 offloading of CAPWAP traffic is supported by all high-end and most mid-range FortiGate models.

NP6 offloading over CAPWAP configuration

NP6 offloading of CAPWAP traffic is supported for traffic from tunnel mode virtual APs. The WTP data channel DTLS policy (dtls-policy) must be set to clear-text or ipsec-vpn in the WTP profile (wireless-controller wtp-profile). Fragmented traffic is not offloaded.

NP6 session fast path requirements:

  1. Enable offloading of managed FortiAP and FortiLink CAPWAP sessions:

    config system npu
        set capwap-offload enable
    end

  2. Enable offloading of security profile processing to CP processors in the policy:

    config firewall policy
        edit 1
            set auto-asic-offload enable
        next
    end

Verify the system session of NP6 offloading

  • When dtls-policy=clear-text, check the system session and verify that npu info shows flag=0x81/0x89, offload=8/8:
    FG1K2D3I16800192 (vdom1) # diagnose sys session list
        session info: proto=6 proto_state=01 duration=21 expire=3591 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
        origin-shaper=
        reply-shaper=
        per_ip_shaper=
        class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
        state=log may_dirty npu f00 
        statistic(bytes/packets/allow_err): org=16761744/11708/1 reply=52/1/1 tuples=2
        tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
        orgin->sink: org pre->post, reply pre->post dev=57->37/37->57 gwy=172.16.200.44/10.65.1.2
        hook=post dir=org act=snat 10.65.1.2:50452->172.16.200.44:5001(172.16.200.65:50452)
        hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50452(10.65.1.2:50452)
        pos/(before,after) 0/(0,0), 0/(0,0)
        misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
        serial=00009a97 tos=ff/ff app_list=0 app=0 url_cat=0
        rpdb_link_id = 00000000
        dd_type=0 dd_mode=0
        npu_state=0x000c00
        npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158/216, ipid=216/158, vlan=0x0000/0x0000
        vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, fwd_en=0/0, qid=4/2
    total session 1
  • When dtls-policy=ipsec-vpn, check the system session and verify that npu info shows flag=0x81/0x82, offload=8/8:
    FG1K2D3I16800192 (vdom1) # diagnose sys session list
        session info: proto=6 proto_state=01 duration=7 expire=3592 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
        origin-shaper=
        reply-shaper=
        per_ip_shaper=
        class_id=0 ha_id=0 policy_dir=0 tunnel=/wlc-004100_0 vlan_cos=0/255
        state=log may_dirty npu f00 
        statistic(bytes/packets/allow_err): org=92/2/1 reply=92/2/1 tuples=2
        tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
        orgin->sink: org pre->post, reply pre->post dev=57->37/37->57 gwy=172.16.200.44/10.65.1.2
        hook=post dir=org act=snat 10.65.1.2:50575->172.16.200.44:5001(172.16.200.65:50575)
        hook=pre dir=reply act=dnat 172.16.200.44:5001->172.16.200.65:50575(10.65.1.2:50575)
        pos/(before,after) 0/(0,0), 0/(0,0)
        misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
        serial=0000a393 tos=ff/ff app_list=0 app=0 url_cat=0
        rpdb_link_id = 00000000
        dd_type=0 dd_mode=0
        npu_state=0x000c00
        npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=158/216, ipid=216/158, vlan=0x0000/0x0000
        vlifid=216/158, vtag_in=0x0000/0x0000 in_npu=2/2, out_npu=2/2, fwd_en=0/0, qid=0/0
    total session 1
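
To run the same check across many sessions, the following added example (not part of the Fortinet documentation) parses saved `diagnose sys session list` output and compares each session's npu info flag and offload values with the ones shown above. The function names and the second sample session are assumptions made for illustration.

```python
import re

# npu info values this page says to expect for each dtls-policy setting.
EXPECTED = {"clear-text": ("0x81/0x89", "8/8"), "ipsec-vpn": ("0x81/0x82", "8/8")}

def parse_sessions(text):
    """Return one dict per session in `diagnose sys session list` output."""
    sessions = []
    # Each session starts with a "session info:" line.
    for block in re.split(r"(?m)^\s*session info:", text)[1:]:
        s = {"serial": None, "policy_id": None, "flag": None, "offload": None}
        for key in ("serial", "policy_id"):
            m = re.search(rf"\b{key}=(\S+)", block)
            if m:
                s[key] = m.group(1)
        # Read flag/offload only from the "npu info:" line, so "flags=" and
        # "ips_offload=" elsewhere in the block are never mistaken for them.
        npu = re.search(r"(?m)^\s*npu info:(.*)$", block)
        if npu:
            parts = [p.strip() for p in npu.group(1).split(",") if "=" in p]
            pairs = dict(p.split("=", 1) for p in parts)
            s["flag"], s["offload"] = pairs.get("flag"), pairs.get("offload")
        sessions.append(s)
    return sessions

def check_offload(text, dtls_policy):
    """Map each session serial to True when npu info matches EXPECTED."""
    want = EXPECTED[dtls_policy]
    return {s["serial"]: (s["flag"], s["offload"]) == want
            for s in parse_sessions(text)}

# Sample input: session 00009a97 is trimmed from the clear-text output above;
# session 0000ffff and its npu info values are constructed for illustration.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=21 expire=3591 timeout=3600
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=00009a97 tos=ff/ff app_list=0 app=0 url_cat=0
npu info: flag=0x81/0x89, offload=8/8, ips_offload=0/0, epid=158/216
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=1
serial=0000ffff tos=ff/ff app_list=0 app=0 url_cat=0
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0
total session 2
"""

if __name__ == "__main__":
    for serial, ok in check_offload(SAMPLE, "clear-text").items():
        print(serial, "matches expected npu info" if ok else "does NOT match")
```

Sessions that come back as not matching are the ones to review against the capwap-offload, auto-asic-offload and dtls-policy settings described above.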
